Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be machine-translated.As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around 0 in bitcoin within three days, or 0 within seven days.
If wanting to decrypt all the files, you need to pay the "ransom".
In a controlled testing environment, the cybersecurity firm Kryptos Logic found that they were unable to infect a Windows XP system with Wanna Cry using just the exploits, as the payload failed to load, or caused the operating system to crash rather than actually execute and encrypt files.
However, when executed manually, Wanna Cry could still operate on Windows XP.
While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.
It was discovered that Windows encryption APIs used by Wanna Cry may not completely clear the prime numbers used to generate the payload's private keys from the memory, making it possible to potentially retrieve the required key if they had not yet been overwritten or cleared from resident memory.