WANACRYPT0R RANSOMWORM

2017-05-16 BAE Systems

http://baesystemsai.blogspot.kr/2017/05/wanacrypt0r-ransomworm.html

BAE Systems analyzed WanaCrypt0r as a ransomware worm that spread globally after the ETERNALBLUE SMB exploit became publicly available. The executable checked a hard-coded domain before launching its payload, registered itself as a service, and used worm functionality to replicate across networks, with SMB exposure and MS17-010 exploitation central to the observed spread. The ransomware unpacked embedded resources into a working directory, used a mutex and registry value for execution state, bundled Tor tooling, and selected from three hard-coded Bitcoin wallets for ransom payment. The excerpt says the initial infection vector was still unknown and notes that some phishing claims were linked to a separate Jaff ransomware campaign, making SMB exposure the better-supported propagation path in the text.

Indicators of Compromise

Type    Value                               First Seen  Last Seen
HASH    9c7c7149387a1c79679a87dd1ba755bc    2017-05-15  2025-02-04
HASH    ac21c8ad899727137c4b94458d7aa8d8    2017-05-15  2025-02-04
DOMAIN  xxlvbrloxvriy2c5.onion              2017-05-12  2021-12-02
DOMAIN  cwwnhwhlz52maqm7.onion              2017-05-12  2021-12-02
DOMAIN  gx7ekbenv2riucmf.onion              2017-05-12  2021-12-02
DOMAIN  76jdd2ir2embyv47.onion              2017-05-12  2021-12-02
DOMAIN  57g7spgrzlojinas.onion              2017-05-12  2021-12-02
URL     http://www.iuqerfsodp9ifjaposdf…    2017-05-16  2017-05-23