Immediately after infiltration, WannaSmile encrypts most stored data and adds the ".WSmile" extension to each filename. For instance, "sample.jpg" is renamed to "sample.jpg.WSmile". From this point, the file becomes unusable.
Once files are encrypted, WannaSmile creates a "How to decrypt files.html" file and places it on the desktop. This file contains a ransom-demand message.