Skip to content

Instantly share code, notes, and snippets.

@Epivalent
Created May 12, 2017 20:17
  • Star 26 You must be signed in to star a gist
  • Fork 19 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save Epivalent/e20d975297dcb57d4a5802b025e80e2c to your computer and use it in GitHub Desktop.

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Malware samples

Binary blob in PE crypted with pass 'WNcry@2ol7'

Informative Tweets

Cryptography details

  • encrypted via AES
  • AES key generated with a CSPRNG
  • AES key is encrypted by RSA

Bitcoin ransom addresses

C&C centers

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52ma.onion

Languages

All language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

@roycewilliams
Copy link

Very active fork here, updates being crowdsourced: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment