View gist:3c9a98f7761440d0d369e40379174bea
<6>[ 23.576563] PM: noirq resume of devices complete after 1.064 msecs
<6>[ 23.578032] last active wakeup source: 800f000.qcom,spmi:qcom,pmi8998@2:qpnp,fg
<6>[ 23.578695] PM: early resume of devices complete after 0.683 msecs
<6>[ 23.579085] CPU4: update max cpu_capacity 816
<6>[ 23.584133] CPU3: update max cpu_capacity 1024
<6>[ 23.595941] PM: resume of devices complete after 17.241 msecs
<6>[ 23.596774] Restarting tasks ... done.
<6>[ 23.625721] PM: suspend exit 2018-05-29 06:19:12.102992243 UTC
<6>[ 23.725866] PM: suspend entry 2018-05-29 06:19:12.203132186 UTC
<6>[ 23.755710] Freezing user space processes ... (elapsed 0.003 seconds) done.
View gist:f97885fb81215dc006825092e647f04c
====1519734976.728230
Oops#1 Part1
<6>[20180227_20:36:16.602139]@1 wlan: loading driver v4.0.11.144
<6>[20180227_20:36:16.677694]@1 PM: suspend entry 2018-02-27 12:36:16.677657367 UTC
<4>[20180227_20:36:16.704389]@1 Freezing user space processes ... (elapsed 0.026 seconds) done.
<4>[20180227_20:36:16.714233]@1 Freezing remaining freezable tasks ... (elapsed 0.009 seconds) done.
<4>[20180227_20:36:16.714273]@1 Suspending console(s) (use no_console_suspend to debug)
<6>[20180227_20:36:16.720902]@1 R0: wlan: [4845:E :VOS] vos_get_context: Module ID 18 context is Null
<1>[20180227_20:36:16.720978]@1 Unable to handle kernel NULL pointer dereference at virtual address 00000280
<1>[20180227_20:36:16.721006]@1 pgd = 0000000000000000
View Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx