View gist:f97885fb81215dc006825092e647f04c
Oops#1 Part1
<6>[20180227_20:36:16.602139]@1 wlan: loading driver v4.0.11.144
<6>[20180227_20:36:16.677694]@1 PM: suspend entry 2018-02-27 12:36:16.677657367 UTC
<4>[20180227_20:36:16.704389]@1 Freezing user space processes ... (elapsed 0.026 seconds) done.
<4>[20180227_20:36:16.714233]@1 Freezing remaining freezable tasks ... (elapsed 0.009 seconds) done.
<4>[20180227_20:36:16.714273]@1 Suspending console(s) (use no_console_suspend to debug)
<6>[20180227_20:36:16.720902]@1 R0: wlan: [4845:E :VOS] vos_get_context: Module ID 18 context is Null
<1>[20180227_20:36:16.720978]@1 Unable to handle kernel NULL pointer dereference at virtual address 00000280
<1>[20180227_20:36:16.721006]@1 pgd = 0000000000000000

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.