jorpic

#!/usr/bin/env python

# ref. http://bitcoin.stackexchange.com/questions/30727
# partially copy-pasted from https://github.com/ethereum/pyethsaletool

import pbkdf2 as PBKDF2
import python_sha3
import aes
import sys
import json

rmkane

[ {
    "Date" : "2016-07-30",
    "Data" : {
        "Moves" : [
            { "ID" : 13,  "Key" : "Power",  "Old Value" : 15, "New Value" : 25 },
            { "ID" : 14,  "Key" : "Power",  "Old Value" : 70, "New Value" : 120 },
            { "ID" : 18,  "Key" : "Power",  "Old Value" : 25, "New Value" : 30 },
            { "ID" : 20,  "Key" : "Power",  "Old Value" : 15, "New Value" : 25 },
            { "ID" : 21,  "Key" : "Power",  "Old Value" : 35, "New Value" : 40 },
            { "ID" : 22,  "Key" : "Power",  "Old Value" : 55, "New Value" : 80 },

rain-1

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

• Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
• Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
• Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
• Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
• Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru