Skip to content

Instantly share code, notes, and snippets.

Vladimir Ivanov ivladdalvi

Block or report user

Report or block ivladdalvi

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.




  • nftp - nopen-aware file transfer program, see Linux/doc/README.nftp, Linux/doc/nftp.1
  • NOPEN - NSA RAT, real progs are noclient and noserver
  • PITCHIMPAIR - redirector.
  • STOICSURGEON - utility to cloak processes and files on Linux, Solaris and, possibly, FreeBSD Linux/doc/old/etc/user.tool.stoicsurgeon.COMMON
  • STRIFEWORLD - TCP session recorder, sniffer, see Linux/doc/strifeworld.1
  • YELLOWSPIRIT, YS - Linux/bin/
ivladdalvi /
Created Oct 25, 2016
Just a frequency analysis
import string
t = open("trump", "r")
words = {}
for line in t:
for w in line.split():
word = string.strip(w, ":,.\"").lower()

Keybase proof

I hereby claim:

  • I am ivladdalvi on github.
  • I am ivlad ( on keybase.
  • I have a public key whose fingerprint is C9E9 7316 03A0 BAC8 8838 AB26 0366 0B02 05F5 A398

To claim this, I am signing this object:

You can’t perform that action at this time.