Cisco's Talos team analysis of WannaCry worm

&gt; .der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc<p>Phewww! Good thing I&#x27;m using .tex to write my thesis and write most of my code in .py... lol

Apart from the invididual victims, ransomware seems like it should have a good effect on computer security overall since it actually harms the people who get infected and motivates them to do security better. Most viruses keep quiet so people don&#x27;t know or care if they&#x27;re infected and contributing to DDOSs or spreading to others. I sometimes use computers that have obvious viruses on them, and it the people running them just let it happen because it doesn&#x27;t stop their work.

There are some bitcoins flowing in into their wallet<p><a href="https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" rel="nofollow">https:&#x2F;&#x2F;blockchain.info&#x2F;address&#x2F;115p7UMMngoj1pMvkpHijcRdfJNX...</a>

&quot;it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry.&quot; - Not a security person but that seems pretty clever, and incredibly worrying. I presume we&#x27;ll see more of this type of attack in the future - but curious if this has been a popular vector of compromising in the past? Also curious about what a &#x2F; how a killswitch domain works?

I&#x27;ve seen a few mentions of something along the lines of &quot;The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.&quot;<p>I&#x27;m not super well versed in crypto, but is this possible? I assume they use symmetric encryption and then RSA encrypt the symmetric keys?

Unreadable on Chrome on iOS <a href="https:&#x2F;&#x2F;i.imgur.com&#x2F;j13tqGn.png" rel="nofollow">https:&#x2F;&#x2F;i.imgur.com&#x2F;j13tqGn.png</a>

Is there a domain we can connect to with https?<p>Seems strange that an article as important as this wouldn&#x27;t be served securely.