
.UIWIX Ransomware Help & Support Topic (.uiwix & _DECODE_FILES.txt)


#1 StevyC


Posted 09 May 2017 - 07:56 PM

Hi,

Yesterday most of my files changed extension and now they are named like this: the name of the file, then an ID, then .UIWIX. For example, a link on the desktop now has this name: "Malwarebytes Anti-Malware.lnk._2883765424.UIWIX". On the desktop there is a file called "_DECODE_FILES.txt" with this text:

 

>>> ALL YOUR PERSONAL FILES ARE DECODED <<<

Your personal code: 2883765424

To decrypt your files, you need to buy special software.
Do not attempt to decode or modify files, it may be broken.
To restore data, follow the instructions!

You can learn more at this site:
https://4ujngbdqqm6t2c53.onion.to
https://4ujngbdqqm6t2c53.onion.cab
https://4ujngbdqqm6t2c53.onion.nu

If a resource is unavailable for a long time to install and use the tor browser.
After you start the Tor browser you need to open this link http://4ujngbdqqm6t2c53.onion


I tried to upload this file on the ID Ransomware page, but it was unable to determine it.

I scanned and removed all files found by Malwarebytes.

What variant of ransomware is this? Is there a possibility that I can decrypt my files?

 

Thanks in advance

Steve


Edited by StevyC, 09 May 2017 - 07:57 PM.



#2 Demonslay335


Posted 09 May 2017 - 08:13 PM

I was just taking a look at your ransom note, saw it get tagged as a potentially new note. I believe it to be new.

 

We'll need a sample of the malware in order to analyze it.

 

If you find the malware, you may submit it along with a few encrypted files and their originals for analysis here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Do you know how you got it? Email attachment, downloaded something, RDP hack, etc.? Hopefully you didn't actually delete the malware itself with Malwarebytes; it's always best to quarantine until you know what you're dealing with.

 

From taking a quick look at some files submitted the last day from a few victims, it looks like only about 10,240 bytes are encrypted, and there are 36 bytes appended to the end of the file.

 

I have added a rule to IDR to point victims to this topic.


Edited by Demonslay335, 09 May 2017 - 08:39 PM.

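An added example, not code from the thread or from any of the tools mentioned in it, of the measurement described in the post above: given a victim's encrypted file and its pristine original, it reports which byte range was changed and how many bytes were appended. The sample pair is constructed inline with an XOR stand-in for the real cipher, so the figures it reports describe only the constructed sample.

```python
"""Profile how a ransomware sample altered a file by diffing the encrypted
copy against a known-good original (added example; sample data is constructed)."""
from typing import NamedTuple


class EncryptionProfile(NamedTuple):
    modified_start: int   # first byte offset that differs from the original
    modified_end: int     # one past the last differing offset within the original length
    appended_bytes: int   # bytes added after the original length (footer, key blob, ...)
    tail_intact: bool     # True if nothing after modified_end was changed


def profile_pair(original: bytes, encrypted: bytes) -> EncryptionProfile:
    """Compare an encrypted file to its pristine copy and describe the change."""
    appended = len(encrypted) - len(original)
    if appended < 0:
        raise ValueError("encrypted file is shorter than the original; not a simple append")
    body = encrypted[: len(original)]
    diff_idx = [i for i, (a, b) in enumerate(zip(original, body)) if a != b]
    if not diff_idx:
        return EncryptionProfile(0, 0, appended, True)
    start, end = diff_idx[0], diff_idx[-1] + 1
    # Ciphertext bytes can equal plaintext bytes by chance, so "tail intact"
    # is judged on the whole remainder, not on a single offset.
    return EncryptionProfile(start, end, appended, body[end:] == original[end:])


def profile_files(original_path: str, encrypted_path: str) -> EncryptionProfile:
    """Convenience wrapper for two files on disk (original first, encrypted second)."""
    with open(original_path, "rb") as f_orig, open(encrypted_path, "rb") as f_enc:
        return profile_pair(f_orig.read(), f_enc.read())


# Constructed sample pair standing in for a submitted original/encrypted file.
SAMPLE_ORIGINAL = bytes(range(256)) * 80                 # 20,480 bytes of "plaintext"
_HEADER_LEN, _FOOTER_LEN = 10240, 36                      # sizes chosen to mirror the thread
SAMPLE_ENCRYPTED = (
    bytes(b ^ 0xA5 for b in SAMPLE_ORIGINAL[:_HEADER_LEN])  # XOR stand-in for the cipher
    + SAMPLE_ORIGINAL[_HEADER_LEN:]                         # untouched remainder
    + b"\x00" * _FOOTER_LEN                                 # appended footer
)

if __name__ == "__main__":
    print(profile_pair(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED))
```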


#3 mcinon


Posted 11 May 2017 - 04:36 PM

>>> ALL YOUR PERSONAL FILES ARE DECODED <<<
 
Your personal code: 2040730796
 
To decrypt your files, you need to buy special software.
Do not attempt to decode or modify files, it may be broken.
To restore data, follow the instructions!
 
You can learn more at this site:
 
If a resource is unavailable for a long time to install and use the tor browser.
After you start the Tor browser you need to open this link http://4ujngbdqqm6t2c53.onion
 
 
Cryptolocker removed, but I have no backup and my disk was almost full, so I can't undelete the files. Any idea on how to decrypt my files?
Thanks in advance


#4 Demonslay335


Posted 12 May 2017 - 09:10 AM

We won't know anything until we get ahold of the malware to analyze whether it has a weakness. If you removed the malware, you can try to restore it to submit to us; otherwise, you shot yourself in the foot.




#5 StevyC


Posted 12 May 2017 - 09:50 AM

Now I had another attack from another ransomware; it encrypts other files with the .wncry extension. I really don't understand how it can be possible.

If you want, I have the folder with all the exe responsible for this new infection.



#6 Demonslay335


Posted 12 May 2017 - 09:53 AM

> Now I had another attack from another ransomware; it encrypts other files with the .wncry extension. I really don't understand how it can be possible.
>
> If you want, I have the folder with all the exe responsible for this new infection.

 

Were your files double-encrypted then, and have both extensions?

 

It is suspected that WannaCry 2.0 is coming through RDP hacks, and could be spread to other systems via SMB exploits. If you have RDP open to the world, and don't have the very latest security patches on all workstations, then you were probably easily susceptible to it.




#7 StevyC


Posted 12 May 2017 - 10:08 AM

No, I have some files encrypted with uiwix and some with wncry; fortunately it encrypted only a few files because I ended it in Task Manager.

How can I stop attack via RDP?

Thanks


Edited by StevyC, 12 May 2017 - 10:08 AM.


#8 quietman7


Posted 12 May 2017 - 10:09 AM

WCry ransomware explodes in massive distribution wave

#9 kafetero


Posted 12 May 2017 - 10:44 AM

I'm looking for a sample of wcry 2.0 to work on data recovery procedures, can somebody provide a link?

 

Thanks,



#10 rvrm


Posted 12 May 2017 - 04:05 PM

Hi, everyone. I just got a db server affected by this. We have quarantined the server in hopes of any future recovery option.

Does anybody know where the executable of the ransomware could be, or what names it could use?

 

Cheers.



#11 quietman7


Posted 12 May 2017 - 04:11 PM

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUserProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

Check the history logs and quarantine folders for your anti-virus and other security scanning tools to see if they found and removed any malware possibly related to the ransomware.
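An added triage helper, not code from the post above or from any of the tools mentioned in the thread, that turns that folder list into a scan: it expands the %VAR% locations against the environment of the machine being examined and lists .exe/.dll files written there recently, so a quarantined machine can be checked for candidates worth submitting. It assumes a Python 3.9+ interpreter on the affected Windows host; the environment mapping is passed in explicitly so the expansion can be checked offline.

```python
import os
import time
from pathlib import Path

# The variable-based locations from the post (%ProgramData% also covers the
# %AllUsersProfile% alias), expanded against the machine's environment.
LOCATION_TEMPLATES = (
    "%SystemDrive%\\", "%SystemRoot%\\", "%UserProfile%\\",
    "%UserProfile%\\AppData\\Roaming\\", "%AppData%\\", "%LocalAppData%\\",
    "%ProgramData%\\", "%Temp%\\",
)
EXEC_SUFFIXES = {".exe", ".dll"}


def expand_locations(env) -> list[str]:
    """Expand the %VAR% prefixes against env (case-insensitive keys), skipping
    unset variables and dropping duplicate paths such as %AppData% twice."""
    lookup = {k.lower(): v for k, v in env.items()}
    out: list[str] = []
    for template in LOCATION_TEMPLATES:
        name, _, rest = template[1:].partition("%")
        base = lookup.get(name.lower())
        if base is None:
            continue
        path = base.rstrip("\\") + "\\" + rest.strip("\\")
        path = path if path.endswith("\\") else path + "\\"
        if path.lower() not in (p.lower() for p in out):
            out.append(path)
    return out


def recent_executables(dirs, since: float, max_depth: int = 2) -> list[str]:
    """Return .exe/.dll paths under dirs with mtime >= since (epoch seconds).
    Depth is capped so %SystemDrive% is not a whole-disk walk; hidden folders
    such as %AppData% are walked like any other."""
    hits: set[str] = set()
    for root in dirs:
        root_path = Path(root)
        if not root_path.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(root_path):
            if len(Path(dirpath).relative_to(root_path).parts) >= max_depth:
                dirnames[:] = []                  # stop descending past max_depth
            for name in filenames:
                candidate = Path(dirpath, name)
                if candidate.suffix.lower() not in EXEC_SUFFIXES:
                    continue
                try:
                    if candidate.stat().st_mtime >= since:
                        hits.add(str(candidate))
                except OSError:
                    continue                      # locked or unreadable entry
    return sorted(hits)


if __name__ == "__main__":
    cutoff = time.time() - 3 * 24 * 3600          # executables touched in the last three days
    for hit in recent_executables(expand_locations(os.environ), cutoff):
        print(hit)
```

Compare the listing against the anti-virus quarantine and history logs mentioned above; a recently written executable in one of these folders that no installer accounts for is a candidate for submission, not proof by itself.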
