A little over a week ago, a member posted a topic in our forums looking for help regarding a new ransomware that they were infected with. For this particular victim, the ransomware was appending the _2883765424.UIWIX extension to their files and was creating ransom notes named _DECODE_FILES.txt. Over the next few days, a few more victims posted in the thread and we saw a growing number of encrypted files submitted to our malware submission system and ID-Ransomware.
Unfortunately, as hard as we tried, we were not able to find a sample of the Uiwix ransomware. That is, until a totally unrelated ransomware outbreak pushed the EternalBlue SMBv1 exploit into the spotlight. This past Friday, a massive ransomware outbreak called WannaCry was launched through a worm that infected computers using an alleged NSA exploit called EternalBlue.
This exploit allows attackers to gain access to vulnerable computers by exploiting a bug in the SMBv1 protocol, which Microsoft had patched back in March. Because of this, researchers set up SMB honeypots to look for WannaCry samples in the wild, which inadvertently led security researchers Benkow moʞuƎq and Kevin Beaumont to discover that Uiwix was using the same EternalBlue exploit to infect its victims.
"Actually, there are several ransomware over SMB today (ransomware UIWIX) pic.twitter.com/GD383kSaU3" (Benkow moʞuƎq, @benkow_, May 13, 2017)
"SMB EternalBlue honeypot in France just got hit with a new (?) ransomware - can anybody identify it? pic.twitter.com/iqJaq7eX0i" (Kevin Beaumont, @GossiTheDog, May 17, 2017)
While Uiwix is still being researched, there is some info that we can discern about how it works and how it spreads.
As already stated, Uiwix is currently infecting victims using the EternalBlue exploit. Rather than the ransomware being self-propagating like WannaCry, though, the Uiwix developers are most likely scanning for vulnerable computers and using a script to infect them.
Beaumont also reported that when a victim becomes infected with the ransomware, it is not written to disk. Instead, the ransomware runs directly from memory and begins infecting the computer. This makes it difficult for most security programs to properly detect that the program is running and thus prevent it from encrypting a victim's data.
This is why it is so important that everyone makes sure the MS17-010 security updates released by Microsoft for the EternalBlue vulnerability are installed. If you are no longer using a supported Windows version, Microsoft has released updates for Windows XP, Windows 8, and Windows Server 2003, which typically no longer receive security updates. For more information about these out-of-band updates, you can read the following story: Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decrypt0r.
While details are scant right now and more information will probably be available tomorrow, below is what we currently know about the Uiwix Ransomware.
Uiwix contains anti-VM checks that make it difficult to run in virtual machines. When run, the DLL detects whether it is executing under VMware, VirtualBox, Virtual PC, Sunbelt Sandbox, Sandboxie or Cuckoo, and whether the system is using VMware's Host-Guest File System (HGFS). If any of these checks matches, the DLL simply does nothing.
To check for virtual machines, Uiwix searches for the following virtual devices:
\\.\pipe\cuckoo
\\.\VBoxMiniRdrDN
\\.\VBoxGuest
\\.\pipe\VBoxMiniRdDN
\\.\VBoxTrayIPC
\\.\pipe\VBoxTrayIPC
\\.\HGFS
\\.\vmci
The files it checks for are:
SbieDll.dll
api_log.dll
dir_watch.dll
pstorec.dll
wpespy.dll
cmdvrt32.dll
SxIn.dll
snxhk.dll
dbghelp.dll
vmcheck.dll
VBoxHook.dll
VBoxMRXNP.dll
When a computer is encrypted with Uiwix, the ransomware creates a 10-digit victim code that is associated with the particular victim. This code is also used as part of the extension appended to encrypted files. When a file is encrypted by Uiwix, the ransomware appends ._[10_digit_victim_id].UIWIX to the file's name. For example, a file called test.jpg would be encrypted and then named test.jpg._1641661628.UIWIX.
It is currently not confirmed what encryption algorithm is being used to encrypt a victim's files, but based on strings in the executable it may be a mixture of AES and RC4.
When Uiwix encrypts a computer it will also create ransom notes named _DECODE_FILES.txt. These ransom notes contain instructions on how to connect to the ransomware's payment site in order to pay the ransom.
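As an added example (not code from the article or from the researchers quoted), a small incident-response triage helper that recognises the ._[10_digit_victim_id].UIWIX naming and the _DECODE_FILES.txt notes described above and groups encrypted files by victim id; the file listing it runs on is constructed for the demonstration.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Naming described in the article: <original name>._<10-digit victim id>.UIWIX
UIWIX_NAME = re.compile(r"^(?P<orig>.+)\._(?P<vid>\d{10})\.UIWIX$")
RANSOM_NOTE = "_DECODE_FILES.txt"


def parse_uiwix_name(filename: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, victim_id) for a Uiwix-renamed file, else None."""
    m = UIWIX_NAME.match(filename)
    if m is None:
        return None
    return m.group("orig"), m.group("vid")


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Group encrypted files by victim id and collect ransom note locations.

    More than one victim id in a single listing suggests that files from
    several hosts (or several infections) were mixed into one collection.
    """
    by_victim: Dict[str, List[str]] = defaultdict(list)
    notes: List[str] = []
    for path in paths:
        # Accept Windows or POSIX separators; only the final component is inspected.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        parsed = parse_uiwix_name(name)
        if parsed is not None:
            by_victim[parsed[1]].append(path)
        elif name == RANSOM_NOTE:
            notes.append(path)
    return {
        "victims": {vid: sorted(files) for vid, files in by_victim.items()},
        "ransom_notes": sorted(notes),
    }


# Constructed listing for demonstration; the victim id is the article's own example.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\test.jpg._1641661628.UIWIX",
    r"C:\Users\alice\Pictures\_DECODE_FILES.txt",
    r"C:\Users\alice\Documents\report.docx._1641661628.UIWIX",
    r"C:\Users\alice\Documents\notes.txt",            # untouched file
    r"C:\Users\alice\Documents\old.zip._123.UIWIX",   # 3 digits: not the Uiwix pattern
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for vid, files in result["victims"].items():
        print(f"victim id {vid}: {len(files)} encrypted file(s)")
    print("ransom notes:", result["ransom_notes"])
```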
Currently the payment site is located at http://4ujngbdqqm6t2c53.onion and demands a ransom payment of $200 USD.
There are also some strings that may indicate it tries to steal account information from IE, Firefox, Edge, FileZilla, Pidgin, and other programs. This needs to be confirmed and is stated solely on the basis of the strings found in the DLL.
As this ransomware is further researched and more details are available, I will update the article. In the meantime, for those who are infected or wish to discuss this ransomware, you can use our dedicated Uiwix Help & Support Topic.
The text of the _DECODE_FILES.txt ransom note:
>>> ALL YOUR PERSONAL FILES ARE DECODED <<<
Your personal code: [10_digit_victim_id]
To decrypt your files, you need to buy special software.
Do not attempt to decode or modify files, it may be broken.
To restore data, follow the instructions!
You can learn more at this site:
https://4ujngbdqqm6t2c53.onion.to
https://4ujngbdqqm6t2c53.onion.cab
https://4ujngbdqqm6t2c53.onion.nu
If a resource is unavailable for a long time to install and use the tor browser.
After you start the Tor browser you need to open this link http://4ujngbdqqm6t2c53.onion