
WannaCry distribution may have dropped, but the ransomware pandemic is not over.

As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has been spotted in the wild, exploiting the same Windows SMBv1 vulnerability (MS17-010) that WannaCry abuses through the EternalBlue exploit. Cyber criminals are quick to incorporate new vulnerabilities, especially ones that, like EternalBlue, can reach a very large number of targets.

[Please see the Later Edit below.]

As expected, and unlike WannaCry, this strain does not include a kill-switch domain.

We reckon that this is the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible until the necessary patch is applied.  

Uiwix works in the same way as other ransomware variants. When the encryption starts, it appends the .uiwix extension to every file it encrypts. Additionally, it drops a text file called “_DECODE_FILES.txt” that contains the payment demand for decryption.

The content of the text file is the following:

>> ALL YOUR PERSONAL FILES ARE DECODED <<<

Your personal code: [% unique ID%]

To decrypt your files, you need to buy special software.
Do not try to decode or modify files, it may be broken.

To restore data, follow the instructions!

You can learn more at this site:

https://4ujngbdqqm6t2c53.onion [.] two
https://4ujngbdqqm6t2c53.onion [.] cab
https://4ujngbdqqm6t2c53.onion [.] Now

If a resource is unavailable for a long time to install and use the tor browser.

After you start the Tor browser you need to open this link http://4ujngbdqqm6t2c53[.]onion

The Tor link takes the victim to a payment gateway, which charges 0.11943 bitcoin, about $218 at the time of writing.

[Image: Uiwix ransom note]
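The two host-level indicators described above (files renamed with a .uiwix suffix, and a _DECODE_FILES.txt note dropped beside them) are enough for a quick triage sweep of a suspect machine or file share. The Python script below is an added example, not code from the original alert or from any vendor tooling. It walks a directory tree, counts encrypted files per directory, recovers the original file names (the extension is appended, not substituted), and only reports a _DECODE_FILES.txt as a genuine note when its text carries the marker line reproduced from the note above, since a file name alone is weak evidence. The sample tree it builds is constructed for the demonstration.

```python
import os
import shutil
import tempfile
from collections import Counter

# Indicators taken from the alert above; everything else here is constructed.
ENCRYPTED_EXT = ".uiwix"
RANSOM_NOTE = "_DECODE_FILES.txt"
NOTE_MARKER = "ALL YOUR PERSONAL FILES ARE DECODED"


def sweep(root):
    """Walk `root` and collect Uiwix indicators: encrypted files per directory,
    the original names they were renamed from, and ransom notes. A file that is
    merely named _DECODE_FILES.txt is reported separately from one whose text
    carries the note's marker, because the name alone is weak evidence."""
    per_dir = Counter()
    originals = []
    real_notes, lookalike_notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
                originals.append(name[: -len(ENCRYPTED_EXT)])  # extension is appended, not replaced
            elif name == RANSOM_NOTE:
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        head = fh.read(4096)
                except OSError:
                    head = ""
                (real_notes if NOTE_MARKER in head else lookalike_notes).append(path)
    return {
        "encrypted_total": sum(per_dir.values()),
        "directories_hit": len(per_dir),
        "encrypted_per_dir": dict(per_dir),
        "original_names": sorted(originals),
        "ransom_notes": sorted(real_notes),
        "lookalike_notes": sorted(lookalike_notes),
    }


def build_constructed_tree(base):
    """Constructed sample tree (not a real infection): two hit directories
    with genuine notes, and a clean directory holding a look-alike note."""
    layout = {
        "Documents": ["report.docx" + ENCRYPTED_EXT, "budget.xlsx" + ENCRYPTED_EXT, RANSOM_NOTE],
        "Pictures": ["holiday.jpg" + ENCRYPTED_EXT, RANSOM_NOTE],
        "Clean": ["todo.txt", RANSOM_NOTE],
    }
    for sub, names in layout.items():
        folder = os.path.join(base, sub)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
                if name == RANSOM_NOTE and sub != "Clean":
                    fh.write(">>> " + NOTE_MARKER + " <<<\nYour personal code: [constructed]\n")
                else:
                    fh.write("constructed sample content\n")


def demo():
    """Build the constructed tree in a temp directory, sweep it, clean up."""
    base = tempfile.mkdtemp(prefix="uiwix-sweep-")
    try:
        build_constructed_tree(base)
        return sweep(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = sweep(target) if target else demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with a path to sweep a real tree (for example a mounted share), or with no argument to see the result on the constructed tree. Treat a directory with both encrypted files and a genuine note as confirmed; a lone look-alike note is worth a look but not a verdict.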

Uiwix poses an even bigger threat than WannaCry because it has no kill-switch domain: WannaCry stopped spreading once its domain was registered and became resolvable, and Uiwix offers no such lever. With nothing to register or sinkhole, the only protections available right now are to patch the affected operating systems (list in yesterday’s alert) and, where that is not yet possible, to disable SMBv1 and block SMB at the network boundary (see below).

Since the analysis is ongoing, we will add details about IoCs, C&Cs, the number of infections and affected countries shortly.

Later edit [May 16, 2017, 12 AM EST]:

For the moment, we will not be adding further technical details to this article. Our researchers (as well as others) have spotted the Uiwix sample in the wild and, as a consequence, we felt the responsible thing to do was to alert users that this strain is in circulation, so they can take preemptive measures, as we advised in this guide. Our efforts to obtain and fully analyze a sample after an attack have not been successful. Should anything change, we will update this alert to reflect the new situation. The title was also edited (originally “Security Alert: Uiwix Ransomware Is Here and It Can Be Worse Than Wannacry”).

Later edit [May 20, 2017, 9:30 AM EST] A researcher (not affiliated with Heimdal) managed to analyze and submit a Uiwix sample to VirusTotal. The current detection rate is 45/62.

What’s more, researchers have already uncovered a WannaCry strain that also doesn’t include the kill switch domain.

Europol has also confirmed that the threat is escalating and the number of infections is growing. It has now affected “more than 200,000 victims in 150 countries”.

The reasons behind this ransomware outbreak

This ransomware attack has become so extensive because it abuses security holes in the Windows SMBv1 server that most users have left unpatched, in spite of the critical update (MS17-010) that Microsoft released in March 2017.

SMB (Server Message Block Protocol):
This is a file sharing protocol that allows operating systems and applications to read and write files on a remote system and to request services from a server.


This protocol operates as an application-layer network protocol and it’s used to provide shared access to files, printers and other devices connected to a local network.

For the past 4 months, cyber security researchers, along with US-CERT, have warned that this protocol can expose systems to remote code execution and denial-of-service exploits.

Attackers can exploit these vulnerabilities directly wherever SMBv1 is enabled: the SMB client chooses which dialects it offers during negotiation, so an attacker simply connects to TCP port 445 and offers only SMBv1. A host that normally uses SMBv2 or SMBv3 is therefore still exploitable as long as it accepts SMBv1, and EternalBlue needs no man-in-the-middle position to do this. Separately, an attacker on the network path can downgrade a legitimate client’s SMB session to v1, which is the scenario behind the long-standing advice to disable SMBv1 even on systems that never intentionally use it.


Applying this patch depends on individual users and sysadmins, but also on hardware infrastructure and the cost of upgrading software to supported versions. It takes a concerted effort across a company as a whole, which is why vulnerabilities such as this one stay open long enough for cyber criminals to abuse them routinely.

However, we’ve never seen it happen at this level before.

If you can’t patch your systems, make sure that you disable Windows SMBv1:

Here is a useful link from Microsoft: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

However, US-CERT advises users and administrators to also ensure that they are “blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”

Actionable guide: How to Apply the Windows Update that Patches the EternalBlue SMB Exploit

Another way the infection can get into a network is through a vulnerable laptop that connects to a public Wi-Fi network, where other clients can typically reach its port 445, gets infected there, and then opens a VPN into the corporate network. The worm now scans from inside, past any boundary block on port 445, so the boundary block alone is not enough: the endpoint itself must be patched or have SMBv1 disabled.

So far, the cyber criminals behind the WannaCry spree have made around $26,000, but the damage incurred by companies and public organizations goes far beyond the ransom itself. That is why prevention plays the critical role.

We cannot emphasize enough how important preemptive security measures are, to keep WannaCry, Uiwix and other ransomware strains from self-replicating on your computer or in your networks.

Ensure that your endpoints are patched, isolate those that aren’t up to date, restrict access to SMB, and make sure adequate antimalware and antivirus protection is running.

*This article features cyber intelligence provided by CSIS Security Group researchers.


Comments

WANNACRY – 3rd Kill-Switch Domain & New Dropper

New WannaCry Dropper :

hxxp://50.87.6.157/ajax/wanacry[.]exe
hxxp://www.neiscoegypt.com/ajax/wanacry[.]exe

New WannaCry KillSwitchDomain :

hxxp://www.ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf[.]com/

looking forward to the virustotal

Do you still stand by this statement?

Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2

If so – can you share hashes please. Others haven’t identified this.

If this was a mistake – then that’s fine, but please edit your blog to say so.

Any updates on the IOCs?

You have the kill switch wrong. You should NOT block the domain, you should let your computers talk to it. Only then, Wannacry stops.

Hi Michalis! Our post was prior to the domain being registered. We have updated the post to reflect the current situation. We are not blocking the killswitch domain.

Unless my English fails me, I understand your wording is wrong:
“it does not include a kill switch domain which, when blocked, can contain its distribution”

Do you have a link to virustotal.com?

Hi Morten! We’ll update the article shortly to include it.

If you have any infected systems, try decrypting the encrypted files using this code ” WNcry@2ol7 “. This code worked fine for one of my friends.

Which decryptor did you use?
