Security Alert: Uiwix Ransomware Could Add to WannaCry Damage [Updated]
Cyber criminals are flooding the market with ransomware
WannaCry distribution may have dropped, but the ransomware pandemic is not over.
As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has been spotted in the wild, exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has. [Please see the Later Edit below.] As expected, this strain does not include a killswitch domain, like WannaCry did. We reckon that this is the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible until the necessary patch is applied. Uiwix works in the same way as other ransomware variants. When the encryption starts, it adds the .uiwix extension to all the infected files. Additionally, it will drop a text file called “_DECODE_FILES.txt” that contains the requirement for decryption payment. The content of the text file is the following: >> ALL YOUR PERSONAL FILES ARE DECODED <<< Your personal code: [% unique ID%] To decrypt your files, you need to buy special software. Do not try to decode or modify files, it may be broken. To restore data, follow the instructions! You can learn more at this site: https://4ujngbdqqm6t2c53.onion [.] two https://4ujngbdqqm6t2c53.onion [.] cab https://4ujngbdqqm6t2c53.onion [.] Now If a resource is unavailable for a long time to install and use the tor browser. After you start the Tor browser you need to open this link http://4ujngbdqqm6t2c53[.]onion The relevant TOR link moves the victim to a payment gateway, which charges 0.11943 bitcoins corresponding to about $218. 
Uiwix poses an even bigger threat than WannaCry ransomware because it does not include a kill switch domain which can contain its distribution. With no dial back option to block, the only way of protecting against it at the moment is to patch the affected operating systems (list in yesterday’s alert). Since the analysis is ongoing, we will add details about IoCs, C&Cs, the number of infections and affected countries shortly.
Later edit [May 16, 2017, 12 AM EST]:
For the moment, we will not be adding further technical details to this article. Our researchers (as well as others) have spotted the Uiwix sample in the wild and, as a consequence, we felt the responsible thing to do is to alert users that this strain is in circulation, so they can take preemptive measures, like we advised in this guide. Our efforts to obtain and fully analyze a sample after an attack have not been successful. Should anything change, we will properly update this alert to correspond the context. The title was also edited (originally called “Security Alert: Uiwix Ransomware Is Here and It Can Be Worse Than Wannacry”). Later edit [May 20, 2017, 9:30 AM EST] A researcher (not affiliated with Heimdal) managed to analyze and submit a Uiwix sample to VirusTotal. The current detection rate is 45/62. What’s more, researchers have already uncovered a WannaCry strain that also doesn’t include the kill switch domain. Also, Europol has also confirmed that the threat is escalating and the number of infections is growing. It has now affected “more than 200,000 victims in 150 countries”.
The reasons behind this ransomware outbreak
This ransomware attack has become so extensive because it abuses various security holes in Windows SMBv1 and SMBv2, which most users have left unpatched, in spite of the critical update released by Microsoft in March 2017.
Source. This protocol operates as an application-layer network protocol and it’s used to provide shared access to files, printers and other devices connected to a local network. For the past 4 months, cyber security researchers, along with US-CERT, have warned that this protocol can expose systems to remote code execution and denial-of-service exploits.
Attackers are easily able to exploit these vulnerabilities in a network if it’s enabled because, even when the system uses SMB v2 or v3, if the attacker can downgrade the communication to SMB v1, he can exploit the system. This is where the man-in-the-middle attack of a Windows SMB v1-enabled system can become an issue, even if it’s not being used.
Source. Applying this patch depends on individual users and sysadmins, but also on hardware infrastructure and costs to upgrade software to the newest versions. This requires concerted efforts from companies as a whole, which is why vulnerabilities such as this one leave backdoors that cyber criminals routinely abuse. However, we’ve never seen it happen at this level before.
Wow! I’ve put a SMB honeypot on the internet and I was infected by Wannacry in less than 3 minutes! pic.twitter.com/fNQxmUeW7G
— Benkow moʞuƎq (@benkow_) May 13, 2017
If you can’t patch your systems, make sure that you disable Windows SMBv1:
#WannaCry #ransomware If you can’t patch, disable SMBv1 – Microsoft support:https://t.co/5hYgOfGzUG pic.twitter.com/dld06sYQDn
— Patrick Coomans (@patrickcoomans) May 13, 2017
Here is a useful link from Microsoft: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server However, US-CERT advises users and and administrators to also ensure that they are “blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”
Actionable guide: How to Apply the Windows Update that Patches the EternalBlue SMB Exploit
Another way this attack can happen is when a vulnerable PC connects to a public Wi-fi network and goes directly online and then created a VPN for a corporate network. This could enable the infection to spread even further! So far, the cyber criminals behind the WannaCry spree have made around $26000, but the damage incurred by companies and public organizations goes far beyond the cost of the ransom itself. That is why prevention plays a critical role in our future going forward.
The people behind #WannaCry have collected ransom payments from 117 victims, totalling $30,000 – nothing compared to the damage they made. https://t.co/KeYu12bQ4a
— Mikko Hypponen (@mikko) May 14, 2017
We cannot emphasize enough how important preemptive security measures are, to keep WannaCry, Uiwix and other ransomware strains from self-replicating on your computer or in your networks. Ensure that your endpoints are patched, isolate those computers who aren’t up to date and restrict access to SMB, while also ensuring that you have adequate antimalware and antivirus protection running.
WANNACRY – 3rd Kill-Switch Domain & New Dropper
New WannaCry Dropper :
hxxp://50.87.6.157/ajax/wanacry[.]exe
hxxp://www.neiscoegypt.com/ajax/wanacry[.]exe
New WannaCry KillSwitchDomain :
hxxp://www.ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf[.]com/
looking forward to the virustotal
Do you still stand by this statement?
Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2
If so – can you share hashes please. Others haven’t identified this.
If this was a mistake – then that’s fine, but please edit your blog to say so.
Any updates on the IOCs?
You have the kill switch wrong. You should NOT block the domain, you should let your computers talk to it. Only then, Wannacry stops.
Hi Michalis! Our post was prior to the domain being registered. We have updated the post to reflect the current situation. We are not blocking the killswitch domain.
Unless my English fails me, I understand your wording is wrong:
“it does not include a kill switch domain which, when blocked, can contain its distribution”
Do you have a link to virustotal.com?
Hi Morten! We’ll update the article shortly to include it.
If you have any infected systems try decrypting the encrypted files using this code ” WNcry@2ol7 “. This code worked fine for one of my friend.
which decryptor u used?