UIWIX Ransomware

By now we are all aware of what happened on May 12, 2017: a new ransomware worm, WannaCry (detected as Ransom.Wannacry), began spreading widely and impacted a large number of organizations, particularly in Europe.

Within a week, on May 17, 2017, another ransomware family, UIWIX, appeared.

This ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users visiting malicious sites. It connects to certain websites to send and receive information.

Figure 1 Ransom demand screen displayed by UIWIX Trojan

This ransomware avoids encrypting files whose path or file name contains any of the following strings:

  • .com; .sys; boot.ini; Bootfont.bin; bootmgr; BOOTNXT; BOOTSECT.BAK; NTDETECT.COM; ntldr; NTUSER.DAT; PDOXUSRS.NET
  • \Windows; \Program Files

It avoids encrypting files on machines that have a locale set to Russia, Kazakhstan, or Belarus.

Microsoft solution:

Run antivirus or antimalware software. Use the following free Microsoft software to detect and remove this threat:

  • Windows Defender Antivirus for Windows 10 and Windows 8.1
  • Microsoft Security Essentials for Windows 7 and Windows Vista

You should also run a full scan. A full scan might find hidden malware. Note that removing the malware does not recover files it has already encrypted.

Advanced troubleshooting: To restore your PC, you might need to download and run Windows Defender Offline. See Microsoft's advanced troubleshooting page for more help.

Threat Behavior:

This ransomware can arrive on a machine by leveraging the following vulnerability:

Figure 2 UIWIX Email

Installation

The malware creates the following named mutex:

  • hfdXrXzQBcKLlsrZ

The malware will not run if a debugger is present, or if any of the following virtualized or sandboxed environments are detected:

  • Avast; Comodo; Cuckoo; Sandboxie; Sunbelt Sandbox; VirtualBox; VirtualPC; VMware; WpePro

A sample detonated in a stock VM or in one of these sandboxes will therefore show no activity at all; hide those artifacts or analyse it on bare metal before concluding the sample is inert.

Payload

Attempts to encrypt files

The ransomware attempts to encrypt all the files on the machine, except for the following:

  • Files that are in the following folders:
    • <DRIVE_LETTER>:\Windows
    • <DRIVE_LETTER>:\Program Files
  • Files with file names that contain any of the following strings:
    • .com; .sys; boot.ini; Bootfont.bin; Bootmgr; BOOTNXT; BOOTSECT.BAK; NTDETECT.COM; Ntldr; NTUSER.DAT; PDOXUSRS.NET

It avoids encrypting files on machines that have a locale set to Russia, Kazakhstan, or Belarus.

Once encryption is carried out, the malware appends a unique identifier to the encrypted file, along with the “.UIWIX” extension.

For example, if a file named picture.jpg is encrypted, its resulting name will be picture.jpg._<identifier string>.UIWIX.
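The targeting rules and the file-naming scheme above are enough to build a small triage helper. The following is an added example, not code from the original article or from Microsoft's write-up: it models the documented exclusion rules (so a responder can tell which files were never in scope) and recognises the ._<identifier>.UIWIX suffix and the ransom note in a directory listing. The listing and the identifier value are constructed, and the locale tags used for Russia, Kazakhstan and Belarus are an assumption about how the locale check is expressed.

```python
"""Added example, not code from the original article or from Microsoft's
write-up: model the targeting rules described above and recognise UIWIX's
output in a directory listing.

Two questions a responder asks after reading the behaviour description:
  1. would UIWIX have skipped this path? (the \\Windows and \\Program Files
     folders, the listed file-name substrings, the spared locales)
  2. which files in a listing carry the ._<identifier>.UIWIX suffix, what
     identifiers appear, and what were the original names?

The listing below is constructed for the example; the identifier is made up,
and the locale tags for Russia, Kazakhstan and Belarus are an assumption
about how the locale check is expressed.
"""
import re
from collections import defaultdict

# Folders excluded from encryption (matched after the drive letter).
EXCLUDED_FOLDERS = ("\\windows", "\\program files")

# File-name substrings the article lists as skipped. These are plain
# substring matches, so ".com" also spares a file like "invoice.company.pdf".
EXCLUDED_NAME_STRINGS = (
    ".com", ".sys", "boot.ini", "bootfont.bin", "bootmgr", "bootnxt",
    "bootsect.bak", "ntdetect.com", "ntldr", "ntuser.dat", "pdoxusrs.net",
)

# Assumed locale tags for the three spared countries.
SPARED_LOCALES = {"ru-RU", "kk-KZ", "be-BY"}

# picture.jpg._<identifier string>.UIWIX  ->  original name + identifier
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\._(?P<id>[^.\\/]+)\.UIWIX$", re.IGNORECASE)

RANSOM_NOTE = "_DECODE_FILES.txt"


def would_skip(path: str, locale: str = "en-US") -> bool:
    """True if the documented rules say UIWIX leaves this file alone."""
    if locale in SPARED_LOCALES:
        return True
    lowered = path.lower()
    no_drive = re.sub(r"^[a-z]:", "", lowered)   # "c:\windows\.." -> "\windows\.."
    if no_drive.startswith(EXCLUDED_FOLDERS):
        return True
    name = lowered.rsplit("\\", 1)[-1]
    return any(s in name for s in EXCLUDED_NAME_STRINGS)


def triage(paths, locale: str = "en-US") -> dict:
    """Classify a post-incident listing.

    encrypted: {identifier: [(encrypted_path, original_path), ...]}
    notes:     ransom-note paths (the note is dropped where the malware ran)
    skipped:   files the rules say were never in scope
    exposed:   in scope but not seen encrypted (check these first for damage)
    """
    result = {"encrypted": defaultdict(list), "notes": [], "skipped": [], "exposed": []}
    for p in paths:
        folder, sep, name = p.rpartition("\\")
        if name.lower() == RANSOM_NOTE.lower():
            result["notes"].append(p)
            continue
        m = ENCRYPTED_RE.match(name)
        if m:
            original = folder + sep + m.group("orig")
            result["encrypted"][m.group("id")].append((p, original))
            continue
        if would_skip(p, locale):
            result["skipped"].append(p)
        else:
            result["exposed"].append(p)
    result["encrypted"] = dict(result["encrypted"])
    return result


# Constructed listing from a hypothetical workstation; no real victim data.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx._4F2A9C1B7E.UIWIX",
    r"C:\Users\alice\Documents\_DECODE_FILES.txt",
    r"C:\Users\alice\Pictures\picture.jpg._4F2A9C1B7E.UIWIX",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Desktop\invoice.company.pdf",   # spared by the ".com" substring rule
    r"C:\Users\alice\NTUSER.DAT",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\Tool\tool.exe",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for ident, pairs in summary["encrypted"].items():
        print(f"identifier {ident}: {len(pairs)} encrypted file(s)")
        for enc, orig in pairs:
            print(f"  {orig}  ->  {enc}")
    print("ransom notes:", summary["notes"])
    print("skipped by rules:", summary["skipped"])
    print("exposed:", summary["exposed"])
```

Two things the run makes visible that the prose does not: the same identifier appears on every encrypted file of one infection, so grouping by it tells you whether one or several runs hit the share; and because the name exclusions are substring matches, ordinary documents whose names happen to contain ".com" or ".sys" survive untouched, which is worth knowing before assuming every remaining plain file is intact.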

Demands ransom

A text file containing the ransom note, named _DECODE_FILES.txt, is also dropped in the malware’s current directory. The ransom note contains the following text:

    >>> ALL YOUR PERSONAL FILES ARE DECODED <<<

    Your personal code: <identifier>

    To decrypt your files, you need to buy special software.
     Do not attempt to decode or modify files, it may be broken.
     To restore data, follow the instructions!

    You can learn more at this site:
     <TOR link>
     <TOR link>
     <TOR link>

    If a resource is unavailable for a long time to install and use the tor browser. 
     After you start the Tor browser you need to open this link <TOR link>

Steals credentials

The malware can steal credentials and other information from the following browsers:

  • Chrome; Comodo Dragon; Microsoft Edge; Firefox; Internet Explorer; Opera; Safari; Yandex

It can also steal credentials from the following applications:

  • FileZilla; Jabber; Miranda; Outlook; Rdp; SmartFtp; Thunderbird; Windows Live

Because of this, treat every credential saved on an infected host as compromised. Removing the malware does not undo the theft, so browser passwords and the FTP, RDP and mail logins listed above should be rotated after cleanup.

Attempts to connect to URLs

The malware may try to contact the following URLs:

  • http://<random characters>.onion/gt34987.php
  • https://netcologne.dl.sourceforge.net/project/cyqlite/3.8.5/sqlite-dll-win32-x86-3080500.zip
  • http://sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip

The .onion host name varies, so detection should key on the fixed path rather than the host. The last two URLs are legitimate download locations for the SQLite library, not attacker infrastructure, and should not be blocked wholesale; a workstation fetching that particular archive is a lead to correlate with the other indicators. Chrome and Firefox keep saved logins in SQLite databases, which is consistent with the credential theft described above.
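Turning those URLs into a proxy-log check is straightforward but the two indicator classes deserve different confidence levels. The following is an added example, not code from the original article: it parses a simple proxy log, flags the Tor callback by its fixed path and the SQLite archive by its exact file name, and separates clients worth isolating from clients that only merit a look. The log format, every log line and the .onion host name are constructed for the example.

```python
"""Added example, not code from the original article: scan web-proxy log lines
for the UIWIX network indicators listed above.

The two indicator classes need different handling:
  * the .onion callback: the host part is random, so match the TLD plus the
    fixed path /gt34987.php. High confidence.
  * the sqlite-dll-win32-x86-3080500.zip downloads: these hit legitimate
    sites (a SourceForge mirror and sqlite.org), so match the exact archive
    name and report it as low confidence. On its own it is a lead, not proof.

The log format (timestamp, client IP, method, URL, status) and every line
below are constructed for this example; the .onion hostname is made up.
"""
import re
from urllib.parse import urlsplit

ONION_PATH = "/gt34987.php"
SQLITE_ARCHIVE = "sqlite-dll-win32-x86-3080500.zip"
KNOWN_SQLITE_HOSTS = {"netcologne.dl.sourceforge.net", "sqlite.org"}  # hosts named in the article

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url: str):
    """Return (confidence, reason) for a URL that matches an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith(".onion") and parts.path == ONION_PATH:
        return ("high", "UIWIX Tor callback path")
    if parts.path.rsplit("/", 1)[-1].lower() == SQLITE_ARCHIVE:
        origin = "known mirror" if host in KNOWN_SQLITE_HOSTS else "other host"
        return ("low", f"SQLite DLL archive fetched by UIWIX ({origin})")
    return None


def scan_log(lines):
    """Parse each line and collect indicator hits; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_url(m.group("url"))
        if verdict is None:
            continue
        hits.append({
            "ts": m.group("ts"), "client": m.group("client"),
            "url": m.group("url"), "confidence": verdict[0], "reason": verdict[1],
        })
    return hits


def clients_to_isolate(hits) -> set:
    """Clients with at least one high-confidence hit."""
    return {h["client"] for h in hits if h["confidence"] == "high"}


def clients_to_review(hits) -> set:
    """Clients with only low-confidence hits: pull the host for a look, do not block sqlite.org."""
    return {h["client"] for h in hits} - clients_to_isolate(hits)


# Constructed proxy log: 10.0.0.23 shows the full UIWIX sequence, 10.0.0.88 only
# the archive download, 10.0.0.41 and 10.0.0.57 are benign noise.
SAMPLE_LOG = """\
2017-05-17T10:41:58Z 10.0.0.23 GET http://sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip 200
2017-05-17T10:41:59Z 10.0.0.23 GET https://netcologne.dl.sourceforge.net/project/cyqlite/3.8.5/sqlite-dll-win32-x86-3080500.zip 200
2017-05-17T10:42:01Z 10.0.0.23 GET http://w5k2pq7x3a.onion/gt34987.php 503
2017-05-17T10:42:05Z 10.0.0.41 GET https://www.sqlite.org/docs.html 200
2017-05-17T10:42:09Z 10.0.0.57 GET https://example.onion/index.html 200
2017-05-17T10:42:15Z 10.0.0.88 GET http://downloads.example.net/sqlite-dll-win32-x86-3080500.zip 200
this line is not in the expected format
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["client"]} [{h["confidence"]}] {h["reason"]}: {h["url"]}')
    print("isolate:", sorted(clients_to_isolate(found)))
    print("review: ", sorted(clients_to_review(found)))
```

The split matters operationally: a .onion request with that path from a workstation is enough to pull the host off the network, while the archive download alone only justifies a closer look, since developers and installers fetch the same file for legitimate reasons.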


Author: admin

Raghavendra Rao PV has more than 11 years of experience in Information Technology. He started his career as a software developer at Accenture in 2006 and then moved into Information Security. Prior to starting SecureFirst Solutions Private Limited, he worked with organizations including Accenture Services Private Limited, Tata Consultancy Services and Dell International Services. He is a Certified Ethical Hacker (CEH) and IBM Rational AppScan Certified.
