UIWIX Ransomware

By now we are all aware of what happened on May 12, 2017: a new variant of the Ransom.CryptXXX family (detected as Ransom.Wannacry) began spreading widely, impacting a large number of organizations, particularly in Europe.


Within a week, on May 17, 2017, another ransomware, namely UIWIX, was out to disrupt the market.


This ransomware arrives on a system as a file dropped by other malware, or as a file downloaded unknowingly by users visiting malicious sites. It connects to certain websites to send and receive information.

Figure 1 Ransom demand screen displayed by UIWIX Trojan

This ransomware avoids encrypting files with the following strings in their file name:

  • .com; .sys; boot.ini; Bootfont.bin; bootmgr; BOOTNXT; BOOTSECT.BAK; NTDETECT.COM; ntldr; NTUSER.DAT; PDOXUSRS.NET
  • \Windows; \Program Files

It avoids encrypting files on machines that have a locale set to Russia, Kazakhstan, or Belarus.

Microsoft solution:

Run antivirus or antimalware software. Use the following free Microsoft software to detect and remove this threat:

  • Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista

You should also run a full scan. A full scan might find hidden malware.

Advanced troubleshooting: To restore your PC, you might need to download and run Windows Defender Offline. See Microsoft’s advanced troubleshooting page for more help.


Threat Behavior:

This ransomware can arrive on a machine by leveraging the following vulnerability:

Figure 2 UIWIX Email


The malware creates the following named mutex:

  • hfdXrXzQBcKLlsrZ

The malware will not run if a debugger is present, or if any of the following virtualized or sandboxed environments are found:

  • Avast; Comodo; Cuckoo; Sandboxie; Sunbelt Sandbox; VirtualBox; VirtualPC; VMWare; WpePro


Attempts to encrypt files

The ransomware attempts to encrypt all the files on the machine, except for the following:

  • Files that are in the following folders:
    • <DRIVE_LETTER>:\Windows
    • <DRIVE_LETTER>:\Program Files
  • Files with file names that contain any of the following strings:
    • .com; .sys; boot.ini; Bootfont.bin; Bootmgr; BOOTNXT; BOOTSECT.BAK; NTDETECT.COM; Ntldr; NTUSER.DAT; PDOXUSRS.NET

It avoids encrypting files on machines that have a locale set to Russia, Kazakhstan, or Belarus.

Once encryption is carried out, the malware appends a unique identifier to the encrypted file, along with the “.UIWIX” extension.

For example, if a file named picture.jpg is encrypted, its resulting name will be picture.jpg._<identifier string>.UIWIX.

Demands ransom

A text file containing the ransom note, named _DECODE_FILES.txt, is also dropped in the malware’s current directory. The ransom note contains the following text:


    Your personal code: <identifier>

    To decrypt your files, you need to buy special software.
    Do not attempt to decode or modify files, it may be broken.
    To restore data, follow the instructions!

    You can learn more at this site:
    <TOR link>
    <TOR link>
    <TOR link>

    If a resource is unavailable for a long time to install and use the tor browser.
    After you start the Tor browser you need to open this link <TOR link>
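As an added triage helper for responders (not part of the original post or of Microsoft's description), the following Python parses the renaming scheme described above (`<name>._<identifier>.UIWIX`) to recover original file names, groups them by the appended identifier, picks out `_DECODE_FILES.txt` notes, and reads the "Your personal code" line so a note can be matched to the files it belongs to. The file listing and note text are constructed sample data, not from a real infection.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Encrypted-file naming described above: <original name>._<identifier>.UIWIX
UIWIX_NAME_RE = re.compile(r"^(?P<original>.+)\._(?P<ident>[^.\\/]+)\.UIWIX$", re.IGNORECASE)
RANSOM_NOTE = "_DECODE_FILES.txt"
NOTE_CODE_RE = re.compile(r"^\s*Your personal code:\s*(?P<ident>\S+)", re.MULTILINE)


def parse_uiwix_name(name):
    """Return (original_name, identifier) if name follows the UIWIX pattern, else None."""
    m = UIWIX_NAME_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("ident")


def extract_note_code(note_text):
    """Return the identifier printed after 'Your personal code:' in a ransom note, or None."""
    m = NOTE_CODE_RE.search(note_text)
    return m.group("ident") if m else None


def triage(paths):
    """Group encrypted files (with their original names restored) by identifier,
    and collect the paths of ransom notes. paths: Windows path strings from a listing."""
    by_ident = defaultdict(list)
    notes = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == RANSOM_NOTE.lower():
            notes.append(str(wp))
            continue
        parsed = parse_uiwix_name(wp.name)
        if parsed:
            original, ident = parsed
            by_ident[ident].append(str(wp.with_name(original)))
    return dict(by_ident), notes


# Constructed sample listing and note (placeholder identifier, not a real one)
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\picture.jpg._1234567890AB.UIWIX",
    r"C:\Users\alice\Documents\report.docx._1234567890AB.UIWIX",
    r"C:\Users\alice\Documents\_DECODE_FILES.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
]
SAMPLE_NOTE = "Your personal code: 1234567890AB\n\nTo decrypt your files, you need to buy special software.\n"
```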

Steals credentials

The malware can steal credentials and other information from the following browsers:

  • Chrome; Comodo Dragon; Microsoft Edge; Firefox; Internet Explorer; Opera; Safari; Yandex

It can also steal credentials from the following applications:

  • FileZilla; Jabber; Miranda; Outlook; Rdp; SmartFtp; Thunderbird; Windows Live

Attempts to connect to URLs

The malware may try to contact the following URLs:

  • http://<random characters>.onion/gt34987.php
  • https://netcologne.dl.sourceforge.net/project/cyqlite/3.8.5/sqlite-dll-win32-x86-3080500.zip
  • http://sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip

