First posted on 19 May 2017.
There are no other names known for Ransom:Win32/Uiwix.A!rsm.
This ransomware can arrive on a machine by leveraging the following vulnerability:
- Microsoft Windows SMB Server (MS17-010) Vulnerability
The malware creates the following named mutex:
The malware will not run if a debugger is present, or if any of the following virtualized or sandboxed environments are detected:
- Sunbelt Sandbox
Attempts to encrypt files
The ransomware attempts to encrypt all the files on the machine, except for the following:
- Files that are in the following folders:
- Files with file names that contain any of the following strings:
It does not encrypt files on machines whose system locale is set to Russia, Kazakhstan, or Belarus.
Once a file is encrypted, the malware renames it by appending a unique identifier followed by the ".UIWIX" extension.
For example, if a file named picture.jpg is encrypted, its resulting name will be picture.jpg._.UIWIX.
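The renaming scheme above gives an incident responder a cheap way to scope an infection from file names alone. The following is an added example, not code from the original page or from the malware analysis: an offline triage scanner that walks a directory tree, recognises files renamed with the ".UIWIX" scheme, recovers their original names, collects the per-file identifiers, and locates the dropped _DECODE_FILES.txt notes. It assumes (the page does not say) that the identifier sits between the "._" marker and ".UIWIX" and may be empty, as in the page's own picture.jpg._.UIWIX example; the directory tree it scans is constructed sample data, and the identifier 1A2B3C4D in it is hypothetical.

```python
"""Offline triage helper for files renamed with the ".UIWIX" scheme.

Added example, not code from the original page. Assumptions not stated on
the page: the per-file identifier sits between the "._" marker and ".UIWIX",
and it may be empty (the page's example is picture.jpg._.UIWIX).
"""
import os
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "_DECODE_FILES.txt"  # ransom note file name given on the page

# <original name>._<identifier>.UIWIX ; identifier may be empty.
UIWIX_NAME = re.compile(r"^(?P<original>.+)\._(?P<ident>[^.]*)\.UIWIX$",
                        re.IGNORECASE)


def parse_uiwix_name(name):
    """Return (original_name, identifier) for a Uiwix-renamed file, else None."""
    m = UIWIX_NAME.match(name)
    if not m:
        return None
    return m.group("original"), m.group("ident")


def scan_tree(root):
    """Walk `root`; collect encrypted files, ransom notes and identifiers seen."""
    result = {"encrypted": [], "notes": [], "identifiers": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE.lower():
                result["notes"].append(path)
                continue
            parsed = parse_uiwix_name(name)
            if parsed:
                original, ident = parsed
                result["encrypted"].append((path, original, ident))
                if ident:
                    result["identifiers"].add(ident)
    return result


def triage(root):
    """Summarise a scan: counts, identifiers and the recovered original names."""
    found = scan_tree(root)
    return {
        "encrypted_count": len(found["encrypted"]),
        "note_count": len(found["notes"]),
        "identifiers": sorted(found["identifiers"]),
        "originals": sorted(orig for _p, orig, _i in found["encrypted"]),
    }


def build_sample_tree(root):
    """Populate `root` with a constructed directory tree (sample data, not
    taken from a real infection) so the scanner can be exercised offline."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    samples = {
        "picture.jpg._.UIWIX": b"",                 # the page's example name
        "docs/report.docx._1A2B3C4D.UIWIX": b"",    # hypothetical identifier
        "docs/budget.xlsx._1A2B3C4D.UIWIX": b"",
        "docs/notes.txt": b"untouched",             # not encrypted
        "archive.UIWIX": b"",                       # no "._" marker: no match
        RANSOM_NOTE: b">>> ALL YOUR PERSONAL FILES ARE DECODED <<<\n",
    }
    for rel, data in samples.items():
        (root / rel).write_bytes(data)
    return root


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it on a mounted image of the affected volume by calling `triage(path)`; a single identifier across every encrypted file is consistent with one infection on that host, while several identifiers suggest files copied in from other victims. Original names are recovered from the file name only; the content is still encrypted.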
A text file containing the ransom note, named _DECODE_FILES.txt, is also dropped in the malware's current directory. The ransom note contains the following text:
>>> ALL YOUR PERSONAL FILES ARE DECODED <<<
Your personal code:
To decrypt your files, you need to buy special software.
Do not attempt to decode or modify files, it may be broken.
To restore data, follow the instructions! You can learn more at this site:
If a resource is unavailable for a long time to install and use the tor browser.
After you start the Tor browser you need to open this link
Steals credentials
The malware can steal credentials and other information from the following browsers:
- Comodo Dragon
- Microsoft Edge
- Internet Explorer
It can also steal credentials from the following applications:
- Windows Live
Attempts to connect to URLs
The malware may try to contact the following URLs:
Analysis by Andrea Lelli
Last update 19 May 2017