UIWIX was identified a few days after the WannaCry ransomware outbreak that impacted countries and sectors across the globe. Trend Micro obtained a sample and determined that UIWIX uses the same EternalBlue exploit that WannaCry used against the Microsoft Windows Server Message Block (SMB) vulnerability for which Microsoft issued a patch on March 14, 2017. However, there are a number of stark differences between the two variants, the main one being that UIWIX appears to be fileless malware. UIWIX executes in memory and does not write actual files or components to the infected system's drives, making detection more difficult. It also arrives as a DLL file rather than an executable. If it detects the presence of a virtual machine (VM) or sandbox, UIWIX terminates itself to evade detection and analysis. It also terminates itself if it detects that the system it has infected is located in Russia, Kazakhstan, or Belarus. Unlike WannaCry, UIWIX does not contain any features that allow it to maintain persistence on a machine, and it cannot propagate itself. It also does not contain a "kill switch" within its code. UIWIX appends _[uniqueID].UIWIX to the names of encrypted files, drops a ransom note named _DECODE_FILES.txt, and demands a ransom payment of $200 in Bitcoin. It also uses a unique Bitcoin wallet for each victim.
- Trend Micro provides more information about UIWIX, including IoCs, here.
- Heimdal Security also provides information about UIWIX here.
- The NJCCIC is not currently aware of any publicly available decryption tool for UIWIX.
- For more information about fileless malware, please see the NJCCIC Threat Analysis product, Fileless: Evasive Intrusion Tactics Pose Challenge for Network Defense.
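Although UIWIX runs in memory, the profile above names two artifacts it does leave on disk: file names with _[uniqueID].UIWIX appended and the _DECODE_FILES.txt ransom note. The following Python script is an added example, not NJCCIC or Trend Micro tooling, that sweeps a directory tree for those two artifacts and summarises what it finds, including the per-victim unique ID. It assumes the unique ID is alphanumeric (the profile does not state its format) and builds its own constructed sample directory so it runs offline.

```python
"""Added example (not NJCCIC's or Trend Micro's tooling): sweep a directory
tree for the two on-disk UIWIX artifacts named in the profile above."""
import os
import re
import tempfile
from collections import Counter

# Artifact names come from the profile. The alphanumeric form of the
# unique ID is an assumption; widen the character class if samples differ.
RANSOM_NOTE = "_DECODE_FILES.txt"
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)_(?P<uid>[A-Za-z0-9]+)\.UIWIX$")


def classify(name):
    """Return ('note', None), ('encrypted', uid) or (None, None) for one file name."""
    if name == RANSOM_NOTE:
        return ("note", None)
    m = ENCRYPTED_RE.match(name)
    if m:
        return ("encrypted", m.group("uid"))
    return (None, None)


def scan_tree(root):
    """Walk root and summarise UIWIX artifacts found beneath it."""
    encrypted = []
    notes = []
    ids = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind, uid = classify(fname)
            if kind == "encrypted":
                encrypted.append(os.path.join(dirpath, fname))
                ids[uid] += 1
            elif kind == "note":
                notes.append(os.path.join(dirpath, fname))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "unique_ids": dict(ids),          # one ID per victim, per the profile
        "suspected_infection": bool(encrypted) or bool(notes),
    }


def build_sample_tree():
    """Constructed sample: a throw-away directory mimicking an affected share."""
    root = tempfile.mkdtemp(prefix="uiwix_demo_")
    layout = {
        "Documents": ["budget.xlsx_ABC123.UIWIX", "notes.txt_ABC123.UIWIX", RANSOM_NOTE],
        "Pictures": ["holiday.jpg", "family.png_ABC123.UIWIX"],
        "Untouched": ["readme.md", "report_final.docx"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed placeholder bytes")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    print(f"suspected infection: {result['suspected_infection']}")
    print(f"encrypted files: {len(result['encrypted_files'])}")
    print(f"ransom notes: {result['ransom_notes']}")
    print(f"victim IDs seen: {result['unique_ids']}")
```

Because UIWIX has no persistence mechanism, a sweep like this is most useful for scoping which shares and hosts were touched and for pulling the unique ID that ties a set of files to one ransom note; it does not detect the in-memory DLL itself.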