Chinese government authorities have warned against a new ransomware named “Uiwix”, which is being tested in the wild. This new ransomware is lethal in both its execution and its spread. The virus spreads through memory-based services that run between networked computers.
The sudden havoc created by the WannaCry and Uiwix ransomware has left people dumbstruck. The ransomware is meant to infect an entire computer network through a root that cannot be identified.
Just like WannaCry, Uiwix encrypts your files and folders and makes them inaccessible until you pay the ransom. This ransomware spreads through a local-area network, i.e. even if your computer is not connected to the internet, it can be infected and compromised. The core reason why your anti-virus or other security updates are ineffective against this attack is the way it executes.
Modus Operandi of Uiwix
Uiwix spreads through Server Message Block (SMB), the file-transfer and identification service of Microsoft Windows. Through SMB, a network identifies a packet of information by its name and lets your system process it. It could be any file, such as an internal communication chat system or a file-transfer service that is marked safe for use by the system by default.
It is a fileless, memory-based execution that cannot be checked before it has infected your computer. It is undetectable and untraceable; you cannot find its source and origin with normal security lookups.
Unlike WannaCry, Uiwix uses different bitcoin addresses for the ransom. It evolves and executes based on your user data stored in the memory of your computer. Since it leaves no physical evidence, it is almost impossible for security updates to find its root and decrypt your files. That means each infected system needs a separate key to decrypt its files, and there is no universal solution for all.
The only viable solution is to keep a backup of your important files on a cloud-based system or a hard drive. Since the Uiwix ransomware doesn’t execute on virtual machines or sandboxes (VMware, VirtualBox, Virtual PC, Sandboxie, Cuckoo etc.), your data will remain safe on such systems, as the DLL will not execute there.
Since Uiwix gathers all your data, from your surfing habits to your passwords and messenger chats, it is advisable to change your passwords from an Android- or iOS-based phone, as these cannot be infected by the virus.
The Uiwix ransomware is fairly new and little information is available about its execution. Some sites urge users to install the Tor browser and visit .onion sites to gather more information about the attack. This seems counterintuitive, as accessing Tor may leave your system vulnerable to such threats.
User discretion is advised before blindly following any instruction on such websites. In order to keep your system safe from such vulnerabilities, follow these three steps:
- Update all your system files and install the patches provided by Microsoft.
- Ironclad firewall: check your firewall settings and restore them to the strongest security mode.
- Avoid opening emails from unknown senders, and do not open or download attachments from such emails. If you have to, use a virtual server or machine to keep your system safe.
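As an added example that is not part of the original article, the following PowerShell audits the first two steps above on a Windows host and can enforce them. It assumes the SMB exposure to close is SMBv1 on TCP 445, that it runs in an elevated session on Windows 8 / Server 2012 or later (where the SmbShare and NetSecurity modules exist), and the function and rule names are hypothetical.

```powershell
# Added example (not from the article): audit the host-side controls the steps
# above call for, and optionally enforce them with -Remediate.
# Assumptions: SMBv1 on TCP 445 is the exposure to close; elevated PowerShell on
# Windows 8 / Server 2012 or later. Function and rule names are hypothetical.
function Test-UiwixHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = @()

    # 1. SMBv1: the legacy dialect worms abuse to spread across a LAN. Disable it
    #    on the SMB server and remove the optional feature entirely.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += "SMBv1 is enabled on the SMB server"
        if ($Remediate) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }

    # 2. Firewall: every profile on, inbound blocked by default, and an explicit
    #    rule refusing inbound SMB (445) on the Public profile (untrusted LANs).
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled -or $p.DefaultInboundAction -ne 'Block') {
            $findings += "Firewall profile '$($p.Name)' is off or allows inbound by default"
            if ($Remediate) {
                Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
            }
        }
    }
    $rule = Get-NetFirewallRule -DisplayName 'Block inbound SMB (Public)' -ErrorAction SilentlyContinue
    if (-not $rule) {
        $findings += "No explicit rule blocking inbound TCP 445 on the Public profile"
        if ($Remediate) {
            New-NetFirewallRule -DisplayName 'Block inbound SMB (Public)' -Direction Inbound `
                -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
        }
    }

    # 3. Patch level: show the newest installed updates so the reader can confirm
    #    Microsoft's patches were actually applied on this host.
    $recent = Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, InstalledOn

    [pscustomobject]@{ Findings = $findings; RecentHotfixes = $recent }
}

Test-UiwixHardening   # audit only; run with -Remediate to enforce the settings
```

An empty `Findings` list means SMBv1 is off and all three firewall profiles block inbound traffic by default; the hotfix list is for manual comparison against the patches Microsoft released for this attack.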
Periodically scan your system files for Trojans and other malware. A Trojan named Adylkuzz has also been found on infected systems, mining cryptocurrency on the user's system in stealth mode. So beware of the next ransomware attack!
About the Author
This article was written by Sejal Parmar. Sejal is a security researcher and a ghost writer at http://ransomwares.net/. She mostly covers issues and solutions related to ransomware.