Uiwix Ransomware Follows WannaCry's SMB-Targeting Lead

Life after WannaCry: Already, other cybercrime gangs appear to be jumping on the Windows server message block targeting bandwagon, including the operators behind Uiwix ransomware.

Thankfully, however, unlike the SMB-targeting WannaCry ransomware worm that took the world by storm beginning May 12, Uiwix poses very little threat, security researchers report.

While some early reports suggested that Uiwix was also spreading as a worm to automatically infect endpoints, those reports have now been dismissed by British security researcher Kevin Beaumont, who recently found a sample in the wild via a honeypot.

Instead, whoever is behind Uiwix appears to be manually scanning for systems that have the SMB flaw, then targeting them in an attempt to exploit the flaw and install the ransomware. According to a Shodan search, there are nearly 400,00 such systems - if not more - accessible via the internet.

Nasty SMB Flaw

Brief recap: A patch for the SMB flaw was released in March by Microsoft via its MS17-010 security updates of its supported systems, as well as May 12 for Windows XP, 2003 and 8.

A related attack tool built by the Equation Group - likely the National Security Agency - designed to exploit the SMB flaw was released April 14 by the Shadow Brokers, and called EternalBlue. The WannaCry outbreak targeted EternalBlue, as well as an Equation Group backdoor called DoublePulsar that was then installed on some infected endpoints, to spread (see Teardown: WannaCry Ransomware).

Since the attack tools were dumped, the number of endpoints infected with just the DoublePulsar backdoor software - not just by the Equation Group, but also enterprising attackers - apparently has reached more than 400,000.

Uiwix Goes Fileless

Unlike WannaCry, Uiwix appears to be fileless malware, security firm Trend Micro says in a blog post. "Uiwix is executed in memory after exploiting EternalBlue," it says. "Fileless infections don't entail writing actual files/components to the computer's disks, which greatly reduces its footprint and in turn makes detection trickier."

The ransomware is also designed to operate more cautiously than WannaCry. "Uiwix is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox," Trend Micro says. "Based on UIWIX's code strings, it appears to have routines capable of gathering the infected system's browser login, File Transfer Protocol (FTP), email, and messenger credentials."

Target: EternalBlue

WannaCry and Uiwix aren't the only pieces of malicious code that have been found in the wild targeting the MS17-10 - EternalBlue - vulnerability.

Security researchers report that cryptocurrency-mining malware called Adylkuzz also began exploiting the SMB flaw, apparently in late April - before WannaCry - to mine for virtual currency called monero. And there are signs that North Korea may be tied to both the WannaCry and Adylkuzz campaigns, although that has not been proven (see Is WannaCry the First Nation-State Ransomware?).

As with Uiwix, however, this Adylkuzz campaign - designed to install a cryptocurrency miner called cpuminer - poses little risk, security firm Symantec says in a blog post.

"Due to the effectiveness of [intrusion prevention systems] in proactively blocking infections, Symantec is observing low infections of Adylkuzz," the security firm reports.

Out of more than 44 million attempts to exploit the MS17-10 flaw against systems running Symantec software, fewer than 200 endpoints have been infected by Adylkuzz, the company says.

Lock It Down

The takeaway: Don't obsess over ransomware gangs attempting to jump on the WannaCry bandwagon. Instead, "focus on patching," Beaumont says via Twitter.

That's also the top recommendation from the U.S. Computer Emergency Response Team, part of the Department of Homeland Security, which has issued guidance for blocking WannaCry, or any other malicious code that targets the SMB flaw.

Check every Windows system in the enterprise to ensure that it isn't using SMBv1, which is enabled by default, even in Windows 10 and Windows Server 2016.

While the EternalBlue exploit - which dates from 2013 - didn't exploit the latest Windows operating systems, a security researcher has now ported EternalBlue so it will work on any 64-bit Windows 8 and Windows Server 2012 systems that have SMB enabled and not blocked by a firewall.

Of course, it's likely that whoever built EternalBlue - believed to the NSA - and anyone else who may have independently discovered the flaw and also been using it had already updated their attack tools to do the same.

So if you haven't started already, get patching.