
The following information was obtained from the different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

Uiwix is another ransomware variant that exploits the same Windows vulnerability as WannaCry, in the Server Message Block (SMB) v1 and v2 protocol. SMB is a file-sharing protocol that allows operating systems and applications to read and write data on a remote system and to request services from a server. It operates as an application-layer network protocol and is used to provide shared access to files, printers and other devices connected to a local area network.

The Uiwix strain does not include a kill-switch domain (the mechanism that was instrumental in shutting down the spread of WannaCry), while retaining the same self-replicating ability. It aims to exploit the vulnerability and infect as many devices as possible until the necessary patch is applied. Otherwise it works in the same way as other ransomware variants: as encryption starts, it appends the .uiwix extension to every encrypted file and drops a text file called “_decode_files.txt” that contains the payment demand for decryption.

Uiwix poses a bigger threat than WannaCry because it has no kill-switch domain that would contain its distribution. With no dial-back domain to block, the only way to protect a system against it is to patch the affected operating system.

Uiwix uses a different Bitcoin address for each victim it infects. If the victim accesses the URLs (Uniform Resource Locators) in the ransom note, the site asks for a “personal code” that is also included in the ransom note and prompts the user to sign up for a Bitcoin wallet.


RECOMMENDATION

PNP personnel and the public are advised to follow the best practices listed below to protect against this ransomware:

• Always patch and update your operating system as well as your anti-virus and anti-malware software;
• Ensure that anti-virus solutions are set to automatically conduct scanning;
• If you cannot patch your systems, make sure that you disable Windows SMBv1 and SMBv2;
• Ensure that endpoints are patched, isolate those computers that are not up to date and restrict access to SMB;
• Enable your firewalls as well as intrusion detection and prevention systems;
• Proactively monitor and validate traffic going in and out of the network;
• Implement security mechanisms for other points of entry attackers can use, such as email and websites;
• Deploy application control to prevent suspicious files from executing, on top of behavior monitoring that can thwart unwanted modifications to the system; and
• Employ data categorization and network segmentation to mitigate further exposure and damage to data.
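The two file-system indicators named in the summary (the .uiwix extension and the _decode_files.txt ransom note) can be checked for directly on a file share or endpoint when validating a suspected infection. The script below is an added example, not part of the bulletin or any PNP ACG tooling; it builds a constructed sample directory, walks it, and reports which directories hold either indicator. Presence of the indicators is grounds to isolate the host and restrict its SMB access, not proof of which strain is involved.

```python
"""Scan a directory tree for the file-system indicators named in this bulletin:
files renamed with the .uiwix extension and the _decode_files.txt ransom note."""
import os
import tempfile

ENCRYPTED_EXT = ".uiwix"           # extension Uiwix appends to encrypted files
RANSOM_NOTE = "_decode_files.txt"  # ransom note it drops beside them


def scan_tree(root):
    """Walk root and return the paths matching each indicator plus the
    directories that hold either one (sorted, so output is stable)."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Match case-insensitively: NTFS shares preserve but ignore case.
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name.lower() == RANSOM_NOTE:
                notes.append(path)
    infected_dirs = sorted({os.path.dirname(p) for p in encrypted + notes})
    return {"encrypted": encrypted, "notes": notes, "dirs": infected_dirs}


def build_sample_share():
    """Construct a throw-away directory mimicking a partly hit file share
    (constructed sample data for the demo, not a real capture)."""
    root = tempfile.mkdtemp(prefix="uiwix_demo_")
    hit, clean = os.path.join(root, "finance"), os.path.join(root, "hr")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("budget.xlsx.uiwix", "report.docx.UIWIX", RANSOM_NOTE):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "handbook.pdf"), "w").close()
    return root


if __name__ == "__main__":
    found = scan_tree(build_sample_share())
    print(f"{len(found['encrypted'])} encrypted files, {len(found['notes'])} "
          f"ransom notes; affected directories: {found['dirs']}")
```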

For additional information, please refer to the following websites:

https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/
https://www.theregister.co.uk/2017/05/17/uiwix_ransomware_damp_squib/
http://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/

POINT OF CONTACT

Please contact CSRAD, PNP ACG for any inquiries related to this CYBER SECURITY BULLETIN by e-mail or call 7230401 local 5337.