Remove UIWIX Ransomware – Restore .UIWIX Files (Update May 2017)

This article explains how to remove the UIWIX ransomware and how to attempt recovery of files that have been encrypted and given the .UIWIX extension.

The UIWIX ransomware infection, first spotted in early May 2017, has been reported to be spreading widely and to take advantage of new exploits. And not just any exploits: the same SMB exploits used by WannaCry ransomware. Because of that, the virus may also spread automatically from machine to machine, as WannaCry does, and users are warned to be just as careful with this infection. If your computer has been infected by UIWIX, the recommendation is to remove it and then attempt to restore the files it encrypted, following the material below.

Threat Summary

Name: .UIWIX Ransomware
Type: Ransomware
Short Description: Encrypts important files on the computers it infects and then demands a ransom of 0.12 BTC to decrypt them.
Symptoms: Adds the .UIWIX extension to every encrypted file, then demands payment in a ransom note named _DECODE_FILES.txt.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript, or a drive-by download of the obfuscated malware itself.

.UIWIX Ransomware – How Does It Infect

The infection process of this ransomware combines several different tools:

  • The SMBv1 exploit used by WannaCry ransomware (EternalBlue, addressed by the MS17-010 patch).
  • Malicious macros.
  • Infection software (droppers, loaders).
  • Malicious spamming software.
  • Worm or botnet infections.
  • A pre-configured list of e-mail addresses to spam.

This may result in several different kinds of spam e-mail being sent out, carrying various malicious files as attachments. The files are presented as legitimate documents inside convincing messages, like the one in the example below:

Some e-mails may instead carry documents with embedded malicious macros; the document claims its content can only be viewed once macros are enabled, and enabling them triggers the infection:

Other ways the .UIWIX file virus spreads involve more sophisticated malware: botnet infections, Trojans that have previously compromised the system, and worms that propagate automatically from computer to computer.

.UIWIX File Ransomware – Malicious Activity

Once the infection has taken place, the loader of UIWIX ransomware drops the malicious files of the virus into various Windows folders under different names, for example:

After the files are dropped, UIWIX ransomware obtains administrative permissions on the victim's computer. Once it has them, the virus may focus on deleting:

  • System Restore Points.
  • Windows shadow copies.

It achieves this by running the bcdedit and vssadmin commands with elevated privileges from the Windows command prompt. These two commands are among the most reliable early indicators of ransomware activity, since legitimate software rarely deletes all shadow copies silently or disables Windows recovery:
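The two commands above are exactly what a detection engineer looks for in process-creation telemetry. The following is an added example written for this page, not code from the original article or from the malware: it parses constructed Sysmon-style process-creation lines (the field layout, paths and file names are assumptions of the example) and flags shadow-copy deletion and boot-recovery tampering. It goes beyond the page's two commands by also matching the wmic and wbadmin variants other ransomware families use, and it records whether the utility was spawned from a user-writable folder, which is the second signal worth keeping.

```python
import re

# Constructed Sysmon Event ID 1 style lines (the exact field layout is an assumption
# of this example). Paths and names are invented; they are not indicators from the page.
SAMPLE_LOG = r"""
2017-05-15 10:01:02 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Users\victim\AppData\Local\Temp\xyz.exe
2017-05-15 10:01:03 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no" ParentImage=C:\Users\victim\AppData\Local\Temp\xyz.exe
2017-05-15 10:01:04 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures" ParentImage=C:\Users\victim\AppData\Local\Temp\xyz.exe
2017-05-15 10:05:00 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\Windows\System32\cmd.exe
2017-05-15 10:06:00 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Users\victim\AppData\Roaming\svc.exe
2017-05-15 10:07:00 Image=C:\Program Files\Backup\backup.exe CommandLine="backup.exe --full" ParentImage=C:\Windows\explorer.exe
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) Image=(?P<image>.+?) CommandLine="(?P<cmd>[^"]*)" ParentImage=(?P<parent>.+)$'
)

# Rule name -> command-line pattern. The first two cover the vssadmin/bcdedit commands
# the article mentions; wmic and wbadmin are common equivalents seen in other families.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("boot_status_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# A system utility spawned from a user-writable folder is a strong secondary signal.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a process event."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matched_rules(cmd):
    """Names of all rules that fire on a command line, in RULES order, without duplicates."""
    hits = []
    for name, rx in RULES:
        if rx.search(cmd) and name not in hits:
            hits.append(name)
    return hits


def scan(log_text):
    """Run every rule over every parsable line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        rules = matched_rules(ev["cmd"])
        if rules:
            findings.append({
                "ts": ev["ts"],
                "cmd": ev["cmd"],
                "parent": ev["parent"],
                "rules": rules,
                "suspicious_parent": bool(USER_WRITABLE.search(ev["parent"])),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "!" if f["suspicious_parent"] else " "
        print(f"{flag} {f['ts']} {','.join(f['rules'])}: {f['cmd']}  (parent: {f['parent']})")
```

Note that "vssadmin list shadows" is deliberately not matched: administrators run it routinely, and alerting on it would bury the real signal. The constructed sample yields four findings, all spawned from a user-writable path.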

Once that is done, the ransomware may also heavily modify the Windows Registry, targeting the Run and RunOnce keys at the following locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In those keys, UIWIX ransomware may create multiple values with random names and custom data, so that its executable is launched again each time Windows starts.
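To triage the four Run and RunOnce keys listed above, here is an added example (written for this page, not code from the original article or from the malware). It scores each autostart value on two hints the paragraph above gives: a random-looking value name and an executable that lives in a user-writable folder. The snapshot of key contents, the value names and the paths are constructed for the example; the live collector at the end reads the same four keys with Python's winreg module on a Windows host.

```python
import re
import sys

# Constructed snapshot of the four Run/RunOnce keys named in the article. The value
# names and paths are invented for this example and are not indicators from the page.
SAMPLE_RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "xkqzrwtbv": r"C:\Users\victim\AppData\Local\Temp\xkqzrwtbv.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "a7f3k9d2qx": r"C:\ProgramData\a7f3k9d2qx\svc.exe",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce": {},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce": {},
}

# Folders a normal installer rarely uses for an autostart binary but droppers often do.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
EXE_RE = re.compile(r'"?([^"]+?\.exe)', re.I)


def looks_random(name):
    """Heuristic for machine-generated value names: few vowels, digit/letter mixes,
    or long consonant runs. Deliberately simple; it is a triage hint, not proof."""
    n = name.lower()
    if len(n) < 6:
        return False
    letters = [c for c in n if c.isalpha()]
    digits = sum(c.isdigit() for c in n)
    vowels = sum(c in "aeiouy" for c in letters)
    if letters and vowels / len(letters) < 0.2:
        return True
    if 3 <= digits < len(n):
        return True
    return re.search(r"[bcdfghjklmnpqrstvwxz]{5}", n) is not None


def executable_path(data):
    """Strip quoting and arguments from a Run value so only the .exe path is inspected."""
    m = EXE_RE.search(data)
    return m.group(1) if m else data


def assess(key, name, data):
    """Score one autostart value: one point for a random-looking name, one for an
    executable in a user-writable folder. Two points means 'review now'."""
    reasons = []
    if looks_random(name):
        reasons.append("random-looking value name")
    if USER_WRITABLE.search(executable_path(data)):
        reasons.append("executable in user-writable folder")
    return {"key": key, "name": name, "data": data, "score": len(reasons), "reasons": reasons}


def find_suspicious(run_keys, threshold=2):
    """Return every value across all keys whose score reaches the threshold."""
    results = [assess(k, n, d) for k, vals in run_keys.items() for n, d in vals.items()]
    return [r for r in results if r["score"] >= threshold]


def collect_live():
    """On a Windows host, read the same four keys with winreg and return the same
    structure as SAMPLE_RUN_KEYS so find_suspicious() can run on real data."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; use the sample snapshot elsewhere")
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    out = {}
    for full in SAMPLE_RUN_KEYS:
        hive_name, _, subkey = full.partition("\\")
        values = {}
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    values[name] = str(data)
                    i += 1
        except OSError:
            pass
        out[full] = values
    return out


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_RUN_KEYS):
        print(hit["score"], hit["key"], hit["name"], "->", hit["data"], ";", ", ".join(hit["reasons"]))
```

The threshold of two is deliberate: the constructed OneDrive entry also runs from AppData, so a path check alone produces noise; it is the combination of an unreadable name and an odd location that earns a manual look.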

In addition to dropping its malicious files on the compromised computer, UIWIX ransomware also drops a ransom note in a text file named _DECODE_FILES.txt, with the following content:

>>> ALL YOUR PERSONAL FILES ARE DECODED <<<
Your personal code: {uniqueID}
To decrypt your files, you need to buy special software.
Do not attempt to decode or modify files, it may be broken.
To restore data, follow the instructions!
You can learn more at this site: {TOR-based web page}
If a resource is unavailable for a long time to install and use the tor browser.
After you start the Tor browser you need to open this link {TOR URL}

The note directs the victim to a custom Tor-based web page where, after solving a CAPTCHA, the victim is shown the following screen:

The Encryption of UIWIX

When it comes to encrypting files, UIWIX ransomware does not mess about. The virus looks for important user files while carefully skipping system folders such as:

  • %Windows%
  • %AppData%
  • %System32%
  • %Local%
  • %LocalLow%
  • %Roaming%

Beyond that, the following file types may be encrypted if your computer was infected by UIWIX ransomware:

  • Audio files.
  • Image file types.
  • Archives.
  • Virtual drive files.
  • Documents.
  • System image files.
  • Multiple video file types.
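Before starting removal, a responder wants the scope of the damage: how many files were renamed, which original types were hit, and where the ransom notes were dropped. The following added example (written for this page, not code from the original article or from the malware) builds a small constructed directory tree in a temporary folder and walks it, pruning the system folders listed above the way the article says the ransomware does, and reports the original file names. Since the page states that .UIWIX is appended to the name, stripping the suffix recovers the name but not the content; the tree layout and file names are invented for the example.

```python
import json
import os
import shutil
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".UIWIX"
RANSOM_NOTE = "_DECODE_FILES.txt"
# Folder names the article says the ransomware leaves alone; matched case-insensitively
# on each path component and pruned so os.walk never descends into them.
SKIPPED_DIRS = {"windows", "appdata", "system32", "local", "locallow", "roaming"}


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def scope_infection(root):
    """Walk `root`, skipping the system folders above, and summarise what was renamed."""
    encrypted, note_dirs, pruned = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:
            (pruned if d.lower() in SKIPPED_DIRS else keep).append(os.path.join(dirpath, d))
        dirnames[:] = [os.path.basename(k) for k in keep]  # in-place prune
        for f in filenames:
            if f == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif f.upper().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, f))
    originals = [p[:-len(ENCRYPTED_EXT)] for p in encrypted]  # name only; content stays encrypted
    by_ext = Counter(os.path.splitext(o)[1].lower() for o in originals)
    return {
        "encrypted_count": len(encrypted),
        "original_names": sorted(_rel(o, root) for o in originals),
        "by_extension": dict(by_ext),
        "note_dirs": sorted(_rel(d, root) for d in note_dirs),
        "skipped_dirs": sorted(_rel(d, root) for d in pruned),
    }


def build_sample_tree(base):
    """Constructed victim layout for the example: two renamed files with notes beside
    them, one untouched file, and two system folders that must be skipped."""
    files = {
        "Documents/report.docx.UIWIX": b"\x00\x17garbage",
        "Documents/_DECODE_FILES.txt": b">>> ALL YOUR PERSONAL FILES ARE DECODED <<<\n",
        "Documents/photos/holiday.jpg.UIWIX": b"\x00\x17garbage",
        "Documents/photos/_DECODE_FILES.txt": b">>> ALL YOUR PERSONAL FILES ARE DECODED <<<\n",
        "Documents/notes.txt": b"untouched\n",
        "Windows/System32/kernel32.dll": b"MZ",
        "AppData/Local/Temp/cache.dat": b"cache",
    }
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Create the sample tree in a temp dir, scope it, and clean up."""
    base = tempfile.mkdtemp(prefix="uiwix_scope_")
    try:
        build_sample_tree(base)
        return scope_infection(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pointing scope_infection() at a real user profile or file share gives the list of original names and extensions to hand to the recovery step, and the count of note directories shows how far the encryption run got before it was stopped.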

After UIWIX attacks your computer, the virus replaces blocks of data in the original files with encrypted data and generates a unique decryption key corresponding to that data. The key is only offered in exchange for a ransom of approximately 0.12 BTC, which is NOT ADVISABLE to pay: payment funds the operation and does not guarantee a working decryptor. After encryption, the files may appear like the following:

Remove UIWIX Ransomware and Restore .UIWIX Encrypted Files

To remove UIWIX ransomware, we strongly advise you to follow the removal instructions below. They are designed to remove the ransomware either manually or automatically. Malware researchers strongly recommend using an anti-malware program for the removal, since it will be complete and future protection is also ensured. Note that an anti-malware program can only be installed while not in Safe Mode, but you can later boot into Safe Mode for the removal process.

If you wish to restore your files after they have been encrypted with the added .UIWIX extension, you can try the alternative methods in step "2. Restore files encrypted by .UIWIX Ransomware" below. They are designed to help recover at least some of the encrypted data, but make sure to create copies of your files before using them.

Manually delete .UIWIX Ransomware from your computer

Note! Important warning about the .UIWIX Ransomware threat: manual removal of .UIWIX Ransomware requires interfering with system files and the registry, so it can damage your PC. If your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove .UIWIX Ransomware files and objects
2. Find malicious files created by .UIWIX Ransomware on your PC

Automatically remove .UIWIX Ransomware by downloading an advanced anti-malware program

1. Remove .UIWIX Ransomware with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by .UIWIX Ransomware
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

