A ransomware variant, dubbed Uiwix, that abuses the same vulnerability as WannaCrypt has turned out to be something of a damp squib.
Uiwix omits the kill switch domain that was instrumental in shutting down the spread of WannaCrypt while retaining its self-replicating abilities, Danish security firm Heimdal Security warned on Sunday.
Heimdal Security initially claimed the worm could be bigger than WannaCrypt, an assertion criticised by security researchers as over the top. It turns out there has only ever been one confirmed sighting of Uiwix in the wild.
Subsequent analysis by security researchers suggests that the malware is a hand-cranked nasty incapable of spreading and without wormable functionality, contrary to our initial report on Monday.
Security researcher Kevin Beaumont told El Reg: "[I] saw a box infected via SMB. It had no forward spread. Probably manual exploit. Only one sample, looked well overblown."
In response to queries from El Reg, Heimdal Security said: "We can corroborate that Uiwix uses SMB to spread, but without the worm. We only spotted it in the wild once, which is why we're trying to gather more data to evaluate its capabilities and potential impact."
Beaumont disputed even this assessment: "This one is being hyped. I looked at it - not an SMB worm. Somebody is running the exploit manually and infecting internet-connected systems."
Another researcher, who uses the Twitter handle "benkow_" and was cited in Heimdal's initial advisory, also said the malware wasn't capable of spreading as a worm, disputing Heimdal's initial rating of its potential seriousness.
No samples of the nasty have been shared among security researchers, much to the frustration of some. "Hash or it didn't happen. Been searching for a sample for weeks. You can't claim it's SMB exploiting without a sample," said self-styled ransomware hunter Michael Gillespie.
Heimdal Security has downgraded its warning. Its alert is now entitled "Uiwix Ransomware Spotted in the Wild, Could Add to WannaCry Damage", compared to the original "Uiwix Ransomware Is Here And It Can Be Worse Than WannaCry".
The Danish security firm's security evangelist Andra Zaharia explained its thinking. "Our researchers have spotted the Uiwix sample in the wild and, as a consequence, we felt the responsible thing to do is to alert users that this strain is in circulation, so they can take preemptive measures," Zaharia told El Reg. "Our efforts to obtain and fully analyze a sample after an attack have not been successful." ®