
Matrix Ransomware Help & Support Topic (readme-matrix.rtf)


20 replies to this topic

#1 DRC_VietNam

  • Members
  • 8 posts
  • Gender:Male

Posted 06 March 2017 - 09:29 AM

Dear analyst team:

Here are the images and the ransom notification, but when I checked, the ID was not found:

Files encrypted with .Matrix.

https://drive.google.com/drive/folders/0B-tNtO2H-yL0azl6bjdyV3J6QlU?usp=sharing

Thanks


Edited by DRC_VietNam, 06 March 2017 - 09:33 AM.



#2 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 06 March 2017 - 10:52 AM

Hi,

 

Do you have the executable which caused this?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 DRC_VietNam
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male

Posted 06 March 2017 - 11:01 AM

My friend was infected when downloading a file, not porn, just an origami paper.



#4 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 06 March 2017 - 11:04 AM

My friend was infected when downloading a file, not porn, just an origami paper.

Do you still have that? To do anything, we will need the malware file.

 

xXToffeeXx~




#5 DRC_VietNam
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male

Posted 06 March 2017 - 11:15 AM

I didn't find the sample :(



#6 DRC_VietNam
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male

Posted 06 March 2017 - 11:24 AM

But I have this environment of another ransomware that does not match in ID Ransomware; the cloned disk is 63.5 GB for forensics: https://drive.google.com/file/d/0B-tNtO2H-yL0VHlNS1NSSjhBVU0/view?usp=sharing

I'm trying to upload it, but it's too large.



#7 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 06 March 2017 - 03:06 PM

But I have this environment of another ransomware that does not match in ID Ransomware; the cloned disk is 63.5 GB for forensics: https://drive.google.com/file/d/0B-tNtO2H-yL0VHlNS1NSSjhBVU0/view?usp=sharing

I'm trying to upload it, but it's too large.

We just got a sample of this, and we are looking into this.

 

xXToffeeXx~




#8 Sabila

  • Members
  • 4 posts
  • Gender:Female

Posted 14 March 2017 - 08:50 PM

Hello bleeping computer,
 
Over the past 3 weeks, I have been using my internet connection continuously (almost 24 hours a day) without a particularly good antivirus software. And this morning (7:30 AM GMT+7) I found a suspicious file named readme-matrix.rtf among my Word files. The .rtf type is also hitting the JPEG and PDF types. I am really confused about this matter, as I have never seen this kind of problem before. I came to you to ask for help and would appreciate it if you could give some advice.
 
 
I tried to open the readme-matrix.rtf file (Word file) and it has some message inside. In addition, I tried asking for help at https://id-ransomware.malwarehunterteam.com/identify.php?case=e03a92d8e2cbab363771c1657ef89889d20931cc but it is still under analysis.
 
This is the message from readme-matrix.rtf. Should I send the following codes from this message to the sender? Or will something happen if I don't?
 
Аttеntiоn! Аll yоur filеs are еnсryрtеd with RSА-2048 аlgоrithm.
Withоut уоur pеrsоnаl dесrуptiоn kеy dаtа rеcоvеrу is impоssiblе!
Tо gеt yоur uniquе kеy аnd dесrурt thе filеs, Yоu hаvе to sеnd thе fоllоwing cоdе:
ZagbZgfnmMkLLn0z-057E734831F649BD
tо оur е-mаil аddrеss: thematrixhasyou9643@yahoo.com
Thеn Yоu will rеciеvе аll nеcеssаry instruсtiоns.
Hurrу uр! Yоu hаvе оnlу 96 hоurs tо rеcоvеr yоur dаtа! Аftеr this timе yоur uniquе dесrурtiоn kеy will bе dеlеtеd аnd filе dесrурtiоn will bеcоmе imроssiblе!
Аll thе аttеmpts оf dесryptiоn by yоursеlf will rеsult оnly in irrеvосаble lоss оf yоur dаtа.
If yоu still wаnt tо try tо dеcrypt thеm by yоursеlf plеаsе mаkе а bаckup аt first bеcаusе thе dесryptiоn will bеcоmе impоssiblе in cаsе оf аny chаngеs insidе thе filеs.
If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаil fоr mоrе then 24 hours (аnd оnly in this cаsе!), usе thе rеsеrvе е-mаil аddrеss:
cremreihanob1979@yandex.ru

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum. ~ Animal

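The note quoted in the post above is not plain English text: many of the letters are Cyrillic look-alikes (the "А" in "Аttеntiоn", the "о" in "yоur", the "А" in "RSА-2048"), which is why a simple search for "RSA-2048" or "encrypted" over the .rtf finds nothing and why some ID-matching rules fail on it. The script below is an added example written for this thread; it is not code from the forum, from ID Ransomware or from Emsisoft. The sample text is copied from the note as quoted above, the confusables table is a hand-picked subset of look-alike code points (an assumption, not a complete list), and the victim-ID pattern (16 alphanumerics, a dash, 16 upper-case hex digits) is inferred from the single ID shown in the note.

```python
"""Homoglyph-aware triage of a ransom note (added example, not forum code).

Flags words that mix Latin and Cyrillic letters, folds the look-alike
code points back to ASCII, and only then extracts the victim ID and the
contact addresses, so the substitution cannot break a keyword or regex.
"""
import re
import unicodedata

# Constructed sample: lines copied from the readme-matrix.rtf note
# quoted in the post above (homoglyphs preserved as posted).
RANSOM_NOTE = (
    "Аttеntiоn! Аll yоur filеs are еnсryрtеd with RSА-2048 аlgоrithm.\n"
    "Withоut уоur pеrsоnаl dесrуptiоn kеy dаtа rеcоvеrу is impоssiblе!\n"
    "Tо gеt yоur uniquе kеy аnd dесrурt thе filеs, Yоu hаvе to sеnd thе fоllоwing cоdе:\n"
    "ZagbZgfnmMkLLn0z-057E734831F649BD\n"
    "tо оur е-mаil аddrеss: thematrixhasyou9643@yahoo.com\n"
    "cremreihanob1979@yandex.ru\n"
)

# Hand-picked look-alike code points (assumption: a subset, not the full
# Unicode confusables list). Keys are escapes so the table cannot itself
# be mis-typed with a homoglyph.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u043a": "k", "\u0475": "v", "\u051b": "q",
    "\u051d": "w",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0423": "Y", "\u0425": "X", "\u0406": "I", "\u0408": "J", "\u0405": "S",
    "\u0261": "g", "\u0131": "i",
}

KEYWORDS = ("RSA-2048", "encrypted", "decryption key")


def is_cyrillic(ch):
    return unicodedata.name(ch, "").startswith("CYRILLIC")


def mixed_script_words(text):
    """Words containing both ASCII Latin and Cyrillic letters.

    Ordinary text in either language never produces such words, so any
    hit is a strong signal of deliberate homoglyph substitution."""
    flagged = []
    for word in re.findall(r"\w+", text):
        has_cyr = any(is_cyrillic(c) for c in word)
        has_lat = any(c.isascii() and c.isalpha() for c in word)
        if has_cyr and has_lat:
            flagged.append(word)
    return flagged


def normalize_homoglyphs(text):
    """Fold look-alike code points back to ASCII; everything else is kept."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def keyword_hits(text, keywords=KEYWORDS):
    """Case-insensitive substring match, as a simple detection rule would do."""
    lowered = text.lower()
    return [k for k in keywords if k.lower() in lowered]


def extract_iocs(text):
    """Victim ID (16 alnum, dash, 16 hex; pattern inferred from the note)
    and e-mail addresses, taken from the normalized text."""
    clean = normalize_homoglyphs(text)
    return {
        "victim_ids": re.findall(r"\b[A-Za-z0-9]{16}-[0-9A-F]{16}\b", clean),
        "emails": re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", clean),
    }


if __name__ == "__main__":
    print("mixed-script words:", len(mixed_script_words(RANSOM_NOTE)))
    print("hits on raw note:  ", keyword_hits(RANSOM_NOTE))
    print("hits after folding:", keyword_hits(normalize_homoglyphs(RANSOM_NOTE)))
    print(extract_iocs(RANSOM_NOTE))
```

Run on the raw note, keyword_hits returns nothing; after normalize_homoglyphs all three keywords match, and the victim ID and both contact addresses come out cleanly. If you paste a note into a lookup service and get "not found", check first whether the text is mixed-script: that is the failure mode this note was built to trigger.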
#9 al1963

  • Members
  • 839 posts

Posted 14 March 2017 - 09:52 PM

Matrix ransomware uses GnuPG for encrypting files.

 

https://mobile.twitter.com/rommeljoven17/status/804251901529231360



#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,942 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 March 2017 - 05:36 AM


Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will help our crypto malware experts with analysis and investigation.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 Adeeelnv

  • Members
  • 4 posts

Posted 15 March 2017 - 09:16 PM

I have a customer (I'm a computer technician) who just got this same ransomware; even the email addresses are the same.

I made a new email address and sent the code just to see what happens.



#12 Adeeelnv

  • Members
  • 4 posts

Posted 16 March 2017 - 12:29 AM

I got an email back

 

 
We encrypt you files with strong RSA-2048 algoritm
You need key for decrypt
The cost of decryptor is 300$ today and 500 later
After 96 hours your key will be auto-deleted so hurry up!!
 
I won't be paying. I just wanted to see what they would say.


#13 Sabila

  • Members
  • 4 posts
  • Gender:Female

Posted 16 March 2017 - 04:42 AM

Yes, they've said the same to me. They say "strong RSA-2048 algoritm"; is it possible to get my files back after 96 hours?



#14 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,942 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 March 2017 - 05:32 AM

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Some victims reported they paid the ransom but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Still others have reported paying the ransom only to discover the criminals wanted more money or threatened to expose data unless additional payment was made. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

Keep all this in mind if you are considering paying the ransom, since there is never a guarantee that decryption will be successful or that the decryptor provided by the cyber-criminals will work as they claim...and using a faulty or incorrect decryptor may damage or corrupt the files even further. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place?

#15 matthew9871

  • Members
  • 4 posts

Posted 18 March 2017 - 11:01 PM

Hello,

 

I have just been infected with the .matrix extension ransomware. I need immediate help. I see this is a new strain and no decryption is available yet. How do I stop it from spreading? I need to save my current files that are not encrypted yet. Do I boot in safe mode and use a USB stick to transfer the files that aren't infected? Someone must have copied infected files to the server's drive (Windows Storage Server 2012). Please advise.






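Before moving anything off the server, it helps to know which shares were touched, how far the encryption got, and over what time window it ran, because that points at the host and account doing the writing. The script below is an added example written for this thread, not code from the forum or from any vendor. It assumes only what the thread reports: encrypted files carry a .matrix extension and each affected folder receives readme-matrix.rtf. The "original.ext.matrix" naming in the demo tree is an assumption, and the demo tree itself is constructed, not real victim data. Run it from a clean machine against a read-only mount after the infected workstations have been disconnected; it only reads directory listings and modification times and never opens or modifies victim files.

```python
"""Read-only scoping of a share hit by .matrix ransomware (added example).

Counts encrypted files and ransom notes per top-level folder and reports
the mtime window of the encrypted files, which approximates when the
encryption ran. Nothing under the scanned root is opened or written.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".matrix"         # extension reported in this thread
NOTE_NAME = "readme-matrix.rtf"   # ransom note name reported in this thread


def scan_tree(root):
    """Walk root and summarise what was hit, where, and when."""
    root = os.path.abspath(root)
    summary = {
        "encrypted": 0, "notes": 0, "clean_files": 0,
        "per_dir": Counter(),   # encrypted files per top-level folder
        "note_dirs": [],        # folders that received a ransom note
        "first_mtime": None,    # earliest / latest encrypted-file mtime
        "last_mtime": None,
    }
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME:
                summary["notes"] += 1
                summary["note_dirs"].append(rel)
            elif lower.endswith(ENCRYPTED_EXT):
                summary["encrypted"] += 1
                summary["per_dir"][top] += 1
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                if summary["first_mtime"] is None or mtime < summary["first_mtime"]:
                    summary["first_mtime"] = mtime
                if summary["last_mtime"] is None or mtime > summary["last_mtime"]:
                    summary["last_mtime"] = mtime
            else:
                summary["clean_files"] += 1
    summary["note_dirs"].sort()
    return summary


def report(summary):
    """Plain-text report for the incident notes."""
    def fmt(t):
        return "n/a" if t is None else datetime.fromtimestamp(t, timezone.utc).isoformat()
    lines = [
        f"encrypted files : {summary['encrypted']}",
        f"ransom notes    : {summary['notes']} in {', '.join(summary['note_dirs']) or 'none'}",
        f"untouched files : {summary['clean_files']}",
        f"encryption ran  : {fmt(summary['first_mtime'])} .. {fmt(summary['last_mtime'])}",
    ]
    for folder, count in summary["per_dir"].most_common():
        lines.append(f"  {folder}: {count} encrypted")
    return "\n".join(lines)


def build_demo_tree(base):
    """Constructed sample share; 'original.ext.matrix' naming is an assumption."""
    t0 = 1489500000  # arbitrary epoch seconds in March 2017
    layout = {
        "Finance/budget.xlsx.matrix": t0,
        "Finance/readme-matrix.rtf": t0 + 5,
        "HR/contract.pdf.matrix": t0 + 600,
        "HR/photo.jpg.matrix": t0 + 610,
        "HR/readme-matrix.rtf": t0 + 615,
        "Public/notes.txt": t0 - 86400,   # untouched file, older mtime
    }
    for rel, mtime in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"demo")
        os.utime(path, (mtime, mtime))
    return t0


def demo():
    """Build the sample tree in a temp dir, scan it, return (t0, summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        t0 = build_demo_tree(tmp)
        return t0, scan_tree(tmp)


if __name__ == "__main__":
    _, result = demo()
    print(report(result))
```

Point scan_tree at the mounted share instead of the demo tree to get the real picture. Folders with no note and no .matrix files are the ones worth copying out first; the mtime window, compared against the file server's audit or SMB logs for the same minutes, narrows down which client session was writing.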