Malwarebytes security researcher Jérôme Segura discovered that Matrix Ransomware is now being distributed through the RIG exploit kit on sites that are displaying malvertisements.
The Matrix Ransomware was first released at the end of 2016 and we covered it back in April 2017. Since then its activity had slowly tapered off to only a few appearances here and there. It was therefore a surprise to find this ransomware being distributed again, let alone in exploit kit campaigns.
According to Segura, the Matrix Ransomware is being installed by the RIG exploit kit, which is served through malvertisements and targets an Internet Explorer vulnerability (CVE-2016-0189) and a Flash Player vulnerability (CVE-2015-8651). Both exploits only work against unpatched, outdated versions of Internet Explorer and Flash Player.
To become infected, a visitor simply needs to browse to a site displaying the malvertisements from a vulnerable computer; no further interaction is required. This is why it is so important that everyone regularly installs all available security updates for their installed programs and operating system.
Once infected, the current version of Matrix Ransomware will encrypt the files on the computer, scramble their file names, and append the .firstname.lastname@example.org extension to each file's scrambled name. You can see an example of an encrypted folder below.
During this process, the ransomware also drops ransom notes named #_#WhatWrongWithMyFiles#_#.rtf in every folder in which files were encrypted. Finally, it displays a ransom screen that explains what has happened to the files.
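As an added example, not part of the original article or of Segura's research: a small Python triage script that walks a directory tree and flags the two indicators named above, the ransom note filename and files renamed with an email-address-style extension. The extension shown above is treated as representative of the renamed-file pattern and matched with an email-shaped regular expression; that regex, the function names and the constructed sample tree are assumptions of this example, not artifacts from a real infection. The strongest signal it reports is a folder that holds both a note and renamed files, since the article says notes are dropped into the folders that were encrypted.

```python
"""Host-side triage for the Matrix indicators named in the article.

Added example, not code from the article or from Malwarebytes. The ransom
note name is taken from the article; the email-shaped extension regex and
the sample tree are assumptions made here for illustration.
"""
import os
import re
import tempfile
from collections import defaultdict

# Exact ransom note filename reported in the article.
RANSOM_NOTE_NAME = "#_#WhatWrongWithMyFiles#_#.rtf"

# Assumption: a renamed file ends in "<scrambled>.<email address>", as in the
# article's ".firstname.lastname@example.org" sample. Tune to the sample you hold.
EMAIL_EXT_RE = re.compile(r"\.[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def classify(filename):
    """Return 'note', 'encrypted' or None for a single file name."""
    if filename == RANSOM_NOTE_NAME:
        return "note"
    if EMAIL_EXT_RE.search(filename):
        return "encrypted"
    return None


def scan_tree(root):
    """Walk root and collect indicators.

    Returns the note paths, the renamed-file paths, and the directories that
    contain both a note and at least one renamed file (the high-confidence hits).
    """
    notes, encrypted = [], []
    per_dir = defaultdict(lambda: {"note": False, "encrypted": 0})
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            kind = classify(name)
            full = os.path.join(dirpath, name)
            if kind == "note":
                notes.append(full)
                per_dir[dirpath]["note"] = True
            elif kind == "encrypted":
                encrypted.append(full)
                per_dir[dirpath]["encrypted"] += 1
    confirmed = {d: v for d, v in per_dir.items() if v["note"] and v["encrypted"]}
    return {"notes": sorted(notes), "encrypted": sorted(encrypted), "confirmed_dirs": confirmed}


def build_sample_tree(root):
    """Constructed sample layout (not real malware output) for a dry run."""
    layout = {
        "Documents": [RANSOM_NOTE_NAME,
                      "Ud8Kq1z.firstname.lastname@example.org",
                      "x7Lp0Q.firstname.lastname@example.org"],
        "Pictures": [RANSOM_NOTE_NAME, "3Wd9n.firstname.lastname@example.org"],
        "Clean": ["report.docx", "notes.txt"],
        # A bare address with no leading dot is not the renamed-file shape.
        "Odd": ["someone@example.org"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("sample\n")
    return root


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    result = run_demo()
    print(f"ransom notes: {len(result['notes'])}")
    print(f"renamed files: {len(result['encrypted'])}")
    for d, v in result["confirmed_dirs"].items():
        print(f"  {d}: {v['encrypted']} renamed file(s) beside a note")
```

Point `scan_tree` at a user profile or a mapped share on a suspect host; the `confirmed_dirs` entries tell you which folders the encryption actually reached, which is what you need when deciding what to restore from backup.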
To protect yourself from this threat, you should first make sure all of your Windows security updates and program updates are installed. This removes the vulnerabilities the exploit kit relies on to install Matrix Ransomware on your computer.
It is also important to use good computing habits and security software. First and foremost, you should always have a reliable, tested backup of your data that can be restored in an emergency such as a ransomware attack.
You should also run security software with behavioral detection, such as Malwarebytes or Emsisoft Anti-Malware. If you are using Windows 10 with the Fall Creators Update installed, you can also turn on Windows Defender's Controlled Folder Access feature to protect important documents from being encrypted.
Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
Update 10/27/17: We originally stated that the exploit kit was being served through hacked sites, but it was actually served through malvertising.