Malwarebytes security researcher Jérôme Segura discovered that Matrix Ransomware is now being distributed through the RIG exploit kit on sites that are displaying malvertisements.

The Matrix Ransomware was first released at the end of 2016 and we covered it back in April 2017. Since then, activity from the ransomware had slowly tapered off to only a few appearances here and there. It was therefore a surprise to find that this ransomware was being distributed again, let alone in exploit kit campaigns.

According to Segura, the Matrix Ransomware is being installed through exploit kits on sites displaying malvertising, which target vulnerabilities in Internet Explorer (CVE-2016-0189) and Flash (CVE-2015-8651). Both of these vulnerabilities rely on visitors using unpatched and outdated versions of Internet Explorer and Flash Player.

To become infected, a visitor simply needs to browse to a site that contains the malvertisements from a vulnerable computer; no further interaction is required. This is why it is so important that everyone regularly installs all available security updates for their installed programs and operating system.

Once infected, the current version of Matrix Ransomware will encrypt the files on the computer, scramble their file names, and append the .pyongyan001@yahoo.com extension to the file's scrambled name. You can see an example of an encrypted folder below.

Folder Encrypted by the Matrix Ransomware

During this process, the ransomware will also drop ransom notes named #_#WhatWrongWithMyFiles#_#.rtf in every folder where files were encrypted. Finally, it will display a ransom screen that provides information on what has happened to the files.
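As an added defender-side example (not from the article, nor code from Malwarebytes), the following Python script walks a directory tree and reports folders containing the ransom note name and files carrying the appended extension described above. The directory tree it builds is constructed for the demo, and the scrambled file name in it is made up.

```python
import os
import tempfile
from pathlib import Path

# Indicators as described in the article (the appended extension and the
# ransom note file name); this is not a complete indicator set.
MATRIX_EXTENSION = ".pyongyan001@yahoo.com"
MATRIX_NOTE_NAME = "#_#WhatWrongWithMyFiles#_#.rtf"


def scan_for_matrix(root):
    """Walk `root` and return the ransom notes and encrypted files found.

    Paths are returned relative to `root` using forward slashes so the
    result is stable across platforms.
    """
    root = Path(root)
    hits = {"notes": [], "encrypted": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if name == MATRIX_NOTE_NAME:
                hits["notes"].append(rel)
            elif name.endswith(MATRIX_EXTENSION):
                hits["encrypted"].append(rel)
    hits["notes"].sort()
    hits["encrypted"].sort()
    return hits


def build_sample_tree():
    """Create a constructed directory tree imitating an infected share.

    The scrambled name "aB3xQ9" is made up for the demo; only the
    extension and note name follow the article.
    """
    base = Path(tempfile.mkdtemp(prefix="matrix_demo_"))
    docs = base / "Documents"
    pics = base / "Pictures"
    docs.mkdir()
    pics.mkdir()
    (docs / ("aB3xQ9" + MATRIX_EXTENSION)).write_bytes(b"\x00" * 16)
    (docs / MATRIX_NOTE_NAME).write_text("ransom note placeholder")
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file
    return base


if __name__ == "__main__":
    result = scan_for_matrix(build_sample_tree())
    print("ransom notes:", result["notes"])
    print("encrypted files:", result["encrypted"])
```

Run it against a real share root instead of the sample tree to get a quick inventory of affected folders before restoring from backup.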

Matrix Ransom Screen

How to protect yourself from the Matrix Ransomware

To protect yourself from this threat, you should first make sure all of your Windows security updates and program updates are installed. This will prevent the exploit kits from installing Matrix Ransomware on your computer.

It is also important to use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that contains behavioral detections, such as Malwarebytes or Emsisoft Anti-Malware. If you are using Windows 10 with the Fall Creators Update installed, you can also use its Controlled Folder Access feature to protect important documents from being encrypted.

Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.


Update 10/27/17: We originally stated that the exploit kit was delivered through hacked sites, but it was actually delivered through malvertising.