Two new Matrix Ransomware variants were discovered this week by MalwareHunterTeam that are being installed through hacked Remote Desktop services. While both of these variants encrypt your computer's files, one is a bit more advanced with more debugging messages and the use of cipher to wipe free space.

Based on the debugging messages displayed by the ransomware when it is executed and the various reports in the BleepingComputer forums, this ransomware is currently being distributed to victims by the attackers brute forcing the passwords of Remote Desktop services connected directly to the Internet. Once the attackers gain access to a computer, they upload the installer and execute it.

Two different variants being distributed

Currently there are two different Matrix variants being distributed at this time. Both variants are being installed over hacked RDP, encrypt unmapped network shares, display status windows while encrypting, clear shadow volume copies, and encrypt the filenames. There are, though, some slight differences between the two variants, with the second one ([RestorFile@tutanota.com]) being a bit more advanced.

These differences are described below.

Variant 1:[Files4463@tuta.io]

This variant, which is identified by the [Files4463@tuta.io] extension, is the less advanced one.. When this variant is running it will open both of the following windows at the same time to show the status of the infection. One window is for status messages regarding the encryption and the other is for information regarding network share scanning.

Encrypting Screen
Encrypting Screen
Network Scanning Screen
Network Scanning Screen

When files are encrypted,  it will encrypt the filename and then append the [RestorFile@tutanota.com] extension to it. For example, test.jpg would be encrypted and renamed to something lie 0ytN5eEX-RKllfjug.[Files4463@tuta.io].

Folder of Encrypted Files
Folder of Encrypted Files

This variant will also drop ransom note named !ReadMe_To_Decrypt_Files!.rtf in each folder that is scanned. This ransom note contains the Files4463@tuta.io, Files4463@protonmail.ch, and Files4463@gmail.com email addresses that are used to contact the attacker and make a ransom payment. 

Ransom Note
Ransom Note

This variant will also change the desktop background to the following image.

Desktop Background
Desktop Background

Unfortunately, this variant of Matrix Ransomware cannot be decrypted for free.

Variant 2: [RestorFile@tutanota.com]

The second variant is identified by its use of the [RestorFile@tutanota.com] extension.

While this variant operates in a similar fashion as the previous one, it is a bit more advanced as it has better debugging messages and utilizes the cipher command to overwrite all free space on the computer after the encryption is done. Furthermore, this variant utilizes different contact email addresses, a different extension, and a different ransom note name.

When this variant is running it will utilize the following windows that show the status of the infection. Notice that there is greater logging shown in this variant compared to the previous one.

Encrypting Screen
Encrypting Screen
Network Scanning Screen
Network Scanning Screen

When files are encrypted, it will encrypt the filename and then append the [RestorFile@tutanota.com] extension to it. For example, test.jpg would be encrypted and renamed to something lie 0ytN5eEX-RKllfjug.[RestorFile@tutanota.com].

This variant will also drop ransom note named #Decrypt_Files_ReadMe#.rtf in each folder that is scanned. This ransom note contains the RestorFile@tutanota.com, RestoreFile@protonmail.com, and RestoreFile@qq.com email addresses that are used to contact the attacker and make a ransom payment. 

It will also change the desktop background to the following image.

Desktop Background
Desktop Background

After this variant finishes encrypting the computer, it will execute the "cipher.exe /w:c" command in order to overwrite the free space on the C: drive. This is to prevent the victim from using file recovery tools to recover their files. 

Cipher Command

Unfortunately, like the previous variant, this one cannot be decrypted for free.

How to protect yourself from the Matrix Ransomware

In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As the Matrix Ransomware may be installed via hacked Remote Desktop services, it is very important to make sure its locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

It is also important to setup proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics.  For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if your willing to stock with it, could have the biggest payoffs.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you visit our How to Protect and Harden a Computer against Ransomware article.

Related Articles:

The Week in Ransomware - September 14th 2018 - Kraken, Dharma, & Matrix

The Week in Ransomware - September 7th 2018 - Obama, Matrix, and More

New Fox Ransomware Matrix Variant Tries Its Best to Close All File Handles

Fallout Exploit Kit Pushing the SAVEfiles Ransomware

GandCrab V5 Released With Random Extensions and New HTML Ransom Note

IOCs

Hashes:

Variant 1: a26087bb88d654cd702f945e43d7feebd98cfc50531d2cdc0afa2b0437d25eea
Variant 2: 996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9

Associated Files:

#Decrypt_Files_ReadMe#.rtf
!ReadMe_To_Decrypt_Files!.rtf

Ransom Note Text:

WHAT HAPPENED WITH YOUR FILES?
Your documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
It mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!
If yоu wаnt tо rеstоrе yоur filеs, plеаsе writе us tо thе е-mаils:
Files4463@tuta.io
Files4463@protonmail.ch
Files4463@gmail.com
In subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:
4292D68970C047D9
Wе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!
Plеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!
If yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins. Thе pricе dереnds оn hоw fаst уоu writе tо us.
Your message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.
Tо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.
Yоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.
Nоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.

If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!
If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!
If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!
Аnd dоn't fоrgеt tо chеck SPАМ fоldеr!

Associated Email addresses:

RestorFile@tutanota.com,
RestoreFile@protonmail.com
RestoreFile@qq.com
Files4463@tuta.io
Files4463@protonmail.ch
Files4463@gmail.com