Two new Matrix Ransomware variants were discovered this week by MalwareHunterTeam that are being installed through hacked Remote Desktop services. While both of these variants encrypt your computer's files, one is a bit more advanced with more debugging messages and the use of cipher to wipe free space.
Based on the debugging messages displayed by the ransomware when it is executed and the various reports in the BleepingComputer forums, this ransomware is currently being distributed to victims by the attackers brute forcing the passwords of Remote Desktop services connected directly to the Internet. Once the attackers gain access to a computer, they upload the installer and execute it.
There are currently two different Matrix variants being distributed. Both variants are being installed over hacked RDP, encrypt unmapped network shares, display status windows while encrypting, clear shadow volume copies, and encrypt the filenames. There are, though, some slight differences between the two variants, with the second one ([RestorFile@tutanota.com]) being a bit more advanced.
These differences are described below.
This variant, which is identified by the [Files4463@tuta.io] extension, is the less advanced one. When this variant is running, it will open both of the following windows at the same time to show the status of the infection. One window is for status messages regarding the encryption and the other is for information regarding network share scanning.
When files are encrypted, it will encrypt the filename and then append the [Files4463@tuta.io] extension to it. For example, test.jpg would be encrypted and renamed to something like 0ytN5eEX-RKllfjug.[Files4463@tuta.io].
This variant will also drop a ransom note named !ReadMe_To_Decrypt_Files!.rtf in each folder that it scans. This ransom note contains the Files4463@tuta.io, Files4463@protonmail.ch, and Files4463@gmail.com email addresses that are used to contact the attacker and make a ransom payment.
This variant will also change the desktop background to the following image.
Unfortunately, this variant of Matrix Ransomware cannot be decrypted for free.
The second variant is identified by its use of the [RestorFile@tutanota.com] extension.
While this variant operates in a similar fashion as the previous one, it is a bit more advanced as it has better debugging messages and utilizes the cipher command to overwrite all free space on the computer after the encryption is done. Furthermore, this variant utilizes different contact email addresses, a different extension, and a different ransom note name.
When this variant is running it will utilize the following windows that show the status of the infection. Notice that there is greater logging shown in this variant compared to the previous one.
When files are encrypted, it will encrypt the filename and then append the [RestorFile@tutanota.com] extension to it. For example, test.jpg would be encrypted and renamed to something like 0ytN5eEX-RKllfjug.[RestorFile@tutanota.com].
This variant will also drop a ransom note named #Decrypt_Files_ReadMe#.rtf in each folder that it scans. This ransom note contains the RestorFile@tutanota.com, RestoreFile@protonmail.com, and RestoreFile@qq.com email addresses that are used to contact the attacker and make a ransom payment.
It will also change the desktop background to the following image.
After this variant finishes encrypting the computer, it will execute the "cipher.exe /w:c" command in order to overwrite the free space on the C: drive. This is to prevent the victim from using file recovery tools to recover their files.
Unfortunately, like the previous variant, this one cannot be decrypted for free.
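As an added example that is not part of the original article, the following Python script turns the indicators described above (the two appended extensions, the two ransom note names, the cipher.exe /w command and the clearing of shadow copies) into simple host-based detections for file and process telemetry. The 8+8 character shape of the encrypted filename and the use of vssadmin for deleting shadow copies are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Indicators taken from the two variants described above.
MATRIX_EXTENSIONS = ("[Files4463@tuta.io]", "[RestorFile@tutanota.com]")
RANSOM_NOTES = ("!ReadMe_To_Decrypt_Files!.rtf", "#Decrypt_Files_ReadMe#.rtf")
# Encrypted names look like 0ytN5eEX-RKllfjug.[Files4463@tuta.io]; the 8-8
# alphanumeric shape is inferred from that single sample (assumption).
_ENC_NAME = re.compile(r"^[A-Za-z0-9]{8}-[A-Za-z0-9]{8}\.\[[^\]]+\]$")
# cipher.exe /w:<drive> is on the page; "vssadmin delete shadows" is the usual
# way shadow copies are cleared and is an assumption about how Matrix does it.
_CMD_RULES = (
    ("free_space_wipe", re.compile(r"\bcipher(\.exe)?\b.*\s/w:", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
)

def classify_path(path):
    """Return 'ransom_note', 'encrypted_file' or None for a Windows path."""
    name = ntpath.basename(path)
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name.endswith(MATRIX_EXTENSIONS) and _ENC_NAME.match(name):
        return "encrypted_file"
    return None

def classify_command_line(cmdline):
    """Return the anti-recovery rule a process command line matches, or None."""
    for label, rx in _CMD_RULES:
        if rx.search(cmdline):
            return label
    return None

def scan_events(events):
    """events: (kind, value) pairs with kind 'file' or 'process'; returns hits."""
    hits = []
    for kind, value in events:
        verdict = classify_path(value) if kind == "file" else classify_command_line(value)
        if verdict:
            hits.append((verdict, value))
    return hits

# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    ("file", r"C:\Users\alice\Docs\0ytN5eEX-RKllfjug.[Files4463@tuta.io]"),
    ("file", r"\\fileserver\share\#Decrypt_Files_ReadMe#.rtf"),
    ("file", r"C:\Users\alice\Docs\report.docx"),
    ("process", r"C:\Windows\System32\cipher.exe /w:c"),
    ("process", "vssadmin delete shadows /all /quiet"),
]
```

Running scan_events(SAMPLE_EVENTS) yields four hits; the unencrypted report.docx produces none, and a cipher.exe call without /w: (for example a plain EFS encryption) is not flagged.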
In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
As the Matrix Ransomware may be installed via hacked Remote Desktop services, it is very important to make sure it is locked down correctly. This includes making sure that no computers running Remote Desktop services are connected directly to the Internet. Instead, place computers running Remote Desktop behind a VPN so that they are only accessible to those who have VPN accounts on your network.
It is also important to set up proper account lockout policies so that it is difficult for accounts to be brute forced over Remote Desktop Services.
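As an added example not from the original article, this Python function flags the kind of RDP brute forcing described above by counting Windows Security event 4625 (failed logon) records with LogonType 10 (RemoteInteractive, i.e. RDP) per source address inside a sliding time window. The event records are constructed samples, and the threshold of five failures in ten minutes is an assumption to tune to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # 4625 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample of Windows Security event 4625 (failed logon) fields:
# (TimeCreated, LogonType, TargetUserName, IpAddress). Not real telemetry.
SAMPLE_FAILURES = [
    ("2018-04-10T02:14:05", 10, "administrator", "198.51.100.23"),
    ("2018-04-10T02:14:09", 10, "administrator", "198.51.100.23"),
    ("2018-04-10T02:14:14", 10, "admin", "198.51.100.23"),
    ("2018-04-10T02:14:20", 10, "backup", "198.51.100.23"),
    ("2018-04-10T02:14:27", 10, "backup", "198.51.100.23"),
    ("2018-04-10T02:16:41", 10, "administrator", "198.51.100.23"),
    ("2018-04-10T02:15:00", 3, "administrator", "198.51.100.23"),  # SMB, not RDP
    ("2018-04-10T08:02:11", 10, "alice", "10.0.0.5"),  # a user mistyping
    ("2018-04-10T09:10:45", 10, "alice", "10.0.0.5"),
]

def _parse(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed RDP logons inside `window`.

    Returns {ip: {"failures": total RDP failures, "accounts": [user, ...]}}
    for every flagged source; other logon types are ignored.
    """
    by_ip = defaultdict(list)
    for stamp, logon_type, user, ip in events:
        if logon_type == RDP_LOGON_TYPE:
            by_ip[ip].append((_parse(stamp), user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0  # left edge of the sliding window over sorted attempts
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(attempts),
                               "accounts": sorted({u for _, u in attempts})}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_FAILURES).items():
        print(f"{ip}: {info['failures']} failed RDP logons against {info['accounts']}")
```

In the constructed sample the source tries three accounts fewer than five times each, so a per-account lockout threshold of five would not have fired on its own; counting failures per source address complements the lockout policy rather than replacing it.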
You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
Variant 1: a26087bb88d654cd702f945e43d7feebd98cfc50531d2cdc0afa2b0437d25eea
Variant 2: 996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9
Text of the !ReadMe_To_Decrypt_Files!.rtf ransom note (the original mixes in Cyrillic look-alike letters, normalized here to Latin):

WHAT HAPPENED WITH YOUR FILES?

Your documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers. More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

It means that you will not be able to access them anymore until they are decrypted with your personal decryption key! Without your personal key and special software data recovery is impossible! If you will follow our instructions, we guarantee that you can decrypt all your files quickly and safely!

If you want to restore your files, please write us to the e-mails:
Files4463@tuta.io
Files4463@protonmail.ch
Files4463@gmail.com

In subject line of your message write your personal ID: 4292D68970C047D9

We recommend you to send your message ON EACH of OUR 3 EMAILS, due to the fact that the message may not reach their intended recipient for a variety of reasons! Please, write us in English or use professional translator!

If you want to restore your files, you have to pay for decryption in Bitcoins. The price depends on how fast you write to us. Your message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.

To confirm that we can decrypt your files you can send us up to 3 files for free decryption. Please note that files for free decryption must NOT contain any valuable information and their total size must be less than 5Mb.

You have to respond as soon as possible to ensure the restoration of your files, because we won't keep your decryption keys at our server more than one week in interest of our security. Note that all the attempts of decryption by yourself or using third party tools will result only in irrevocable loss of your data.

If you did not receive the answer from the aforecited emails for more than 6 hours, please check SPAM folder!
If you did not receive the answer from the aforecited emails for more than 12 hours, please try to send your message with another email service!
If you did not receive the answer from the aforecited emails for more than 24 hours (even if you have previously received answer from us), please try to send your message with another email service to each of our 3 emails!
And don't forget to check SPAM folder!
RestorFile@tutanota.com
RestoreFile@protonmail.com
RestoreFile@qq.com
Files4463@tuta.io
Files4463@protonmail.ch
Files4463@gmail.com