
Matrix Ransomware

Posted: April 4, 2018

The Matrix Ransomware (a separate threat from the AES-Matrix Ransomware, which delivers similar attacks) is a file-locking Trojan that asks for ransoms after encrypting files that aren't critical to the operating system, such as documents. Because the Matrix Ransomware encrypts in ways that aren't always reversible, users without backups may have no free options for recovering from this data loss. However, traditional anti-malware technology can detect and remove the Matrix Ransomware beforehand, as well as disinfect your PC afterward.

Another Developing Environment for File-Based Extortion

The sharp rise of Ransomware-as-a-Service families and open-source Trojans doesn't necessarily hinder the periodic development of stand-alone threats that wield the same kinds of attacks. One of the newest independent file-locking threats that malware analysts are seeing samples of is the Matrix Ransomware, which is arriving in centralized sample databases in at least two versions. Its authors are, as usual, soliciting ransom payments after locking their victims' files, with a growing focus on providing communication infrastructure for the negotiations.

Both variants of the Matrix Ransomware are under four hundred kilobytes and use UPX-based packing to hide the harmful nature of their code. Although their small size makes them suitable for drive-by-download delivery, malware experts can't confirm any infection strategies currently in use. The two Trojans also share the following features:

  • The Matrix Ransomware employs a file-encrypting feature that blocks common formats, such as Word's '.DOC' documents. These files also may have their names edited further, such as by adding an extension or a tag displaying an e-mail address or client ID.
  • The Matrix Ransomware uses the CMD console to issue various commands to Windows, such as erasing the Shadow Copy backups. Early builds of the Matrix Ransomware meant for debugging purposes may not conceal this window from the user, although, ordinarily, the Trojan loads it without a visible UI.
  • The Trojan also generates messages with ransoming instructions for its victims, which it displays in local Web pages. The oldest version of the Matrix Ransomware provides e-mail addresses and ID numbers for the victim's use but doesn't specify the ransom amount or type of currency. The newest release also includes anonymous instant messaging support via Bitmessage.
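The Shadow Copy deletion described in the list above is one of the more dependable detection points for this family: whatever the packer hides, the command still has to show up in a process-creation event. The following Python script is an added example, not code from the original page or from the Matrix Ransomware samples themselves. It parses a constructed key=value process-creation log (this layout is an assumption for the example, not any real EDR or Sysmon export format) and flags the standard Windows command lines that delete Volume Shadow Copies, while ignoring benign uses of the same tools such as listing existing copies. The page says Matrix erases Shadow Copies through CMD but does not quote the exact command, so the two rules cover the usual ways of doing it.

```python
import re

# Constructed process-creation events in a simple key=value form. This layout is an
# assumption for the example, not any real EDR or Sysmon export format.
SAMPLE_EVENTS = [
    'time=2018-04-04T10:12:01Z host=WS01 image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c dir C:\\Users\\alice"',
    'time=2018-04-04T10:12:04Z host=WS01 image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"',
    'time=2018-04-04T10:12:05Z host=WS01 image="C:\\Windows\\System32\\wbem\\WMIC.exe" cmdline="wmic shadowcopy delete"',
    'time=2018-04-04T10:12:09Z host=WS01 image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin list shadows"',
]

# key=value pairs; a value may be double-quoted when it contains spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command lines that remove Volume Shadow Copies. These are the standard ways of doing it
# on Windows; the page says Matrix erases Shadow Copies via CMD but does not quote the command.
SHADOW_COPY_DELETION_RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE)),
]


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def detect_shadow_copy_deletion(lines):
    """Return one finding per event whose command line deletes Shadow Copies.
    Benign uses of the same tools (e.g. 'vssadmin list shadows') produce no finding."""
    findings = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("cmdline", "")
        for rule_name, pattern in SHADOW_COPY_DELETION_RULES:
            if pattern.search(cmdline):
                findings.append({
                    "time": event.get("time", ""),
                    "host": event.get("host", ""),
                    "image": event.get("image", ""),
                    "rule": rule_name,
                    "cmdline": cmdline,
                })
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} [{f['rule']}] {f['image']} :: {f['cmdline']}")
```

Run against the constructed events, the script reports the two deletion commands and stays quiet on the directory listing and on `vssadmin list shadows`; the same rules apply to any export that records the full command line, which is the field worth collecting if your logging does not already.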

Pulling Yourself out of the Matrix without Paying the Price

Any victims of the Matrix Ransomware's attacks have two options for restoring their files without charge: contacting established cyber-security organizations to investigate a direct decryption solution, or reverting to their latest backups. Because locally-stored backups, and especially Windows' default Shadow Copies, are vulnerable to deletion by the Trojan, malware experts advise keeping backup media on a separate device, such as a USB drive. Decryption isn't always possible, but paying the ransom also may result in the loss of money without any benefit to the victim.

File-locker Trojans' campaigns often use RDP exploits, fake e-mail attachments, or brute-force attacks against network logins in their early stages. Changing your passwords to secure ones, disabling scripts and macros, and using active anti-malware protection can eliminate the majority of the relevant infection strategies. Although the Matrix Ransomware does attempt to obfuscate its identity with a code packer, many anti-malware programs detect and remove the Matrix Ransomware successfully, and users should consider them the preferred disinfection method.

Malware researchers are estimating that the Matrix Ransomware's campaign is very young and may experience other developments beyond the ones cited here. However, one thing will never change: paying a ransom to cover up for not backing up your work or protecting your PC is a frivolous expense.

Update November 14th, 2018 — Matrix-FASTA Ransomware

The Matrix-FASTA Ransomware is a part of the AES-Matrix Ransomware family of file-locking Trojans. Its attacks, which operate on the Ransomware-as-a-Service model, are administered by other threat actors who pay upfront fees or split the ransoms with the criminals handling the software's maintenance. Backing up media to other devices and drives will help with preserving it from these attacks, although, before restoring your files, you should remove the Matrix-FASTA Ransomware with a trusted brand of anti-malware solution.

South America Gets Included in the File-Ransoming Game

A new member of the AES-Matrix Ransomware family is bringing RaaS attacks to Brazilians and, potentially, the rest of the world. New versions of the family, such as the Matrix-EMAN Ransomware, the Matrix-ITLOCK Ransomware, the Matrix-NEWRAR Ransomware, and the Matrix-NOBAD Ransomware, have been showing activity throughout the year. However, the Matrix-FASTA Ransomware is the first entry that malware experts can confirm for November.

After its introduction to a vulnerable PC (typically, a business server with brute-force-vulnerable logins), the Matrix-FASTA Ransomware and other AES-Matrix Ransomware members will begin encrypting media files. They also establish a C&C connection for reporting the infection and related status information to the threat actor. As usual, these encrypted files will not open until they are decrypted and converted back to their original data formats. Identifying the content that the Matrix-FASTA Ransomware locks may be harder than usual, because the Trojan renames each file with an additional encoded segment, a bracketed e-mail address and a 'FASTA' extension.

Besides the different extension, the Matrix-FASTA Ransomware's payload is similar to that of other AES-Matrix Ransomware family members. It may change the desktop's wallpaper to a custom message, use a scheduled task to disable various security and repair features, and create RTF documents with its ransoming demands. There is no way of unlocking the files that the Matrix-FASTA Ransomware blocks for free, and malware researchers recommend keeping backups elsewhere so that decryption is never necessary.

Being Faster than the Next Attack from the RaaS Sector

One of the characteristics of the AES-Matrix Ransomware family is the frequent visibility of a UI window while its encryption routine runs. However, this 'benefit' to the victim isn't likely to be significant, since threat actors run the Matrix-FASTA Ransomware after gaining manual access to the system. Malware researchers regularly see brute-force and Remote Desktop-based attacks in the initial stages of infections, which take advantage of logins with low-effort passwords.

Along with securing your login credentials, you also can protect your PC from the Matrix-FASTA Ransomware's attacks by saving backups on other storage media and scanning downloads, especially e-mail attachments that may hold disguised installers for file-locking Trojans. The Ransomware-as-a-Service industry often uses some degree of social engineering that targets specific employees at vulnerable companies. The usual, reputable anti-malware programs can remove the Matrix-FASTA Ransomware after infection and should detect and block most of its installation exploits.

As long as this group of Trojans remains financially viable to market, attacks that lock down the contents of entire servers are inevitable. Making sure that a ransom is never your best way out of a Matrix-FASTA Ransomware infection is the surest way of stopping more of its relatives from appearing, in South America or elsewhere.

Update October 22nd, 2018 — Matrix-GMPF Ransomware

The Matrix-GMPF Ransomware uses the same file-encryption method as the original Matrix Ransomware project. Unfortunately, this means that the victims of the Matrix-GMPF Ransomware will not be able to get their files back for free, and the only data recovery option is the one offered by the attackers, who might demand a lot of money for their services.

Getting infected by the Matrix-GMPF Ransomware usually happens when victims are tricked into opening an email attachment that appears harmless but is meant to execute a macro script, which downloads the Matrix-GMPF Ransomware’s payload and begins the attack. When the Matrix-GMPF Ransomware is activated, it may need just a few minutes to complete the file-encryption attack and fill the victim’s hard drive with encrypted documents, images, videos, archives, databases and other files. All files that the Matrix-GMPF Ransomware locks will have their names changed to ‘[GetMyPass@qq.com].<8 random chars-8 random chars>.GMPF.’

Of course, the Matrix-GMPF Ransomware will not end its attack without providing the victim with a ransom message that tells them how to get their files back. The issue is that these instructions are not free, and the attackers demand a certain amount of Bitcoin in exchange for their decryptor. Trusting cybercriminals like the ones behind the Matrix-GMPF Ransomware is a horrible idea, because they may easily trick you out of your money. Instead of trying to negotiate with crooks, we suggest that you take matters into your own hands by using a trustworthy and up-to-date anti-virus scanner to get rid of the Matrix-GMPF Ransomware’s files.

When you have eliminated all of the Matrix-GMPF Ransomware’s files successfully, you can proceed to use reputable data recovery software, which might be able to restore some of your files to normal.

Update December 20th, 2018 — Matrix-PRCP Ransomware

The list of ransomware related to the Matrix Ransomware family keeps expanding every month, and the next entry is called the Matrix-PRCP Ransomware. This file-locker has proven impossible to decrypt via free means, so its victims are left with unreliable options: pay the authors of the Matrix-PRCP Ransomware for a decryptor, or look into alternative data recovery methods. We would not recommend the first option, since sending money to cybercrooks is a terrible idea that might easily cost you hundreds of dollars.

When the Matrix-PRCP Ransomware attacks a computer, it might encrypt files, generate a ransom note and wipe out the Shadow Volume Copies. All the files that the Matrix-PRCP Ransomware locks will have their names changed by using the pattern ‘[radrigoman@protonmail.com].-.PRCP.’ The ransom message is dropped in the file ‘#README_PRCP#.txt,’ which tells the victims to contact the attackers if they wish to get their files back.

Users are likely to become the targets of the Matrix-PRCP Ransomware when they receive a fake email message that is made to look legitimate. Often, the email in question contains a file attachment that is supposedly important but, in reality, is a macro-laced document meant to download and execute the Matrix-PRCP Ransomware’s payload. The only guaranteed way to protect your computer from the Matrix-PRCP Ransomware’s attack is to use a trustworthy anti-virus program that will identify harmful applications and stop their execution immediately.

If the Matrix-PRCP Ransomware’s attack has taken place already, then the users should be prepared for a difficult recovery that might not always end successfully. Due to the lack of a decryptor, it is not possible to fully restore files locked by the Matrix-PRCP Ransomware, unless you use a backup copy to recover the data. Do not forget that before attempting to restore any files, you should take the required steps to eliminate the Matrix-PRCP Ransomware’s files with the help of a trustworthy security tool.

Update January 16th, 2019 — Matrix-GRHAN Ransomware

The expansion of the Matrix Ransomware family continues rapidly with the introduction of the Matrix-GRHAN Ransomware – a file-locker, which uses the same file-encryption routine as all other members of this family. Unfortunately, this means that the victims of the Matrix-GRHAN Ransomware will be unable to rely on free decryption software, and they would only be able to restore their files securely if they have the habit of making regular backups of their data.

When the Matrix-GRHAN Ransomware is initialized on a computer, it may begin the file-encryption process immediately, which may take a couple of minutes to complete. During this time, the Matrix-GRHAN Ransomware’s encryption module scans the file system for suitable files and encrypts their contents using a unique key generated for every victim. Unfortunately, this key is then stored on the attacker's Command & Control server, and it is required for the decryption of the files.

The files locked by the Matrix-GRHAN Ransomware can be recognized by the changes made to their names – this file-locker renames the files by using the pattern ‘[greenelephan@qq.com]..GRHAN.’ Another trait of the Matrix-GRHAN Ransomware’s attack is the presence of a ransom note, ‘!README_GRHAN!.rtf.’

It is no surprise that the authors of the Matrix-GRHAN Ransomware carry out these attacks because they expect to be paid in exchange for their decryptor. However, we would not advise you to trust cybercriminals who may easily take your money without delivering a working decryptor. Victims of the Matrix-GRHAN Ransomware should remove the harmful program with the assistance of a trustworthy anti-virus program that will ensure the immediate removal of all files linked to the file-locker. After this step is complete, they should proceed to try and recover their files either from a backup or by using credible data recovery tools.
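The renaming conventions quoted above for the GMPF, PRCP and GRHAN variants (and the FASTA description earlier), together with the ransom-note file names, are the quickest way to confirm which family member hit a share during triage. The scanner below is an added example, not part of the original page or of any vendor's tooling: it classifies file names by the bracketed contact address, the encoded middle segment and the variant extension, and separately picks out README-style ransom notes. The page elides the middle segment for the PRCP and GRHAN names, so the regex matches that part loosely instead of assuming a fixed shape. The contact addresses and extensions come from the page; the sample listing, its middle segments and paths are constructed, and `scan_directory` is a hypothetical helper for running the same check over a real tree.

```python
import os
import re
from collections import Counter

# Variant extensions named on the page. The family keeps adding members, so treat this as
# a starting list rather than a complete one.
MATRIX_EXTENSIONS = ("GMPF", "PRCP", "GRHAN", "FASTA")
_EXT_ALT = "|".join(MATRIX_EXTENSIONS)

# Locked file: "[contact-address]." + encoded segment (matched loosely; the page elides it
# for some variants) + "." + variant extension, e.g. "[GetMyPass@qq.com].XXXXXXXX-XXXXXXXX.GMPF".
LOCKED_FILE_RE = re.compile(
    r"^\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.(?P<middle>.*)\.(?P<variant>" + _EXT_ALT + r")$"
)

# Ransom notes seen on the page: '#README_PRCP#.txt' and '!README_GRHAN!.rtf'.
RANSOM_NOTE_RE = re.compile(
    r"^[#!]?README_(?P<variant>" + _EXT_ALT + r")[#!]?\.(?:txt|rtf)$", re.IGNORECASE
)


def scan_filenames(names):
    """Classify file names (full paths or bare names) and return a summary dict:
    per-variant counts of locked files, the contact addresses embedded in them,
    and the ransom notes found."""
    locked = Counter()
    contacts = set()
    notes = []
    for name in names:
        base = name.replace("\\", "/").rsplit("/", 1)[-1]  # basename for Windows or POSIX paths
        m = LOCKED_FILE_RE.match(base)
        if m:
            locked[m.group("variant")] += 1
            contacts.add(m.group("contact"))
            continue
        if RANSOM_NOTE_RE.match(base):
            notes.append(base)
    return {"locked": dict(locked), "contacts": sorted(contacts), "notes": notes}


def scan_directory(root):
    """Hypothetical helper: walk a real directory tree and run the same classification."""
    names = []
    for dirpath, _dirs, files in os.walk(root):
        names.extend(os.path.join(dirpath, f) for f in files)
    return scan_filenames(names)


# Constructed listing: contact addresses and extensions are from the page, the middle
# segments and paths are made up for the example.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\[GetMyPass@qq.com].Ab12Cd34-Ef56Gh78.GMPF",
    r"C:\Users\alice\Documents\[GetMyPass@qq.com].Ij90Kl12-Mn34Op56.GMPF",
    r"C:\Shares\finance\[radrigoman@protonmail.com].-.PRCP",
    r"C:\Shares\finance\#README_PRCP#.txt",
    r"C:\Shares\hr\[greenelephan@qq.com]..GRHAN",
    r"C:\Shares\hr\!README_GRHAN!.rtf",
    r"C:\Users\alice\Documents\budget.xlsx",                     # untouched file
    r"C:\Users\alice\Pictures\[someone@example.com].photo.jpg",  # bracketed name, not a Matrix extension
]

if __name__ == "__main__":
    summary = scan_filenames(SAMPLE_LISTING)
    for variant, count in sorted(summary["locked"].items()):
        print(f"{variant}: {count} locked file(s)")
    print("contact addresses:", ", ".join(summary["contacts"]))
    print("ransom notes:", ", ".join(summary["notes"]))
```

The contact addresses the scanner extracts are worth recording alongside the variant counts, since the page shows each variant advertising a different address; a bracketed address with an unlisted extension is the signal to extend `MATRIX_EXTENSIONS` rather than to dismiss the file.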
