Matrix Ransomware Distributed Via Compromised Remote Desktop Services

MalwareHunterTeam recently discovered two new variants of the Matrix ransomware that are distributed via compromised Remote Desktop services. First detected in 2016, Matrix was previously delivered to victims through an exploit kit known as RIG. In this current campaign, threat actors scan for machines that have their Remote Desktop Protocol (RDP) ports open and exposed to the internet. Once a vulnerable system is located, a brute-force attack is launched against the login credentials used for remote access. If the attack is successful, Matrix ransomware will be installed and executed on the target computer.

Despite some differences, both new versions of Matrix encrypt filenames and unmapped network shares, clear Volume Shadow Copies, and display status windows during the encryption process. Encrypted filenames will be appended with [Files4463[@]tuta[.]io] or [RestorFile[@]tutanota[.]com], depending on which variant infects the machine.

The NJCCIC recommends all users and administrators running Remote Desktop services review the NJCCIC Threat Analysis titled Remote Access: Open Ports Create Targets of Opportunity, Undue Risk and take proactive steps to reduce their exposure to network compromise as a result of insecure remote access configurations. We also recommend all members and organizations download our PDF titled Ransomware: Risk Mitigation Strategies to learn how to protect data, systems, and networks from ransomware.
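As an added example that is not part of the NJCCIC advisory, the following Python detector pairs the two observables described above: a source IP whose burst of failed logons is followed by a successful RDP logon, and file names carrying either marker (refanged from the advisory's bracketed form). The Windows event IDs 4625/4624 and logon type 10 are standard Security log values, and the log records and paths are constructed sample data.

```python
import re
from collections import defaultdict

# Suffixes exactly as the advisory defangs them; refang() restores the on-disk form.
DEFANGED_MARKERS = ("[Files4463[@]tuta[.]io]", "[RestorFile[@]tutanota[.]com]")

def refang(indicator):
    return indicator.replace("[@]", "@").replace("[.]", ".")

MARKERS = tuple(refang(m) for m in DEFANGED_MARKERS)

def matrix_marked_files(paths):
    """Return the paths whose file name (last path component) carries a Matrix marker."""
    return [p for p in paths if any(m in re.split(r"[\\/]", p)[-1] for m in MARKERS)]

def rdp_bruteforce_successes(events, threshold=5, window=300):
    """Flag a source IP when at least `threshold` failed logons (4625) within the last
    `window` seconds are followed by a successful RDP logon (4624, LogonType 10)."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e["src"]
        if e["id"] == 4625:
            failures[src].append(e["ts"])
        elif e["id"] == 4624 and e["type"] == 10:
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"src": src, "user": e["user"], "failures": len(recent), "ts": e["ts"]})
    return hits

# Constructed sample data (not from the advisory): six failures then success from one
# source, two failures then success from another, and an unrelated console logon.
SAMPLE_EVENTS = (
    [{"ts": t, "id": 4625, "src": "198.51.100.7", "user": "admin", "type": 10} for t in range(0, 60, 10)]
    + [{"ts": 60, "id": 4624, "src": "198.51.100.7", "user": "admin", "type": 10},
       {"ts": 100, "id": 4625, "src": "203.0.113.9", "user": "bob", "type": 10},
       {"ts": 110, "id": 4625, "src": "203.0.113.9", "user": "bob", "type": 10},
       {"ts": 120, "id": 4624, "src": "203.0.113.9", "user": "bob", "type": 10},
       {"ts": 130, "id": 4624, "src": "10.0.0.5", "user": "alice", "type": 2}]
)
SAMPLE_PATHS = [
    "C:\\Users\\bob\\report.docx",
    "C:\\Users\\bob\\report.docx[Files4463@tuta.io]",
    "\\\\fileserver\\share\\budget.xlsx[RestorFile@tutanota.com]",
]

if __name__ == "__main__":
    for h in rdp_bruteforce_successes(SAMPLE_EVENTS):
        print(f"RDP brute force likely succeeded: {h['src']} as {h['user']} after {h['failures']} failures")
    for p in matrix_marked_files(SAMPLE_PATHS):
        print("Matrix-marked file:", p)
```

In a real deployment the events would come from Security log exports or a SIEM query rather than the inline list, and the filename check would run against a file-change feed from the shares.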