Matrix, first discovered in March 2017, targets Windows OS and is distributed via the RIG EK by the EITest campaign. When a victim visits a compromised website that has had EITest scripts injected into the site's code, the EITest scripts load a RIG iframe that attempts to exploit vulnerable software on the victim's computer in order to install the Matrix ransomware variant. Another version of Matrix has a worm-like feature that spreads the infection from the original system to other systems through Windows folder shortcuts. This version hides a folder on the victim's system and then creates a shortcut with the same name as the hidden folder. It then makes a copy of the ransomware executable, names it desktop.ini, and saves it in the original, but hidden, folder. When a victim tries to open the shortcut to view the contents of the folder, Matrix launches the malware executable and begins encrypting files. This feature allows it to spread via both network shares and removable storage media. Matrix repeatedly contacts its C2 servers throughout the encryption process and sends progress updates to the attacker. It deletes Shadow Volume Copies to prevent file restoration by the victim and executes two commands that prevent the victim from entering recovery mode. The ransom payment demand is currently unknown.
Extensions appended to encrypted file names:
.matrix, .b10cked, email@example.com, Files4463@tuta.io, RestorFile@tutanota.com
Ransom note file names:
matrix-readme.rtf, Bl0cked-ReadMe.rtf, WhatHappenedWithFiles.rtf, #_#WhatWrongWithMyFiles#_#.rtf, !ReadMe_To_Decrypt_Files!.rtf, #Decrypt_Files_ReadMe#.rtf
UPDATE 10/27/2017: A new Matrix campaign was discovered targeting vulnerabilities in Internet Explorer (CVE-2016-0189) and Flash (CVE-2015-8651) and using the RIG EK on sites displaying malvertising to infect visitors. The version used in this campaign appends .firstname.lastname@example.org to the names of encrypted files and drops a ransom note named #_#WhatWrongWithMyFiles#_#.rtf
UPDATE 4/7/2018: Two new Matrix variants are currently being distributed via compromised Remote Desktop services. Both variants encrypt filenames and unmapped network shares, display status windows during the encryption process, and clear shadow volume copies.
- Bleeping Computer provides more information about Matrix here.
- The NJCCIC is not currently aware of any free decryption tools available for Matrix.