Matrix, first discovered in March 2017, targets Windows OS and is distributed via the RIG EK by the EITest campaign. When a victim visits a compromised website that has had EITest scripts injected into the site's code, the EITest scripts load a RIG iframe that attempts to exploit vulnerable software on the victim's computer in order to install the Matrix ransomware variant. Another version of Matrix has a worm-like feature that spreads the infection from the original system to other systems through Windows folder shortcuts. This version hides a folder on the victim's system and then creates a shortcut with the same name as the hidden folder. It then makes a copy of the ransomware executable, names it desktop.ini, and saves it in the original, but hidden, folder. When a victim tries to open the shortcut to view the contents of the folder, Matrix launches the malware executable and begins encrypting files. This feature allows it to spread via both network shares and removable storage media. Matrix repeatedly contacts its C2 servers throughout the encryption process and sends progress updates to the attacker. It deletes Shadow Volume Copies to prevent file restoration by the victim and executes two commands that prevent the victim from entering recovery mode. The ransom payment demand is currently unknown.
Extensions appended to encrypted file names:
Ransom note file names:
matrix-readme.rtf, Bl0cked-ReadMe.rtf, WhatHappenedWithFiles.rtf
- Bleeping Computer provides more information about Matrix here.
- The NJCCIC is not currently aware of any free decryption tools available for Matrix.