Matrix Ransomware: What To Do If You’re Infected

Tetra Defense looks back at some ransomware strains we’ve seen as the past oftentimes informs the present. Learn how Matrix Ransomware operated to stay updated on possible future strains. 

What is Matrix Ransomware?

Matrix ransomware is part of a new breed of malware whose favored method of distribution is by exploiting RDP vulnerabilities using a brute-force password attack. Matrix has this in common with the Ryuk, SamSam, and Phobos ransomware strains, all of which had the same primary attack vector. Some security professionals have observed that this ransomware vector strategy appears to be trending upward.

The Matrix strain follows in this tradition by implementing a targeted RDP exploit attack methodology against pre-selected victims, usually small, medium, or enterprise-level businesses. These may be businesses that the attackers assume would be more likely to pay the ransom if they successfully hack into the infrastructure.

The bigger the fish, the bigger the prize?

So far, the discovered footprint of the Matrix ransomware is relatively low, and the number of organizations that have been affected by the malware is relatively small. Still, importantly, the reward for successful ransom is significantly high.

As always, figures for ransomware attacks are difficult to estimate, but ZDNET has observed that of the known Matrix victims, 28% were businesses based in the United States, and 17% were in Belgium. Additional significant Matrix ransomware infections occurred in Taiwan, Singapore, Germany, Brazil, Chile, South Africa, Canada, and the UK.

There are 30 known extensions used by the Matrix ransomware, and with most strains, the attackers masquerade as the FBI claiming to have remotely locked the files. Most likely, the goal of this tactic is to create fear and make an emotional impact on the victim.

Unusually, with Matrix ransomware, the ransom demand is always in US Dollars instead of bitcoin. The ransom payment still happens in bitcoin, but some experts believe that this approach protects the attackers from widely fluctuating bitcoin currency valuations.

How Does Matrix Ransomware Work?

A server or computing infrastructure device that is exposed to the Internet and has RDP enabled is at risk of an RDP attack. Remote desktop is a legitimate administration tool used by computer operators to manage servers and devices.

RDP uses port 3389, and with the proliferation of cloud computing, there are a vast number of public-facing computers with RDP enabled. Security experts warn against allowing RDP unless necessary, and they advise the use of secure passwords and multi-factor authentication.

RDP connections protected by weak, simple, and human-readable passwords easily cracked using sustained dictionary attack hacking tools. A botnet, or a group of compromised servers, is used to identify and attack the RDP connection. This methodology creates a sustained, high-volume attack that challenges the RDP protocol with millions upon millions of passwords in quick succession.

Victims of Matrix Ransomware will most likely have had their systems accessed over RDP, either directly or indirectly. The payload is copied over to the victim’s computer and executed manually.

The ransomware payload follows a typical trend after execution: Matrix removes Windows Volume Shadow Service snapshots and system restore points to prevent restoration, and antivirus software is disabled before encryption. Standard user files are targeted, including pictures, documents, databases, and a variety of non-system files – all of which are locked using encryption.

The malware attempts to copy itself to admin shares on the network, and the attacker may attempt to access internal systems, which they can accomplish easily if RDP cached credentials exist within the compromised system.

Another feature that differentiates Matrix ransomware is how the attackers carry out the ransom demand. The ransomware note gives instructions for the user to send 3-5 of the obfuscated and encrypted files to the attacker, together with the KEYIDS.KLST file that was created by the ransomware.

This action serves two purposes; firstly, it proves to the victim that the attack can unlock files, but it also gives the attacker the upper hand, as the data sent by the victim may potentially hold business information. The attackers could identify who the victim was and use that knowledge to issue a personalized ransom demand. The costs may be high or low, depending on the likelihood of payment. The follow-up ransom demand includes a bitcoin address of where to send the payment.

How Do I Prevent Matrix Ransomware?

Because Remote Desktop Protocol (RDP) is the primary attack vector, securing all your RDP connections is a fundamental best practice to invoke. Only enable RDP on public-facing systems if absolutely necessary. Restrict RDP access to a set number of authorized IP addresses: this is an essential precaution on cloud computing infrastructure.

Passwords used on RDP hosts must be complex, non-dictionary words, ideally protected by multi-factor authentication, such as RSA. Enhanced RDP security features, called Network Level Authentication, should also be switched on from the Windows operating system. Network layer protection should also be engaged using a network firewall that drops any unauthorized traffic.

Educating employees about ransomware and securing RDP are great strategies to help thwart malware like Matrix. Education about malware, phishing campaigns, and how to react to unexpected attachments is also a recommended approach.

Proactive prevention is another strategy that can prove useful. This strategy may include technical measures such as robust email filtering, email authentication, email encryption, and endpoint monitoring tools. Patch all network infrastructure to the latest security levels, including servers, antivirus, antimalware, device firmware levels, and application updates.

We recommend that you follow additional strict business practices to help prevent Matrix from infecting your infrastructure. These practices include creating and maintaining a system inventory of your entire infrastructure and using this information to conduct a risk analysis to identify security weaknesses, allowing you to create a priority list of what to fix first.

Replace end-of-life Operating Systems including Windows XP, Windows 7, and, soon also, Windows Server 2008 R2. OS licensing is expensive, but it is critical to have supported operating systems that entitle you to security updates and patches.

Finally, use backups. If the worst does happen and you are affected by ransomware, often the quickest resolution is to restore from backup. Regular offsite backups should be completed on a daily, weekly, monthly rotation to reduce the likelihood of the backups also becoming infected.

Have a disaster recovery plan in place to prepare for the eventuality of a total outage caused by ransomware. This plan might be a high availability Disaster Recovery set up in a secondary site or with a cloud provider.

How Do I Get Rid of Matrix Ransomware?

Nearly all antivirus products are now capable of blocking malware using real-time protection agents, and fortunately, the Matrix application hashes are known and easily detected by AV. Combining this with a strong RDP security strategy will put you in the best possible position.

There are many websites online that claim to be able to remove Matrix. However, most of these are fake scamming sites. There is no known publicly available decryptor for the Matrix Ransomware.

We strongly recommend a full rebuild of any machine infected with Matrix from a backup. Rebuilding machines may cause short-term pain, but in the longer term, there is the assurance that he malware wholly removed during the rebuild process.

Tetra Defense prioritizes restoration to get businesses back to where they were before the ransomware attack. We approach ransomware restoration and investigations simultaneously, so you return to normal operations at the same time you are getting answers.

Our teams are standing by to focus on what matters most: your business! We will survey the ransomware attack and perform an initial assessment; this will identify the optimal course of action to address the incident. If deemed necessary, we can conduct ransom negotiation and, if needed, can facilitate ransom payment.

We remove the threat from and secure your systems, conduct malware scans, and network threat hunting. Tetra leverages each incident to learn from the ransomware attack and to discover the root cause. Once Tetra obtains the decryption keys, we decrypt the data and get systems restored to full functionality as quickly as possible.

Example of Matrix Ransom Note

Get Help with Matrix Ransomware

If you’re ready to get help removing Matrix ransomware from your critical systems, contact Tetra Defense’s incident response team today. We will reach out for an assessment and build a plan to get your network up and running once again.

Check out some related content on our blog: