Matrix Ransomware: A Threat to Low-Hanging Fruit
(Jan 31, 2019)
Researchers from Sophos published a report, “Matrix: A Low-Key Targeted Ransomware,” in which they discuss an unsophisticated malware family called “Matrix” that attempts to brute-force weakly secured Remote Desktop Protocol (RDP) endpoints. Once it gains access to a system, the malware uses RDP connections to other machines to establish persistence in the network and spread. Matrix bundles several payload executables to accomplish its tasks, including free, legitimate system administration tools. The ransom note presented to the infected user instructs victims to email the attackers to learn the ransom amount and to get their files back. The authors behind the malware initially request $2,500 in Bitcoin and increase the amount by $1,000 if the victim does not pay within the first 24-hour period. They then state that the private key needed to obtain the decryption key will be deleted if the user does not pay the ransom within 96 hours of the initial encryption.
Recommendation: Ensure that your server is always running the most current software version. Additionally, maintaining strong passwords for RDP and other remote access systems is paramount. Intrusion detection systems and intrusion prevention systems can also assist in identifying and preventing attacks against your company's network. Furthermore, always practice defence-in-depth (do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe). In the case of a ransomware infection, the affected systems should be wiped and reformatted. Never pay the ransom, as it does not guarantee recovery of your files. Other machines on the same network should be scanned for other potential infections.
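The following is an added example of the kind of detection logic an intrusion detection system or log pipeline can apply to spot RDP brute-force attempts of the sort Matrix relies on; it is not code from the Sophos report or from Anomali. It reads constructed, one-line-per-event Windows Security log records (Event ID 4625 is a failed logon, 4624 a successful logon, and logon type 10 is RemoteInteractive, i.e. RDP), counts failures per source address in a sliding window, and raises a higher-severity alert when a success follows a burst of failures from the same source. The log format, source addresses (documentation ranges) and account names are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log entries, flattened to one line each.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
# The addresses are documentation-range placeholders, not real indicators.
SAMPLE_LOG = """\
2019-01-30T08:00:01 EventID=4625 LogonType=10 User=Administrator Src=203.0.113.7
2019-01-30T08:00:03 EventID=4625 LogonType=10 User=Administrator Src=203.0.113.7
2019-01-30T08:00:04 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2019-01-30T08:00:06 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2019-01-30T08:00:09 EventID=4625 LogonType=10 User=scan Src=203.0.113.7
2019-01-30T08:00:11 EventID=4625 LogonType=10 User=Administrator Src=203.0.113.7
2019-01-30T08:00:15 EventID=4624 LogonType=10 User=Administrator Src=203.0.113.7
2019-01-30T08:10:00 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.4
2019-01-30T08:40:00 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.4
2019-01-30T09:00:00 EventID=4625 LogonType=2 User=jsmith Src=-
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources with >= threshold RDP logon failures inside
    a sliding time window, plus a higher-severity alert if such a source then
    logs on successfully (the pattern a password-guessing attack leaves behind)."""
    recent = defaultdict(deque)   # source address -> timestamps of recent failures
    flagged = set()               # sources already alerted on, to avoid repeats
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec.get("LogonType") != "10":   # only RemoteInteractive (RDP) logons
            continue
        src = rec["Src"]
        if rec["EventID"] == "4625":
            failures = recent[src]
            failures.append(rec["ts"])
            # Drop failures that have fallen out of the window.
            while failures and rec["ts"] - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"src": src, "kind": "bruteforce",
                               "failures": len(failures), "at": rec["ts"]})
        elif rec["EventID"] == "4624" and src in flagged:
            # A success right after a burst of failures is the signal to act on first.
            alerts.append({"src": src, "kind": "success_after_bruteforce",
                           "user": rec["User"], "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample data the first source trips the threshold on its fifth failure and then produces a successful logon as Administrator, which yields two alerts; the second source has only two failures half an hour apart and stays below the threshold, and the local (type 2) logon is ignored. The threshold and window are deliberately parameters: a slower guessing rate evades a fixed five-in-five-minutes rule, so a deployment should tune them and pair this with account lockout and strong RDP credentials rather than relying on the detection alone.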
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.