New Matrix Ransomware Variants Installed Via Hacked Remote Desktop Services
(Apr 7, 2018)
The security researcher known as “MalwareHunterTeam” has discovered two new variants of the “Matrix” ransomware. One of the variants contains debugging output and invokes the Windows cipher utility to wipe free disk space, so that deleted originals cannot be recovered after encryption. Threat actors are distributing this ransomware by compromising exposed Remote Desktop (RDP) services and installing it by hand on the victim host. At the time of this writing, no decryptor is available for either Matrix variant.
Recommendation: Ensure that your servers are always running the most current software version. Additionally, strong, unique passwords and an account lockout policy for RDP and other remote-access systems are paramount; RDP should not be reachable directly from the internet but placed behind a VPN or gateway. Intrusion detection and intrusion prevention systems can also assist in identifying and preventing attacks against your company's network, in particular repeated failed RDP logons from a single source. Furthermore, always practice Defense in Depth (do not rely on single security mechanisms; security measures should be layered, redundant, and fail-safe). In the case of ransomware infection, the affected systems should be wiped and reformatted and restored from offline backups, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
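The two behaviours the brief describes, password guessing against RDP followed by a successful remote-interactive logon, and the post-compromise wiping of free space with cipher.exe, can both be surfaced from Windows Security events. The following detection logic is an added example written for this page; it is not code from the brief, from MalwareHunterTeam, or from Matrix itself. The event records are constructed sample data (the IP addresses, usernames and timestamps are invented), their field names mirror the Windows Security log (4625 failed logon, 4624 successful logon, 4688 process creation), and the threshold and window are assumptions to tune per environment. Logon type 10 is RemoteInteractive, which is what RDP sessions produce.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"      # RemoteInteractive: Terminal Services / RDP sessions
FAILURE_THRESHOLD = 5      # assumed: failed RDP logons from one source inside WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample events (not real telemetry). 4688 CommandLine is only
# populated when "Include command line in process creation events" is enabled.
SAMPLE_EVENTS = [
    {"time": "2018-04-06T02:11:04", "id": 4625, "logon_type": "10", "src_ip": "198.51.100.23", "user": "Administrator"},
    {"time": "2018-04-06T02:11:09", "id": 4625, "logon_type": "10", "src_ip": "198.51.100.23", "user": "admin"},
    {"time": "2018-04-06T02:11:15", "id": 4625, "logon_type": "10", "src_ip": "198.51.100.23", "user": "Administrator"},
    {"time": "2018-04-06T02:11:21", "id": 4625, "logon_type": "10", "src_ip": "198.51.100.23", "user": "backup"},
    {"time": "2018-04-06T02:11:27", "id": 4625, "logon_type": "10", "src_ip": "198.51.100.23", "user": "Administrator"},
    {"time": "2018-04-06T02:11:33", "id": 4625, "logon_type": "10", "src_ip": "198.51.100.23", "user": "Administrator"},
    {"time": "2018-04-06T02:12:40", "id": 4624, "logon_type": "10", "src_ip": "198.51.100.23", "user": "Administrator"},
    # A mistyped password from a staff workstation: one failure, then success.
    {"time": "2018-04-06T08:30:00", "id": 4625, "logon_type": "10", "src_ip": "10.0.0.45", "user": "jsmith"},
    {"time": "2018-04-06T08:30:20", "id": 4624, "logon_type": "10", "src_ip": "10.0.0.45", "user": "jsmith"},
    # Process creation on the victim host after the intrusion.
    {"time": "2018-04-06T02:20:15", "id": 4688, "process": "C:\\Windows\\System32\\cipher.exe",
     "cmdline": "cipher.exe /w:C:", "user": "Administrator"},
    # Legitimate cipher.exe use (EFS encryption of a folder), must not alert.
    {"time": "2018-04-06T09:02:00", "id": 4688, "process": "C:\\Windows\\System32\\cipher.exe",
     "cmdline": "cipher.exe /e C:\\Users\\jsmith\\Reports", "user": "jsmith"},
    {"time": "2018-04-06T09:05:00", "id": 4688, "process": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe", "user": "jsmith"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rdp_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag sources whose failed RDP logons reach the threshold inside a sliding
    window, and record whether the same source later logged on successfully.
    Returns {src_ip: {"failures": peak_count, "compromised_account": user_or_None}}."""
    recent = defaultdict(deque)      # src_ip -> timestamps of failures still in the window
    findings = {}
    for ev in sorted(events, key=_ts):
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue                 # only RemoteInteractive logons are of interest here
        ip, t = ev["src_ip"], _ts(ev)
        if ev["id"] == 4625:
            q = recent[ip]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()          # discard failures that aged out of the window
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "compromised_account": None})
                f["failures"] = max(f["failures"], len(q))
        elif ev["id"] == 4624 and ip in findings:
            # Success from a source already flagged: treat this account as compromised.
            findings[ip]["compromised_account"] = ev["user"]
    return findings


def find_free_space_wipes(events):
    """Process-creation events where cipher.exe runs with /w, which overwrites
    free space and defeats recovery of deleted originals.
    Returns a list of (time, user, cmdline)."""
    hits = []
    for ev in events:
        if ev["id"] != 4688 or not ev["process"].lower().endswith("\\cipher.exe"):
            continue
        tokens = ev["cmdline"].lower().split()
        if any(tok.startswith("/w") for tok in tokens):   # /w or /w:<drive>
            hits.append((ev["time"], ev["user"], ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for ip, f in find_rdp_brute_force(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: {f['failures']} failures, "
              f"compromised account: {f['compromised_account']}")
    for when, user, cmd in find_free_space_wipes(SAMPLE_EVENTS):
        print(f"free-space wipe at {when} by {user}: {cmd}")
```

Only the 198.51.100.23 source is flagged: six failures inside ten minutes, followed by a successful Administrator logon from the same address. The single mistyped password from 10.0.0.45 and the legitimate `cipher.exe /e` run produce no alert. In production the same two rules map directly onto a SIEM correlation search; the wipe rule only fires if process command-line auditing is turned on, so enabling that policy is a prerequisite.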
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.