Matrix ransomware made its first appearance in 2016 as it was being distributed by RIG exploit kits used by the EITest campaign. Although recently the threat actors who are distributing Matrix are following a playbook that is based on the playbook used by the SamSam Group.
Attacks involving the Matrix ransomware have been infrequent and have been recorded to target organisation of medium to large size from many countries including US, Belgium, Taiwan, Singapore, Germany, Brazil, Chile, South Africa, Canada, and the UK.
There is no decryptor for any of the active variants of the Matrix ransomware and the average ransom required is $3.5k which can be paid via provided email addresses in the ransomware note.
The threat actor begins to try to gain access to the target network by targeting an exposed Windows machine which has RDP enabled and can be accessible through the target’s firewalls. Then the threat actor will use uses brute force or exploit techniques to gain access to the exposed machine. The threat actor may use lateral movement techniques to gain access to other machines within the victim’s network. Some variants of the Matrix ransomware have been recorded to have a worm feature included that allows the ransomware to spread and infect other machines through folder shortcuts.
After the threat actor have dropped Matrix onto the target’s machines, Matrix attempts to scan the network for any shared folders that it could possibly enumerate and to build a list of files that can be valuable using the NetShareEnum function. Matrix also collects information from the compromised machines to find where they are in the network and what system integrity level, they have like the active user account permissions.
Matrix then compares the results of the scans to a list of hardcoded file extensions of files to be encrypted. Matrix usually targets removable, fixed, and remote drives. Matrix uses the CryptGenRandom function to create a 40 byte long random value which is then used in a ChaCha algorithm to encrypt the files via key and nonce pairs of 40 byte long random values.
The final stage of the attack is when the malware finishes running through all the encryptable files, it runs a.cmd file that uses cipher.exe tool to overwrite the deleted data on all the connected drives. This causes the drives to be permanently unrecoverable.
Command and Control
During the attack, Matrix communicates the results from the scans of the target network, and real-time status updates of the attack to a C&C server so the threat actors can modify and control the attack of the ransomware.