Two of the most serious threats currently facing business owners are ransomware and advanced targeted attacks (ATAs), attacks designed for a specific victim's environment rather than sprayed at everyone. The last two years have seen an increase in both kinds of threat, and in their combination: targeted ransomware such as Ryuk, SamSam, and now Matrix.

Matrix variants have been observed before, but a recent report notes that the malware has moved firmly into the targeted realm. Its operators appear to have taken lessons from other targeted ransomware crews and have added a twist of their own.

What Is The Matrix Ransomware?
Matrix gains entry through Windows Remote Desktop (RDP), most likely by brute-forcing the passwords of computers whose RDP service is exposed to the internet. Once run, the malware searches for files of certain types and encrypts them. Because the attackers log in with a guessed password rather than tricking a user into opening something, email and web filtering offer no protection against this stage; internet-facing RDP and weak passwords are the actual exposure.

The Matrix ransomware obfuscates the original filename and appends its own custom extension, typically either an email address in square brackets, such as [RestoreFile@qq.com], or an uppercase suffix such as .MTXLOCK.
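The two naming shapes above are usable as on-disk indicators. The script below is an added example, not code from the original article or from the report it cites: it classifies filenames by the bracketed-address and .MTXLOCK patterns, and by the KEYIDS.KLST file the article says the malware leaves on the Desktop. The regexes generalise the two shapes (any bracketed address, any letter case, since NTFS names are case-insensitive), the sample paths are constructed, and the "three renamed files" threshold in `looks_hit` is my own choice.

```python
import ntpath
import re
from pathlib import Path

# Two filename shapes the article attributes to Matrix: an email address in
# square brackets added to the name, e.g. "[RestoreFile@qq.com]", and an
# uppercase suffix such as ".MTXLOCK". The regexes are my generalisation of
# those shapes (any bracketed address, any case), not a list from the malware.
EMAIL_TAG_RE = re.compile(r"\[[^\[\]\s@]+@[^\[\]\s@]+\.[A-Za-z]{2,}\]")
MTXLOCK_RE = re.compile(r"\.MTXLOCK$", re.IGNORECASE)  # NTFS names are case-insensitive
# The key-ID list the article says Matrix leaves on the victim's Desktop.
KEYIDS_NAME = "KEYIDS.KLST"


def classify_name(name):
    """Return the set of Matrix indicators a filename matches (empty if none)."""
    name = ntpath.basename(name)  # strips either \ or / directories, on any OS
    found = set()
    if name.upper() == KEYIDS_NAME:
        found.add("keyid-list")
    if MTXLOCK_RE.search(name):
        found.add("mtxlock-suffix")
    if EMAIL_TAG_RE.search(name):
        found.add("email-tag")
    return found


def scan_names(paths):
    """Group matching paths by indicator: {indicator: [path, ...]}.
    Non-matching paths are omitted, so a clean tree returns {}."""
    hits = {}
    for p in paths:
        for kind in classify_name(p):
            hits.setdefault(kind, []).append(p)
    return hits


def scan_tree(root):
    """Walk a real directory (e.g. a mounted image of a suspect disk) and scan it."""
    return scan_names(str(p) for p in Path(root).rglob("*") if p.is_file())


def looks_hit(paths, min_encrypted=3):
    """True when the tree carries the key-ID list or at least `min_encrypted`
    renamed files. The threshold is an assumption, chosen so that a single
    bracketed address a user typed into a filename on purpose is not an alert."""
    hits = scan_names(paths)
    renamed = set(hits.get("mtxlock-suffix", [])) | set(hits.get("email-tag", []))
    return "keyid-list" in hits or len(renamed) >= min_encrypted


# Constructed sample paths for a stand-alone run; not taken from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\jane\Documents\Q3-forecast.xlsx",              # untouched
    r"C:\Users\jane\Documents\8F2A1C9E[RestoreFile@qq.com]",  # obfuscated name + email tag
    r"C:\Users\jane\Pictures\3B7D.MTXLOCK",                   # obfuscated name + suffix
    r"C:\Users\jane\Desktop\KEYIDS.KLST",                     # key-ID list left by the malware
    r"C:\Users\jane\Documents\notes[draft@v2].txt",           # brackets but not an address: no hit
    r"C:\Users\jane\Music\old-mix.mtxlock",                   # lower case: still a hit
]

if __name__ == "__main__":
    for kind, paths in sorted(scan_names(SAMPLE_PATHS).items()):
        print(f"{kind}: {len(paths)} file(s)")
    print("Matrix indicators present:", looks_hit(SAMPLE_PATHS))
```

Run `scan_tree(r"D:\")` against a mounted copy of a suspect volume rather than the live system, so that triage does not race with an encryptor that is still running.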

Matrix also attempts to delete the snapshots automatically created by the Windows Volume Shadow Copy Service (VSS), so that neither the user nor backup software can easily roll back to a known-good point. Shadow copies live on the same disk as the data and can be removed by any administrator, which is exactly the level of access an attacker who has brute-forced an RDP login usually holds; they should never be counted as a backup.
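Both stages described above, the RDP password guessing and the shadow-copy deletion, leave traces in the Windows Security log. The detector below is an added example, not code from the original article: it flags sources with a burst of failed RDP logons (event 4625, logon type 10), raises a higher-priority hit when such a source then logs in successfully (event 4624), and picks out process-creation events (4688) whose command line deletes shadow copies. The event records are constructed in a flattened shape like a SIEM export, the field names and thresholds are my own, and the `vssadmin delete shadows` pattern is an assumption, since the article says only that Matrix deletes VSS snapshots, not which command it runs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # "RemoteInteractive" in Security events 4624 (success) and 4625 (failure)
# Assumption: the snapshots are wiped with vssadmin, the usual ransomware method;
# the article only says Matrix deletes VSS snapshots, not which command it runs.
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def _t(s):
    return datetime.fromisoformat(s)


def _is_rdp(e, event_id):
    return e["event_id"] == event_id and e.get("logon_type") == RDP_LOGON_TYPE


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak number of failed RDP logons inside any sliding
    `window`, for sources that reach `threshold`. The defaults are my own
    starting values; tune them against your environment's normal noise."""
    fails = defaultdict(list)
    for e in events:
        if _is_rdp(e, 4625):
            fails[e.get("source_ip", "-")].append(_t(e["time"]))
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def bruteforce_then_success(events, **kw):
    """(ip, account, time) for every successful RDP logon from a flagged source
    after that source's first failure: a guessed password, i.e. the foothold
    the article describes, rather than background scanning noise."""
    flagged = rdp_bruteforce_sources(events, **kw)
    first_fail = {}
    for e in events:
        if _is_rdp(e, 4625) and e.get("source_ip") in flagged:
            ip, t = e["source_ip"], _t(e["time"])
            if ip not in first_fail or t < first_fail[ip]:
                first_fail[ip] = t
    return [(e["source_ip"], e["account"], e["time"]) for e in events
            if _is_rdp(e, 4624) and e.get("source_ip") in first_fail
            and _t(e["time"]) > first_fail[e["source_ip"]]]


def shadow_copy_deletions(events):
    """Process-creation events (4688) whose command line deletes shadow copies."""
    return [e for e in events
            if e["event_id"] == 4688 and SHADOW_DELETE_RE.search(e.get("command_line", ""))]


def _build_sample_events():
    """Constructed records in a flattened shape like a SIEM export; not real logs."""
    base = datetime(2019, 2, 1, 2, 14, 5)

    def at(secs):
        return (base + timedelta(seconds=secs)).isoformat()

    ev = []
    # Twelve failed RDP logons from one address, one every four seconds.
    for i in range(12):
        ev.append({"time": at(4 * i), "event_id": 4625, "source_ip": "203.0.113.7",
                   "logon_type": 10, "account": "administrator"})
    # ...then the same address logs in successfully.
    ev.append({"time": at(50), "event_id": 4624, "source_ip": "203.0.113.7",
               "logon_type": 10, "account": "administrator"})
    # One mistyped password from a legitimate user: stays under the threshold.
    ev.append({"time": at(180), "event_id": 4625, "source_ip": "198.51.100.20",
               "logon_type": 10, "account": "jane"})
    # A console logon (type 2) is not RDP and must not count as one.
    ev.append({"time": at(200), "event_id": 4624, "source_ip": "-",
               "logon_type": 2, "account": "jane"})
    # Process creation: the shadow-copy wipe, and a harmless listing for contrast.
    ev.append({"time": at(900), "event_id": 4688, "account": "administrator",
               "command_line": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"})
    ev.append({"time": at(950), "event_id": 4688, "account": "backupsvc",
               "command_line": r"C:\Windows\System32\vssadmin.exe list shadows"})
    return ev


SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    print("brute-force sources:", rdp_bruteforce_sources(SAMPLE_EVENTS))
    print("guessed passwords:", bruteforce_then_success(SAMPLE_EVENTS))
    for e in shadow_copy_deletions(SAMPLE_EVENTS):
        print("shadow copies deleted by", e["account"], "->", e["command_line"])
```

The 4688 check only works if the "Include command line in process creation events" audit policy is enabled, since by default Windows logs the process name but not its arguments; without it the vssadmin call looks identical to a routine backup job listing snapshots.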

Matrix Changes The Rules
In any ransomware story you would normally expect a ransom note demanding a fixed amount of bitcoin. That is where the Matrix ransomware shakes things up. The malware authors have dispensed with the convention of a note that states a specific cryptocurrency fee. Instead, they exploit the fact that the attack is targeted.

The criminals first ask the victim to send between three and five samples of their encrypted files, along with the KEYIDS.KLST file the malware deliberately leaves on the victim's Desktop. The attackers then decrypt the samples privately, working out who the victim is and what kind of data they have likely lost. Only then do they contact the victim with a ransom demand, presumably based on their assessment of the victim's financial resources and the value of the data. Incident responders should keep a copy of that KEYIDS.KLST file and a few encrypted samples rather than deleting them: they identify the key material used, and they are what any future decryption effort would need.

As pointed out earlier, this is particularly hard on a business owner. In a typical ransomware attack the attackers have no idea, and little concern, who their victims are or what data has been rendered inaccessible; everybody is hit for the same amount. The Matrix ransomware instead sets a variable price based on the attackers' own assessment of what the victim is worth. The bigger the fish, the bigger the demand.

The Matrix malware authors may also have started a new trend by demanding the bitcoin equivalent of a dollar amount rather than a fixed bitcoin amount. This puts the problem of fluctuations in cryptocurrency value firmly in the victim's court. Bitcoin values have recently moved by as much as 10% in a single day, so the criminals' concern about volatile prices may also indicate that they intend to cash out quickly.

There is no known public decryptor for the Matrix malware at this time. The best way to protect yourself and your business from ransomware is to have a reliable, up-to-date offsite backup that the malware cannot reach: since the attackers arrive over RDP with a valid login, a backup volume that is permanently mounted or writable from the network can be encrypted right along with the data, so keep at least one copy offline. Since brute-forced RDP is the entry point, it also pays to take RDP off direct internet exposure (behind a VPN or gateway), enforce strong passwords and account lockout, and watch for bursts of failed remote logons. The criminals are getting smarter all the time!