Matrix, also known as Ann, is ransomware that has been frequently updated since December 2016.
Matrix has been distributed using a range of methods including spam email campaigns, the RIG exploit kit and hacked remote desktop services.
When Matrix is executed it encrypts the user's files and filenames, including on network shares. Matrix then uploads statistics on the types of files that were encrypted to its command and control server. To undermine recovery by the user, Matrix deletes Volume Shadow Copies and disables recovery options on the affected device, with some variants also overwriting all free space on the storage volume.
Some variants of Matrix can propagate further by using shortcuts. During the encryption process, these variants hide a folder and then create a shortcut using the folder’s icon and name to fool users into executing the ransomware. These malicious shortcuts are created on network shares and removable drives, which can result in the ransomware being executed across the local network.
Despite some differences, both newer variants of Matrix encrypt filenames and unmapped network shares, clear Volume Shadow Copies, and display status windows during the encryption process. Encrypted filenames are appended with [Files4463[@]tuta[.]io] or [RestorFile[@]tutanota[.]com], depending on which variant infects the machine.
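As an added example (not from the original page or from any Matrix analysis tooling), the following Python scan looks for the two on-disk artefacts described above: filenames carrying the appended Matrix e-mail tags, and a .lnk shortcut that shares its name with a sibling folder, which is how the folder-icon lure presents on a share or removable drive. The sample share it builds is constructed; the two MATRIX_TAGS values are the page's tags, and the looser TAG_RE pattern is an assumption to catch tags of the same shape.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Tags the page reports Matrix appending to encrypted filenames (shown defanged there).
MATRIX_TAGS = ("[Files4463@tuta.io]", "[RestorFile@tutanota.com]")
# Assumption: other variants use the same "[mailbox@domain]" shape.
TAG_RE = re.compile(r"\[[^\[\]\s]+@[^\[\]\s]+\]")


def is_hidden(path: Path) -> bool:
    """True when the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_tree(root):
    """Return (renamed_files, lure_shortcuts) found under root.

    renamed_files: paths whose name carries a Matrix-style tag.
    lure_shortcuts: (shortcut, twin_folder, folder_is_hidden) triples where a
    .lnk is named after a folder in the same directory.
    """
    renamed, lures = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {d.lower(): Path(dirpath, d) for d in dirnames}
        for name in filenames:
            path = Path(dirpath, name)
            if any(tag in name for tag in MATRIX_TAGS) or TAG_RE.search(name):
                renamed.append(path)
            if name.lower().endswith(".lnk"):
                twin = siblings.get(name[:-4].lower())
                if twin is not None:
                    lures.append((path, twin, is_hidden(twin)))
    return renamed, lures


def build_sample_share():
    """Constructed sample share (not real artefacts) to exercise scan_tree()."""
    root = Path(tempfile.mkdtemp())
    (root / "Finance").mkdir()
    (root / "Finance.lnk").write_bytes(b"L\x00\x00\x00")  # placeholder .lnk header only
    (root / "report.docx[Files4463@tuta.io]").write_bytes(b"")
    (root / "notes.txt").write_bytes(b"")
    return root
```

On a live system point scan_tree() at the share or drive root; on Windows the third element of each lure triple reports whether the twin folder carries the hidden attribute the page describes.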
The ransomware is being installed through exploit kits which target vulnerabilities in Internet Explorer (CVE-2016-0189) and Flash (CVE-2015-8651).
Ransom Note Text (the note substitutes Cyrillic look-alike letters for many Latin letters; transcribed here in plain Latin):

WHAT HAPPENED WITH YOUR FILES? Your documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers. More information about the RSA and AES can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

It means that you will not be able to access them anymore until they are decrypted with your personal decryption key! Without your personal key and special software data recovery is impossible! If you will follow our instructions, we guarantee that you can decrypt all your files quickly and safely!

If you want to restore your files, please write us to the e-mails: [email protected] [email protected] [email protected]

In subject line of your message write your personal ID: 4292D68970C047H

We recommend you to send your message ON EACH of OUR 3 EMAILS, due to the fact that the message may not reach their intended recipient for a variety of reasons! Please, write us in English or use professional translator!

If you want to restore your files, you have to pay for decryption in Bitcoins. The price depends on how fast you write to us. Your message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.

To confirm that we can decrypt your files you can send us up to 3 files for free decryption. Please note that files for free decryption must NOT contain any valuable information and their total size must be less than 5Mb.

You have to respond as soon as possible to ensure the restoration of your files, because we won't keep your decryption keys at our server more than one week in interest of our security. Note that all the attempts of decryption by yourself or using third party tools will result only in irrevocable loss of your data.

If you did not receive the answer from the aforecited emails for more than 6 hours, please check SPAM folder! If you did not receive the answer from the aforecited emails for more than 12 hours, please try to send your message with another email service! If you did not receive the answer from the aforecited emails for more than 24 hours (even if you have previously received answer from us), please try to send your message with another email service to each of our 3 emails! And don't forget to check SPAM folder!
Associated Email addresses:
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.