Ransomware evolving as attackers learn from attacks

A new report on Matrix, a low-key targeted ransomware, reveals that the malware is evolving: newer versions keep appearing as the attackers improve on lessons learned from each attack.

The malware has been operating since 2016. The attackers who infect computers with Matrix have been breaking into enterprise networks and infecting those computers over Remote Desktop Protocol (RDP), a built-in remote access tool for Windows computers.

But unlike other targeted ransomware families, Matrix only targets a single machine on the network rather than spreading widely through an organization.


Matrix ransom notes are embedded in the attack code, but victims don’t learn how much they must pay until they contact the attackers. For most of Matrix’s existence, the authors used a cryptographically protected anonymous instant messaging service called bitmsg.me, but that service has since been discontinued and the authors have reverted to using ordinary email accounts.

The threat actors behind Matrix state their cryptocurrency ransom demand as a U.S. dollar equivalent. This is unusual: demands for cryptocurrency normally come as a specific amount of cryptocurrency, not its dollar equivalent.

It’s unclear whether the dollar-denominated demand is a deliberate attempt at misdirection or simply a way of riding out wildly fluctuating cryptocurrency exchange rates.

Based on the communications SophosLabs, a global leader in network and endpoint security, had with the attackers, ransom demands were for US$2,500, but the attackers eventually reduced the ransom when the researchers stopped responding to the demands.

“Matrix is very much the Swiss Army Knife of the ransomware world, with newer variants able to scan and find potential computer victims once inserted into the network,” SophosLabs stated.

The following security measures have been recommended: restrict access to remote control applications such as Remote Desktop (RDP) and VNC, and carry out complete, regular vulnerability scans and penetration tests across the network.

Other measures include multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN; creating back-ups that are offline and offsite; and developing a disaster recovery plan that covers the restoration of data and systems for the whole organization, all at once.
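Since Matrix arrives over RDP, the recommendation to restrict RDP access is only useful if you can verify it is being honoured. The following Python script is an added example (not from the report or from Sophos) that runs two checks over constructed, simplified Windows Security log lines: RDP logons (event 4624, logon type 10) whose source address is outside a hypothetical management subnet, and sources that produced repeated RDP failures (event 4625) before a success. The subnet, host name and sample events are assumptions made up for the example.

```python
import ipaddress

# Constructed sample of Windows Security log entries, flattened to one line each.
# EventID 4624 = successful logon, 4625 = failed logon; LogonType 10 = RDP.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUser=admin IpAddress=10.20.0.15 Workstation=FILESRV01",
    "EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.77 Workstation=FILESRV01",
    "EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.77 Workstation=FILESRV01",
    "EventID=4624 LogonType=10 TargetUser=administrator IpAddress=203.0.113.77 Workstation=FILESRV01",
    "EventID=4624 LogonType=2 TargetUser=jsmith IpAddress=127.0.0.1 Workstation=FILESRV01",
    "EventID=4624 LogonType=10 TargetUser=backup IpAddress=10.20.0.40 Workstation=FILESRV01",
]

# Hypothetical management subnet that is the only permitted RDP source (assumption).
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]


def parse_event(line):
    """Turn a 'key=value key=value ...' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def rdp_logons_outside_allowlist(lines, allowed=ALLOWED_RDP_SOURCES):
    """Return (user, ip, host) for successful RDP logons from non-allowlisted sources."""
    hits = []
    for ev in map(parse_event, lines):
        if ev["EventID"] != "4624" or ev["LogonType"] != "10":
            continue
        src = ipaddress.ip_address(ev["IpAddress"])
        if not any(src in net for net in allowed):
            hits.append((ev["TargetUser"], ev["IpAddress"], ev["Workstation"]))
    return hits


def failed_rdp_before_success(lines, min_failures=2):
    """Return (ip, failure_count) for sources with >= min_failures RDP failures before a success."""
    failures = {}
    flagged = []
    for ev in map(parse_event, lines):
        if ev["LogonType"] != "10":
            continue
        ip = ev["IpAddress"]
        if ev["EventID"] == "4625":
            failures[ip] = failures.get(ip, 0) + 1
        elif ev["EventID"] == "4624" and failures.get(ip, 0) >= min_failures:
            flagged.append((ip, failures[ip]))
    return flagged


if __name__ == "__main__":
    print("RDP logons outside allowlist:", rdp_logons_outside_allowlist(SAMPLE_EVENTS))
    print("Failures followed by success:", failed_rdp_before_success(SAMPLE_EVENTS))
```

Either finding on a single server is exactly the foothold the article describes, so both are worth alerting on and cross-checking against the firewall rules that are supposed to limit RDP to the management subnet.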
