The premise of The Matrix, that we all live in a computer simulation, may be science fiction, but in the world of hacking, Matrix is an equally ominous name.
It is a family of ransomware described by network and endpoint security leaders Sophos as “the Swiss Army Knife of the ransomware world”.
The malware has been operating since 2016 and Sophos has tracked 96 samples in the wild. As with earlier targeted ransomware, including BitPaymer, Dharma and SamSam, the attackers who infect computers with Matrix have been breaking into enterprise networks over Remote Desktop Protocol (RDP), a built-in remote access tool for Windows computers. However, unlike these other ransomware families, Matrix only targets a single machine on the network, rather than spreading widely through an organisation.
SophosLabs reverse engineered the evolving code and techniques employed by the attackers, as well as the methods and ransom notes used to attempt to extract money from victims. According to its report, the Matrix criminals evolved their attack parameters over time, with new files and scripts added to deploy different tasks and payloads onto the network.
Matrix ransom notes are embedded in the attack code, but victims don’t know how much they must pay until they contact the attackers. For most of Matrix’s existence, the authors used a cryptographically protected anonymous instant messaging service called bitmsg.me. However, that service has now been discontinued and the authors have reverted to using normal email accounts.
The threat actors behind Matrix make their demand for cryptocurrency ransom in the form of a U.S. dollar value equivalent. This is unusual, as demands for cryptocurrency normally come as a specific value in cryptocurrency, not the dollar equivalent. It’s unclear whether the ransom demand is a deliberate attempt at misdirection, or just an attempt to surf wildly fluctuating cryptocurrency exchange rates. Based on the communications SophosLabs had with the attackers, ransom demands were for US$2,500, but the attackers eventually reduced the ransom when researchers stopped responding to demands.
Sophos says Matrix is very much the Swiss Army Knife of the ransomware world, with newer variants able to scan and find potential computer victims once inserted into the network. While sample volumes are small, that doesn’t make it any less dangerous; Matrix is evolving and newer versions are appearing as the attackers are improving on lessons learned from each attack.
Sophos’ 2019 Threat Report forecast that targeted ransomware will drive hacker behaviour, and that organisations need to remain vigilant and work to ensure they are not an easy target.
Read on for Sophos recommendations on four security measures that should be implemented immediately.