Two new Matrix Ransomware variants, which encrypt computer files, have been recently discovered and, unfortunately, neither one can’t be decrypted for free.
According to a report from Bleepingcomputer.com, two new Matrix Ransomware variants have been discovered by MalwareHunterTeam last week, the [Files4463@tuta.io] and the [RestorFile@tutanota.com], with the second one being a bit more advanced with more debugging messages and the use of the cipher command to wipe free face.
Both new Matrix Ransomware variants are being installed through hacked Remote Desktop services by brute forcing the passwords. One the attackers gain access the installer is uploaded and executed. According to the report, both are being installed over hacked RDP, encrypt unmapped network shares, display status windows while encrypting, clear shadow volume copies, and encrypt the filenames.
According to the same report, the first variant, identified by the [Files4463@tuta.io] extension is less advanced and encrypts files as well as adds a ransom note named !ReadMe_To_Decrypt_Files!.rtf in each folder that is scanned. This same variant also changes the desktop background image.
The second variant, identified by its use of the [RestorFile@tutanota.com] extension, is a bit more advanced as it comes with better debugging messages and uses the cipher command to overwrite all free space on the computer after the encryption is done. It also encrypts and renames the files as well as drops a similar ransom note and changes the desktop background image. Since it uses the cipher.exe command to overwrite the free space on the C: drive, it prevents the victim to use the file recovery tools.
Unfortunately, both variants can’t be decrypted for free but there are certain ways to protect your system from these and other Matrix Ransomware variants. You have to be sure that Remote Desktop services are locked down correctly, and, as always, there is plenty of security software that can prevent such infections.
As always, backup is also an important step to protect from any attack, suspicious attachments should never be opened, and all security Windows updates should be installed.