Security firm Sophos said it was able to track 96 samples from malware that has been operating since 2016 and comes from the Matrix ransomware family. The ransomware is infecting computers using Remote Desktop Protocol (RDP), a built-in remote access tool for Windows computers similar to the likes of BitPaymer, Dharma, and SamSam.
What sets it apart from those ransomware families is that, in Sophos's words, “Matrix only targets a single machine on the network, rather than spreading widely through an organization.”
SophosLabs analyzed the ransomware by reverse engineering the evolving code and the techniques the attackers have employed, such as deploying different tasks and payloads onto the network using new files and scripts.
“Matrix ransom notes are embedded in the attack code, but victims don’t know how much they must pay until they contact the attackers,” Sophos explained in its media release. “For most of Matrix’s existence, the authors used a cryptographically protected anonymous instant messaging service, called bitmsg.me, but that service has now been discontinued and the authors have reverted to using normal email accounts.”
The firm also said the threat actors demand a cryptocurrency ransom expressed as a US dollar equivalent. It finds this “unusual” because, as the firm notes, ransom demands are normally stated as a specific amount of cryptocurrency, not as a dollar equivalent.
Sophos researchers suspect that the demand is either a deliberate attempt at misdirection or simply an attempt to ride out wildly fluctuating cryptocurrency exchange rates.
Based on the communications SophosLabs had with the attackers, ransom demands were for $2,500, but the attackers eventually reduced the ransom when researchers stopped responding to demands.
Matrix constantly appears in new variants that can scan for and find victims once it has penetrated a network. The firm warns that the sample volumes it discovered may be significantly smaller than in its previous research, but “that doesn’t make it any less dangerous; Matrix is evolving and newer versions are appearing as the attackers are improving on lessons learned from each attack.”
This discovery is in line with the Sophos 2018 Threat Report, which predicts that targeted ransomware will remain alive and kicking and will continue to drive attacker behavior, so organizations should be more vigilant and work to ensure they are not an easy target.
Sophos recommends implementing the following four security measures immediately:
- Restrict access to remote control applications such as Remote Desktop (RDP) and VNC
- Complete regular vulnerability scans and penetration tests across the network; if you haven’t followed through on recent pen-testing reports, do it now. If you don’t heed the advice of your pentesters, the cybercriminals will win
- Multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN
- Create back-ups that are offline and offsite, and develop a disaster recovery plan that covers the restoration of data and systems for whole organizations, all at once
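Beyond restricting RDP, defenders will also want to detect the logon pattern behind RDP-based intrusions like the one described above. The following Python snippet is an added example, not Sophos's code or anything from its report: it flags a burst of failed Remote Desktop logons from one source followed by a success from the same source, using the Windows Security log conventions of event 4625 (failure), event 4624 (success) and logon type 10 (RemoteInteractive); the event records and threshold are constructed for illustration.

```python
"""Flag RDP logon patterns consistent with RDP-based ransomware intrusions:
a burst of failed Remote Desktop logons (Windows Security event 4625,
LogonType 10) from one source address followed by a successful logon
(event 4624, LogonType 10) from the same address.
The event records below are constructed sample data, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event id, logon type, account, source IP).
SAMPLE_EVENTS = [
    ("2018-11-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-11-01T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2018-11-01T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2018-11-01T02:00:07", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-11-01T02:00:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-11-01T02:00:40", 4624, 10, "administrator", "203.0.113.7"),
    ("2018-11-01T08:14:30", 4625, 10, "jsmith", "10.0.0.25"),   # one typo, then success
    ("2018-11-01T08:15:00", 4624, 10, "jsmith", "10.0.0.25"),
    ("2018-11-01T09:00:00", 4625, 2, "svc", "10.0.0.30"),       # not RDP: ignored
]

RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (Remote Desktop)


def find_rdp_bruteforce_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, success_time) for every RDP success that was
    preceded by at least `threshold` RDP failures from the same source inside `window`.
    `threshold` and `window` are assumed tuning values, not values from the report."""
    failures = defaultdict(list)  # source ip -> timestamps of failed RDP logons
    hits = []
    for ts, event_id, logon_type, account, src in sorted(events, key=lambda e: e[0]):
        if logon_type != RDP_LOGON_TYPE:
            continue  # only Remote Desktop logons matter for this pattern
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(when)
        elif event_id == 4624:
            recent = [t for t in failures[src] if when - t <= window]
            if len(recent) >= threshold:
                hits.append((src, account, ts))
    return hits


if __name__ == "__main__":
    for src, account, ts in find_rdp_bruteforce_successes(SAMPLE_EVENTS):
        print(f"possible RDP compromise: {account} from {src} at {ts}")
```

In production the tuple list would be replaced by parsed Security log exports, and a hit on a single machine is exactly the case this family targets, so it warrants isolating that host before encryption starts.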