Matrix Ransomware variant called Fox searches for open IPs, renames encrypted files

(Image from Pixabay)

A security researcher MalwareHunterTeam discovered a new variant of Matrix Ransomware that can rename encrypted files, according to the report by BleepingComputer.

Computers running Remote Desktop Services (RDP) and are “openly connected to the internet” are susceptible to this newly detected ransomware. Attackers will sneak into any RDP services after going through open IP addresses. Once they have access to the computer, they will manually install the ransomware that displays various console windows that show the progress of the encryption of the computer.

BleepingComputer describes this new Matrix Ransomware as “chatty” because it uses a lot of Command and Control Server that is also used to track “the various stages of the encryption process.”

While it looks easy on paper, BleepingComputer says that deploying this ransomware could be “the most exhaustive process” because it has to ensure that files cannot be opened for encrypting. This exhaustive process is also its weakness because the encryption process is slow, “it could be easier to detect.”

The ransomware is manually installed and the encryption process of the computer can be tracked through console windows, which are used to monitor the encryption process and to see which network addresses are open.

Batch file

The attackers will deploy a full-scale batch file and will scrupulously “close all open file handles of the file it is about to encrypt. It does this by first removing all attributes from the files, changing permissions, taking ownership, and finally using a renamed version of the Handle.exe program from Sysinternals to close all open handles to the file,” the BleepingComputer reports.

The ransomware will then clean up the computer and disable its repair features, that would prevent the victim from accessing the files.

At the end of the encryption process, a random named .vbs file in the %AppData% folder will be launched that is used to register a scheduled task named DSHCA. This scheduled task is used to run a batch file with administrative privileges that will perform a cleanup of the computer and to disable various repair features.

Ransom note

It is described as exhaustive for nothing because each folder will have a ransom note that carries #FOX_README#.rtf where the victim will find the steps on how to, well, pay the ransom for the files. Fox Ransomware cannot be decrypted for free.

“The emails listed in this ransom note are,, and It also contains a Bitmessage id to contact for information as well.”

BleepingComputer offers steps on how victims can protect their files from Fox Ransomware.