A report published by the U.K.-based cybersecurity firm Sophos has shed more light on Matrix, a ransomware strain that continues to evolve since it was first seen in 2016. Sophos says that the growth of the virus has reached dangerous levels after years of mutations and incremental updates.
Matrix has been known to leverage a RIG tool kit to infect as many computers as possible. However, as of 2018, the ransomware was reported to spread attacks on specific high-value targets, often via remote desktop protocols (RDP) endpoints for Windows computers.
Sophos has tracked 96 samples in the wild as of this writing. Similar to previous targeted ransomware such as BitPaymer, SamSam, and Dharma, the attackers who have been illegally using the malware to infect computers have been targeting enterprise networks. Unlike other ransomware viruses, Matrix only needs to infect one machine in a network rather than spreading through an organization.
“While the malware has been under continuous development and improvement while we have been monitoring it, the authors or operators of this malware do not appear to behave as professionally as, by comparison, the SamSam gang. They have made frequent mistakes along the way, some of which have been corrected, and other features implemented then abandoned. They do not always employ adequate operational security, which might be the cause of their eventual undoing.” said Luca Nagy of the Sophos Labs team.
Sophos further notes that Matrix’s ransom demands are hidden in the code, as victims hardly know how much they must pay until they liaise with intruders. Also, similar to other attacks, Matrix makes demands for cryptocurrency ransom in the form of US$ value equivalent.
“Matrix is very much the Swiss Army Knife of the ransomware world, with newer variants able to scan and find potential computer victims once inserted into the network. While sample volumes are small, that doesn’t make it any less dangerous; Matrix is evolving, and newer versions are appearing as the attacker are improving on lessons learned from each attack,” reads a statement from Sophos.
Recommendations
Sophos suggests that remote access apps such as RDP should not be used unless it is absolutely necessary. Secondly, Sophos is advising organizations to perform complete and regular vulnerability scans and penetration tests across a network. Also, multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN should be enforced. Lastly, Sophos advises firms to create offline and offsite backups, as well as develop disaster recovery plans to recover and restore data.
