Ransomware Has a Swiss Army Knife Called Matrix

Matrix is elevating ransomware to a new level of sophistication.

According to a Sophos report, the malware has been operating since 2016 with 96 samples “in the wild.”

Like earlier targeted ransomware such as BitPaymer, Dharma and SamSam, it infects computers by using the Remote Desktop Protocol (RDP) to access enterprise networks.

However, this is where the similarities end.

Unlike its peers, Matrix targets a single machine on the network and does not propagate through an organization, making it difficult to detect patterns or identify suspicious victim behavior.  

SophosLabs was able to discover Matrix by reverse engineering the code, techniques and ransom notes. It noted that Matrix users evolved their "attack parameters over time," adding new files and scripts for different tasks and payloads.

According to the report, Matrix ransom notes are embedded in the attack code, “but victims don't know how much they must pay until they contact the attackers.” 

Like other ransomware, Matrix demands its ransom in cryptocurrency. Unlike the rest, however, the demand is stated as a U.S. dollar equivalent, which Sophos sees as unusual because cryptocurrency demands normally specify an amount in the cryptocurrency itself, not its dollar equivalent.

According to a press announcement, Sophos noted that “it's unclear whether the ransom demand is a deliberate attempt at misdirection, or just an attempt to surf wildly fluctuating cryptocurrency exchange rates.”

Sophos sees Matrix as the Swiss Army Knife of the ransomware world, “with newer variants able to scan and find potential computer victims once inserted into the network.”

Sample volumes are still small, but newer versions are coming online as attackers build on lessons learned from each attack.