Matrix has slowly evolved into a 'Swiss Army knife' of the ransomware world

The Matrix ransomware is usually deployed after cyber-criminals use unsecured RDP endpoints to compromise companies' internal networks.

Matrix, a ransomware strain first seen in late 2016, has evolved into a dangerous threat after years of slow and incremental updates and has been recently characterized as a "Swiss Army knife" in a report published today by UK-based cyber-security firm Sophos.

While initially, the Matrix authors used the RIG exploit kit to mass-distribute their ransomware in its early days, in 2016 and 2017, since early 2018, the ransomware has been exclusively spread in attacks against carefully selected high-value targets, usually by taking advantage of unprotected RDP (Remote Desktop Protocol) endpoints.

In this, the Matrix gang followed a trend in the ransomware world, where email or exploit kit-based mass distribution campaigns have died off in 2018, giving in to operations that preferred to go after individual targets in solitary attacks exploiting RDP.

In other words, Matrix is now in the same category of ransomware strains, such as the more famous SamSam, BitPaymer, and Ryuk --using hacked RDP endpoints to enter companies' networks and infect as many PCs as possible before asking for huge ransom demands.

The difference is that Matrix has not been deployed or infected the same amount of victims as the aforementioned; this being one of the reasons very few know about it, except the small circle of malware analysts.

Throughout the past few years, Sophos says it detected only 96 samples of Matrix ransomware in the wild, the ransomware receiving constant tweaks and upgrades as time went by.

"While the malware has been under continuous development and improvement while we have been monitoring it, the authors or operators of this malware do not appear to behave as professionally as, by comparison, the SamSam gang," said Luca Nagy of the Sophos Labs team.

"They have made frequent mistakes along the way, some of which have been corrected, and other features implemented then abandoned," Nagy said. "They do not always employ adequate operational security, which might be the cause of their eventual undoing."

However, even as sloppy as the Matrix devs might be, they have slowly built a pretty feature-rich ransomware strain.

"Newer variants of Matrix contain their own ability to scan the local network where they find themselves," Nagy said. "These self-contained 'Swiss Army knife' ransomware executables can use this functionality to find other potential victim computers [on the local network]."

Once the Matrix gang has infected and encrypted files on all the computers it could, the normal modus operandi is to leave a ransom note with an email address behind where victims can reach out and negotiate the ransom fee. According to Sophos, the normal ransom price is usually around $3,500, paid in Bitcoin, but sums can go up if victims show signs of being desperate to recover files.

While in the previous years, law enforcement in the US and UK have warned private companies and government entities about threats like SamSam, BitPaymer, and Ryuk through emergency security alerts, there hasn't been any FBI, DHS, or NCSC alerts about Matrix.

According to Sophos, this is because Matrix has not focused primarily on the US and UK, like other RDP-focused ransomware gangs, but has infected victims all over the globe, taking whatever it could find.

Sophos says it detected Matrix infections in the US (27.7 percent), Belgium (16.7 percent), Taiwan, Singapore, Germany, Brazil, Chile, South Africa, Canada, and the UK.

Just like most ransomware strains, Matrix also avoids infecting computers that use languages spoken in the former Soviet space. This suggests that the ransomware gang is either located in one of these countries, or they're renting Matrix on Russian-speaking hacking forums, which mandate that malware sold on their platform not infect Russian users.

Seeing that Sophos has mentioned that the Matrix gang has made several operational security (OpSec) mistakes in past variants, we might still see the day when this group is charged and may be brought to justice.

All in all, Matrix has slowly chugged along from a lowly and poorly developed ransomware strain to one of the biggest threats on the ransomware scene today, together with SamSam, BitPaymer, Ryuk, Dharma, and GandCrab.

More ransomware coverage: