W32/Matrix.2FFD!tr.ransom

Analysis

W32/Matrix.2FFD!tr.ransom is a detection for the Matrix ransomware trojan.
Below are some of its observed characteristics/behaviours:

  • Different variants of this ransomware may drop different files from the following file(s) on the infected system (x is any alphanumeric character):
    • %CurrentPath%\xxxxxxxx.exe : This file is a copy of the original malware itself.
    • %Appdata%\xxxxxxxx.bmp : This picture file serves as a ransom note.
    • %Appdata%\xxxxxxxxxxxxxxxx.jpg : This picture file serves as a ransom note.
    • %Appdata%\xxxxxxxx.bat : This batch file contains commands to delete the Shadow Volume copies on the infected system in quiet mode. It also configures the system to ignore failures on future boots and disables automatic repair.
    • %Appdata%\xxxxxxxx.vbs : This VBS file creates a scheduled task that runs the %Appdata%\xxxxxxxx.bat file every five minutes.
    • %CurrentPath%\[UID].pek : This text file is a non-malicious data file.
    • %CurrentPath%\[UID].sek : This file is a non-malicious data file.
    • %CurrentPath%\ErrLog.txt : This text file records the errors for the files that the ransomware failed to encrypt.
    • %CurrentPath%\Keyids.txt : This text file contains the UID of the user.
    • %CurrentPath%\KEYIDS.KLST : This text file contains the UID of the user and the total number and size of the files on the user's system.
    • %CurrentPath%\bad_[UID].txt : This text file lists the files that the ransomware failed to encrypt.
    • %CurrentPath%\elog_[UID].txt : This text file records the errors for the files that the ransomware failed to encrypt.
    • %CurrentPath%\LFIN_[UID].txt : This text file summarises the encrypted files, the files that the ransomware failed to encrypt, and the total number of files. It also contains the identifier for the user.
    • %CurrentPath%\log.txt : This text file contains the identifier for the user and the total number of files on local drives.
    • %CurrentPath%\xxxxxxxx.bat : This batch file attempts to close all open handles of the file that the ransomware is about to encrypt. It first removes all attributes from the file, alters its permissions and takes ownership; it then closes the file's handles using a renamed copy of the Sysinternals handle.exe process.
    • %CurrentPath%\[Public_IP]_log.txt : This text file contains the user identifier. The malware runs a PowerShell command that connects to hxxps://myexternalip[.]com/raw to obtain the public IP address of the system.
    • [Readme_File] : This file is dropped across all drives of the affected host and serves as the ransom note. Different variants of this ransomware drop it under the following file names:
      • !ReadMe_To_Decrypt_Files!.rtf
      • T0_Rec0ver_Files_ReadME.rtf
      • #Decrypt_Files_ReadMe#.rtf
      • !README_KOK08!.rtf
      • !README_CHRB!rtf
      • #FOX_README#.rtf


  • This ransomware also changes the desktop background to a ransom note using %AppData%\xxxxxxxx.bmp or %Appdata%\xxxxxxxxxxxxxxxx.jpg.

  • Affected victims of this ransomware are directed by the attacker via the following contact e-mail addresses:

  • This ransomware connects to the following remote domains:
    • blushing-gasket[.]000webhostapp[.]com
    • murik[.]xyz
    • murikos[.]in
    • jostat[.]mygoodsday[.]org
    • tstat[.]mygoodsday[.]com
    • fredstat[.]000webhostapp[.]com

  • Files affected by this ransomware are renamed using the file-naming formats given below, where X is any alphanumeric character:
    • XXXXXXXX-XXXXXXXX.[RestorFile@tutanota.com]
    • XXXXXXXX-XXXXXXXX.[RestoreFile@qq.com]
    • XXXXXXXX-XXXXXXXX.[oken@tutanota.com]
    • XXXXXXXX-XXXXXXXX.[Yourencrypt@tutanota.com]
    • XXXXXXXX-XXXXXXXX.[Files4463@tuta.io]
    • [KOK08@QQ.COM].XXXXXXXX-XXXXXXXX.KOK08
    • [RecoveryData1@cock.li].XXXXXXXX-XXXXXXXX.CHRB
    • [PabFox@protonmail.com].XXXXXXXX-XXXXXXXX.FOX

  • Most variants of this ransomware open two command windows when run. One command window shows the status of the encryption process, while the other shows information related to the network share scan. The malware may attempt to connect to shared drives within the same internal network; it does this by searching for remote workstations on that network with an incremental ARP scan over a range of networks.

  • This ransomware may also send the computer name, user name and encryption status to its C&C server, as shown in Figure 4.

  • Some variants of this ransomware were also observed to affect/encrypt files located on shared drives within the same subnet.

  • This malware may apply any of the following registry modification(s):
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      • README = wordpad.exe ![Readme_File]
      This automatically opens the dropped ransom note every time the infected user logs on.
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      • README = wordpad.exe ![Readme_File]
      This registry entry is an autostart location that Windows processes on every restart of the host machine.
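As an added defender-side example (not part of this Fortinet entry), the following Python script matches file names against the encrypted-file naming formats listed above and checks exported Run-key values for the wordpad.exe ![Readme_File] persistence entry; the sample file names and Run-key data are constructed for illustration and are not taken from the page.

```python
import re

# Encrypted-file naming formats listed above (X = any alphanumeric character):
#   XXXXXXXX-XXXXXXXX.[contact@address]        suffix form
#   [contact@address].XXXXXXXX-XXXXXXXX.EXT    prefix form (KOK08, CHRB, FOX)
_SUFFIX_FORM = re.compile(r"^[A-Za-z0-9]{8}-[A-Za-z0-9]{8}\.\[([^\]\s]+@[^\]\s]+)\]$")
_PREFIX_FORM = re.compile(r"^\[([^\]\s]+@[^\]\s]+)\]\.[A-Za-z0-9]{8}-[A-Za-z0-9]{8}\.([A-Za-z0-9]+)$")
# Run-key persistence value described above: README = wordpad.exe ![Readme_File]
_RUN_VALUE = re.compile(r"^wordpad\.exe\s+!.+\.rtf$", re.IGNORECASE)

def classify_filename(name):
    """Return (form, contact_address, extension) for a Matrix-style name, else None."""
    m = _SUFFIX_FORM.match(name)
    if m:
        return ("suffix", m.group(1), None)
    m = _PREFIX_FORM.match(name)
    if m:
        return ("prefix", m.group(1), m.group(2))
    return None

def suspicious_run_entries(run_values):
    """Given {value_name: data} exported from a Run key, return the value names matching the pattern."""
    return [n for n, d in run_values.items() if _RUN_VALUE.match(d.strip())]

def hunt(files, run_values):
    """Group matching file names by contact address and report Run-key persistence hits."""
    by_contact = {}
    for f in files:
        c = classify_filename(f)
        if c:
            by_contact.setdefault(c[1], []).append(f)
    return {"encrypted": by_contact, "persistence": suspicious_run_entries(run_values)}

# Constructed sample input (not taken from the page): a directory listing and a Run-key dump.
SAMPLE_FILES = [
    "report.docx",
    "A1b2C3d4-E5f6G7h8.[RestorFile@tutanota.com]",
    "[KOK08@QQ.COM].Qw3rTyUi-0pAsDfGh.KOK08",
    "[PabFox@protonmail.com].Zx9cVbNm-LkJhGfDs.FOX",
    "notes-backup.[RestorFile@tutanota.com]",  # stem is not 8-8 alphanumerics: no match
]
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "README": "wordpad.exe !ReadMe_To_Decrypt_Files!.rtf",
}

if __name__ == "__main__":
    print(hunt(SAMPLE_FILES, SAMPLE_RUN))
```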

  • Below is an illustration of the ransomware's effects:
    • Figure 1: CMD display of the ransomware.
    • Figure 2: %Appdata%\xxxxxxxx.bmp.
    • Figure 3: Ransom notes.
    • Figure 4: Network traffic.
    • Figure 5: %Appdata%\xxxxxxxx.bat file.
    • Figure 6: %Appdata%\xxxxxxxx.vbs file.
    • Figure 7: %CurrentPath%\xxxxxxxx.bat file.
    • Figure 8: %CurrentPath%\bad_[UID].txt file.
    • Figure 9: %CurrentPath%\elog_[UID].txt file.
    • Figure 10: %CurrentPath%\LFIN_[UID].txt file.
    • Figure 11: %CurrentPath%\Keyids.txt file.
    • Figure 12: Ransom notes file.
    • Figure 13: Ransom notes file.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2020-10-23 81.30100 Sig Updated
2019-05-03 68.25100 Sig Updated
2019-05-03 68.24700 Sig Updated
2019-02-26 66.67500 Sig Updated
2019-02-22 66.57700 Sig Updated
2019-02-22 66.57500 Sig Updated
2019-02-22 66.57400 Sig Updated