In its 2019 Threat Report, Sophos predicted a rise in targeted ransomware attacks. According to new research, Matrix, a copycat targeted ransomware that is flying under the radar, is one such threat that has been observed targeting single machines.
The recent ransomware report, published by SophosLabs, identifies brute-force attacks on weak remote desktop protocols (RDP) as the common thread between various strains of targeted ransomware, including Matrix, BitPaymer, Dharma, SamSam and Ryuk.
Matrix doesn't spread through an organization like SamSam, however. “The attackers’ ransom demands are not embedded within the ransom note. Atypically, the threat actors require victims to contact them first, and submit some of the encrypted files from the victim’s computer, and only then provide the victims with a Bitcoin address and the ransom amount,” the report said.
Though not as sophisticated as more popular attacks, Matrix comes equipped with additional tools that help it to carry out its attack.
“The malware executable bundles within itself several payload executables it needs to accomplish its tasks. It uses RDP within the networks it has infected once it has gained a foothold inside the network. Among the embedded components are some free, legitimate systems administrator tools the malware uses to achieve some of its goals,” the report said.
Interestingly, the malware authors seem to lack a level of professionalism notable in other malware authors, such as those who penned SamSam. With Matrix, researchers have seen several changes and mistakes during their monitoring of 96 samples of the malware. In some cases, the authors completely abandoned features that they had experimented with.
Also, the malware doesn’t seem to have a particular geographical distinction. “The country where the most customers encountered the malware was the United States (27.7% of Matrix detections came from the U.S.), followed by Belgium (16.7% of the detections),” the report said, but it has also been detected on machines in Taiwan, Singapore, Germany, Brazil, Chile, South Africa, Canada, and the UK.
The researchers reportedly played the role of a victim and contacted the malicious actors who demanded they pay that day's value of a Bitcoin and refrain from asking "stupid questions." However, "the authors' initial sassy attitude eventually morphed to a kind of desperation, as they continued to email us and dropped their ransom demand by nearly a third after we stopped responding to their messages."