Malwarebytes security researcher Jérôme Segura discovered the malware which was first released in late 2016, the researcher tweeted.
The ransomware had all but disappeared from the threat landscape but appears to have resurfaced. Matrix is able to spread outside of the originally infected machine via Windows shortcuts and uploads back to the C2 server stats about the types of files that are encrypted. The malware also issues updates to inform its server how far along in the process it is.
Segura said the ransomware is being installed through exploit kits which target vulnerabilities in Internet Explorer (CVE-2016-0189) and Flash (CVE-2015-8651).
Both vulnerabilities have since been patched in recent Windows and Flash updates. Matrix ransomware scramble's file names and attaches the .email@example.com extension to the encrypted files name. The malware also leaves notes labeled #_#WhatWrongWithMyFiles#_#.rtf in files that have been encrypted.
Users should ensure they always backup their files, not open malicious attachments, ensure all their systems are up to date, use strong passwords, and use some type of security software to prevent infections.
Malvertising attacks are easier to carry out than some IT/security professionals may realise. This should prompt more organisations to embrace security-by-design and continuously monitor websites and mobile apps in order to know the moment it is compromised, Chris Olson, CEO of The Media Trust said.
“The process to deliver customised, browser-rendered content - use of behaviour profiles to recommend user-specific content - is the same one leveraged by bad actors to target their campaigns,” Olson said. “And, traditional security tools - blacklists, whitelists, generic threat intelligence, AVs, web filters and firewalls - are proving to be inadequate defences.”
He added that the internet is a complex, highly-dynamic environment that requires a specialised approach to secure it.