New Matrix Ransomware Malvertising Campaign Detected

A new Matrix ransomware malvertising campaign has been detected. The campaign uses malicious adverts to direct users to a site hosting the Rig exploit kit. Flash and IE vulnerabilities are exploited to download the malicious file-encrypting payload. The new Matrix ransomware malvertising campaign was detected by security researcher Jérôme Segura.

Matrix ransomware is not a new threat, having first been detected in late 2016. The variant was used in campaigns at the start of the year, but as the year progressed its use declined. It has now returned in a new malvertising campaign that uses the Rig exploit kit to probe for two vulnerabilities for which patches have long been available: one in Internet Explorer – CVE-2016-0189 – and one in Flash Player – CVE-2015-8651.

If a user clicks on one of the malicious adverts used in this campaign and has not applied the patches for either of the above vulnerabilities, Matrix ransomware is silently downloaded onto their computer. Matrix ransomware uses RSA-2048 encryption to lock files, and at present there is no free decryptor available to recover files encrypted by Matrix ransomware. Any user infected with the ransomware faces permanent file loss if they do not have a viable backup, unless they agree to pay the ransom. Encrypted files have their file names scrambled and the .pyongyan001@yahoo.com extension appended.

Once infected, the user is shown a ransom note claiming that their files were encrypted because their computer was used to view pornographic images, images of child abuse, zoophilia, and child pornography. Users are given 96 hours to pay the ransom, and the attackers claim the demand will increase automatically every 6 hours.
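The one host-level indicator the article gives is the appended extension, which makes a simple triage scan possible. The following script is an added example (not code from the article or from the researcher's write-up): it walks a directory tree, returns every file carrying the Matrix extension, and tallies hits per directory so that an incident responder can see which folders need restoring from backup. The directory and file names it creates are constructed sample data, not real artifacts, and the scrambled-looking names are placeholders, since the article does not describe the renaming scheme.

```python
import os
import tempfile

# Extension the article reports Matrix ransomware appending to encrypted files.
MATRIX_EXTENSION = ".pyongyan001@yahoo.com"


def find_matrix_encrypted_files(root):
    """Walk `root` and return sorted paths of files ending with the Matrix extension.

    Matching is case-insensitive so a differently cased copy is not missed.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(MATRIX_EXTENSION):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def count_by_directory(hits, root):
    """Map each affected directory (relative to `root`) to its number of hits."""
    counts = {}
    for path in hits:
        rel_dir = os.path.relpath(os.path.dirname(path), root)
        counts[rel_dir] = counts.get(rel_dir, 0) + 1
    return counts


def build_sample_tree(base):
    """Create a constructed sample tree (hypothetical names, not real data):
    three 'encrypted' files and two untouched ones across two folders."""
    layout = {
        "Documents": ["report.docx", "x9QpL2" + MATRIX_EXTENSION, "Q7mZ" + MATRIX_EXTENSION],
        "Pictures": ["holiday.jpg", "a1B2c3" + MATRIX_EXTENSION],
    }
    for folder, names in layout.items():
        folder_path = os.path.join(base, folder)
        os.makedirs(folder_path, exist_ok=True)
        for name in names:
            with open(os.path.join(folder_path, name), "w") as fh:
                fh.write("placeholder content\n")


def demo():
    """Build the sample tree in a temporary directory, scan it, and return
    (relative paths of hits, per-directory counts)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        hits = find_matrix_encrypted_files(base)
        rel_paths = [os.path.relpath(h, base) for h in hits]
        counts = count_by_directory(hits, base)
    return rel_paths, counts


if __name__ == "__main__":
    found, per_dir = demo()
    for path in found:
        print("possible Matrix-encrypted file:", path)
    for folder, n in sorted(per_dir.items()):
        print(f"{folder}: {n} file(s) affected")
```

Run against a real mount point by replacing the temporary directory with the path to scan; the scan is read-only, so it is safe to run on a suspected host before deciding whether to restore from backup.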

Most ransomware attacks occur via email using malicious attachments and, increasingly, malicious URLs. The use of exploit kits to deliver ransomware has fallen considerably, dropping to around 10% of the number of attacks seen at the peak of EK activity in 2016. This latest campaign, along with others recently detected delivering other ransomware variants, shows that the threat from EK and malvertising attacks has certainly not gone away.

Fortunately, protecting against these attacks is straightforward. By ensuring computers are patched, users will be protected. In this case, the exploits being used are for vulnerabilities that were patched in 2016 and 2015. However, since exploits for newer vulnerabilities – and zero-day vulnerabilities – could easily be added to exploit kits, additional protections should be employed. A web filter is a valuable additional security protection that can block malvertising redirects and prevent users from visiting malicious sites.

To ensure recovery is possible after any ransomware infection, it is essential that viable backups of files exist and are stored securely. Multiple backups should be made, stored on at least two different media, with one copy kept securely off site.

Author: NetSec Editor