A little-seen, low-key ransomware dubbed Matrix has the potential to disrupt networks on a wide scale, security specialist Sophos warned in a new research report.
So far Sophos has examined fewer than 100 Matrix samples, but it’s clear the authors are correcting their early development mistakes and steadily improving the malware, Sophos said. More to the point, Matrix seeks to plant itself inside networks, a tactic also used by SamSam, the ransomware used to extort millions from some 70 companies worldwide last year and disable networks in four American cities.
Matrix is delivered by a brute-force attack against the passwords for Windows machines accessible through a firewall that have the Remote Desktop Protocol (RDP) enabled, said Luca Nagy, a Sophos threat researcher who authored the report. At this point, the malware’s operators aren’t as professional as SamSam’s masterminds (last November, the U.S. Justice Department charged two Iranian nationals as SamSam’s architects), but that may be temporary. Even in the short time the security specialist has monitored the ransomware, its operatives have deleted old features and added new functionality.
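As an added illustration of the defender's side of the RDP brute-force entry point described above (this is not code from the Sophos report), the check below scans a constructed sample of Windows Security log exports for failed RemoteInteractive logons (event 4625, logon type 10) and flags source addresses that exceed a threshold within a time window, also noting when a successful logon (4624) from the same address follows the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log exports, one event per line:
# "<ISO timestamp>,<EventID>,<LogonType>,<source IP>,<target user>".
# Event 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_LOG = """\
2019-01-15T02:00:01,4625,10,203.0.113.7,administrator
2019-01-15T02:00:04,4625,10,203.0.113.7,admin
2019-01-15T02:00:08,4625,10,203.0.113.7,backup
2019-01-15T02:00:12,4625,10,203.0.113.7,administrator
2019-01-15T02:00:15,4625,10,203.0.113.7,sysadmin
2019-01-15T02:00:19,4624,10,203.0.113.7,administrator
2019-01-15T09:14:00,4625,10,198.51.100.20,jsmith
2019-01-15T09:14:30,4624,10,198.51.100.20,jsmith
2019-01-15T09:20:00,4625,2,10.0.0.5,jdoe
"""

def parse_events(text):
    """Parse the export into (timestamp, event_id, logon_type, ip, user) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, ip, user = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), ip, user))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures", "users", "success_after"}} for sources whose
    failed RDP logons reach `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of failed RDP logons in the window
    users = defaultdict(set)      # ip -> account names tried
    alerts = {}
    for ts, event_id, logon_type, ip, user in sorted(events):
        if logon_type != 10:
            continue              # only RemoteInteractive (RDP) logons matter here
        if event_id == 4625:
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while q and ts - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["users"] = set(users[ip])
        elif event_id == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True   # burst followed by a valid logon
    return alerts
```

A successful logon after a flagged burst is the case to escalate first, since it suggests the password guessing worked.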
For example, recent versions of the ransomware won’t fully execute if the target machine’s language settings are configured for Russian or other eastern European countries. And in some samples, the malware tried to disable Sophos antivirus and exploit-prevention technology.
“We have been continuously seeing newer versions, which indicates that the ransomware developers are actively building newer features and improving upon the lessons learned in earlier attacks,” said Nagy. Nevertheless, Matrix’s authors “do not always employ adequate operational security, which might be the cause of their eventual undoing.”
So far, the attackers have hit the U.S. (28%) more often than any other region, according to Sophos’ data. Matrix has also been found elsewhere in the Americas, in a few European countries, South Africa and Southeast Asia.
“While SamSam played for notoriety and large stakes, Matrix has been far more low key,” wrote Sophos principal researcher Andrew Brandt in a blog post, describing the ransomware code as a “rough first draft.” But that doesn’t mean it’s not dangerous, he said. “Unlike its more high-profile brethren, Matrix has not adopted techniques that would permit it to spread widely inside networks, where machines vulnerable to wormable exploits might be running. But the constant level of improvement indicates that may not remain the case forever,” said Brandt.