Matrix Ransomware Campaign Detected by Security Researcher

A new Matrix ransomware malvertising campaign has been detected by security researcher Jérôme Segura. The campaign employs malicious adverts to send users to a site hosting the Rig exploit kit. Flash and IE weaknesses are exploited to install the malicious file-encrypting payload.

Matrix ransomware is not a new threat, having first been seen in late 2016. The variant was used in campaigns at the beginning of the year, although as the year went on, use of Matrix ransomware became limited. However, the threat has returned with a new malvertising campaign that uses the Rig exploit kit to probe for two known vulnerabilities: one in Internet Explorer – CVE-2016-0189 – and one in Flash Player – CVE-2015-8651.

If a user clicks on one of the malicious adverts used in this ransomware campaign, and they have not applied the patches that address either of the above vulnerabilities, Matrix ransomware will be silently installed on their computer. Matrix ransomware uses RSA-2048 encryption to lock files, and currently there is no free decryptor available to recover files encrypted by Matrix ransomware. Any user infected with the ransomware could experience permanent file loss if they do not have a viable backup, unless they are willing to pay the ransom. Encrypted files have their file names scrambled and the .pyongyan001@yahoo.com extension added.
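The appended extension is the one host-side indicator the article gives, and because the original file names are scrambled it is the only reliable thing to match on. The following Python script is an added example, not code from the article or from any vendor; it walks a directory tree, lists files carrying the Matrix extension, and reports what share of files are affected so that a single oddly named file is not mistaken for an active encryption run. The `build_sample_tree` helper creates a small constructed directory so the check can be run offline.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Extension appended to encrypted files by this Matrix variant (from the article).
MATRIX_EXTENSION = ".pyongyan001@yahoo.com"


def find_matrix_encrypted_files(root: str, extension: str = MATRIX_EXTENSION) -> List[Path]:
    """Return every file under `root` whose name ends with the Matrix extension.

    Matching is case-insensitive on the suffix only: Matrix scrambles the original
    file name, so nothing else about the name is predictable.
    """
    hits: List[Path] = []
    suffix = extension.lower()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(suffix):
                hits.append(Path(dirpath) / name)
    return hits


def infection_ratio(root: str, extension: str = MATRIX_EXTENSION) -> float:
    """Fraction (0.0 to 1.0) of files under `root` that carry the extension.

    A high ratio across a user's documents points to an active encryption run;
    a single hit is worth investigating but may be a stray renamed file.
    """
    total = 0
    affected = 0
    suffix = extension.lower()
    for _dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            total += 1
            if name.lower().endswith(suffix):
                affected += 1
    return affected / total if total else 0.0


def build_sample_tree() -> str:
    """Create a constructed sample directory (test data, not a real infection).

    Three clean files and two files mimicking Matrix output are written under a
    fresh temporary directory; the directory path is returned.
    """
    base = tempfile.mkdtemp(prefix="matrix-scan-sample-")
    docs = Path(base) / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx").write_bytes(b"clean spreadsheet")
    (docs / "notes.txt").write_bytes(b"clean notes")
    (Path(base) / "readme.md").write_bytes(b"clean readme")
    # Scrambled names with the Matrix extension appended (constructed values).
    (docs / ("x9Qk2LmZ" + MATRIX_EXTENSION)).write_bytes(b"\x00" * 64)
    (Path(base) / ("Ab7TzP1r" + MATRIX_EXTENSION.upper())).write_bytes(b"\x00" * 64)
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    hits = find_matrix_encrypted_files(root)
    print(f"Scanned {root}")
    for path in hits:
        print(f"  encrypted: {path}")
    print(f"  affected share: {infection_ratio(root):.0%}")
```

Point the script at a user's profile or a file share to triage a suspected infection; on a clean system it returns an empty list and a ratio of 0.0.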

Infection will see a ransom note displayed which advises the user that their files have been encrypted because their computer was used to view pornographic images, images of child abuse, zoophilia, and child pornography. Users are given a period of 96 hours to pay the ransom demand, although the hackers claim the ransom will be increased automatically every 6 hours.

Most ransomware attacks are launched via email using malicious attachments and, increasingly, malicious URLs. The use of exploit kits to deliver ransomware has fallen significantly, dropping to around 10% of the number of attacks witnessed at the peak of EK activity in 2016. This most recent campaign, and others recently seen delivering other ransomware variants, show that the danger of EK and malvertising attacks has certainly not disappeared.

Fortunately, safeguarding against these attacks is relatively simple: keeping computers patched protects users. In this instance, the exploits being used are for vulnerabilities that were patched in 2016 and 2015. However, since exploits for newer vulnerabilities – and zero-day vulnerabilities – could simply be added to exploit kits, additional protections should be implemented. A web filter is an important additional security protection that can block malvertising redirects and stop users from reaching malicious sites.

To ensure recovery is possible from any ransomware infection, it is vital to make sure viable backups of files exist and are stored safely. Multiple backups of files should be made, and those backups should be kept on at least two different media, with one backup copy kept safely off site.

Author: Defensorum