Two New Variants of Matrix Ransomware are Spreaded through Hacked Remote Desktop Services

Necurs Botnet

Researchers discovered two new variants of Matrix ransomware which are being installed through hacked Remote Desktop Services.

According to MalwareHunterTeam both, the variants are currently distributed by brute forcing passwords remote desktop services which are directly connected to the internet.

The first variant which identified by the [] extension is less advanced when compared to other one. While running this variant will open two windows showing the status of encryption and network share scanning at the same time.

After encryption, the files will be appended with a [] extension to it. A ransom note named !ReadMe_To_Decrypt_Files!.rtf  will be added to each folder.

The ransom note contains details of the encryption and victims are asked to contact the following email address,, and to pay the ransom amount and restore their files.

In the ransom note, it is also mentioned that victims are allowed to send three files for free decryption. The variant also changes desktop background image to the below image:

The second variant is identified by the [] extension is more advanced than the first variant. This variant uses more debugging messages and uses the cipher to wipe free space.

Although the operation is similar to the previous one, it uses the different contact email address, extensions and ransom note.

In this variant, files are encrypted and appended with a [] extension to it, and a ransom note named #Decrypt_Files_ReadMe#.rtf  are added to each folder.

The contact email address for making the ransom payment and restore the files for this variant are,, and

After encryption, this variant will execute a “cipher.exe /w:c” command to overwrite all the free space on C drive to avoid victim from installing fire recovering tool to recover the files.

In this variant also the desktop background image is changed to the below image:

How to prevent yourself from the Matrix Ransomware:

  • Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline
  • Maintain updated Antivirus software for all systems
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited email, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through the browser.
  • Keep the operating system and third-party applications (MS office, flash player, browsers, browser Plugins) up-to-date with the latest patches



Please rate this content