Recently, the Sangfor security team has been tracking a new variant of the Matrix ransomware. As of now, networks in government sectors have been infected by this variant. It uses the RSA and AES algorithms to encrypt the majority of files into PRCP files and demands a ransom. There is currently no way to decrypt the files.

The ransomware variant spreads through RDP brute-force attacks, scans internal hosts, encrypts shared files and displays a ransom note, as shown in the following figure:

Sangfor has obtained all of the related virus samples and worked out the solutions.

Sample Analysis

The variant is written in Delphi and stores its encrypted data in the program's resource directory. When it starts, it attempts to open the mutex MutexPRCP to ensure that only one instance runs; if the mutex cannot be opened, it creates a new one.

Obtaining information and uploading it to the C&C server:
The PRCP variant of the Matrix ransomware collects information such as the current system language, hostname and username, and concatenates the strings in memory:

It decrypts the C&C server address in memory, as shown below:

It sends the host information to the C&C server address (prcp.mygoodsday.org) and records the result, as shown below:

It scans the disk information, displays it in the output window and uploads it to the C&C server again.

Generating a key and deleting system backups
The PRCP variant of the Matrix ransomware generates the corresponding key using its built-in RSA keys, as shown below:

Then a .bat file is generated and the disk volume shadow copies are deleted, so that victims cannot restore data from backups, as shown below:

The variant also generates a VBS script, which is called by the above-mentioned BAT script.

Scanning the local area network and encrypting network shares:
The variant generates a randomly named backup file, executes it with parameters and then scans the local area network, as shown below:

Scanning internal network shares, as shown below:
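As an added defender-side example (not code from the original post or from Sangfor), the following Python flags the two observable stages described above: a burst of failed RDP logons from one source, followed by an internal host resolving the C&C domain. The pipe-delimited log format and the sample lines are constructed for this example; the 4625/4624 event IDs and logon type 10 are the standard Windows values for failed/successful logons and RemoteInteractive (RDP) sessions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

C2_DOMAIN = "prcp.mygoodsday.org"   # C&C address named in the analysis above
RDP_LOGON_TYPE = "10"               # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample log, not real data. Fields: time|event|logon_type|src_ip|detail
# For 4625/4624 'detail' is the account tried; for 'dns' it is the queried name.
SAMPLE_LOG = """\
2022-05-01T10:00:01|4625|10|198.51.100.7|administrator
2022-05-01T10:00:02|4625|10|198.51.100.7|admin
2022-05-01T10:00:03|4625|10|198.51.100.7|user
2022-05-01T10:00:04|4625|10|198.51.100.7|backup
2022-05-01T10:00:05|4625|10|198.51.100.7|test
2022-05-01T10:00:09|4624|10|198.51.100.7|administrator
2022-05-01T10:05:00|dns|-|10.0.0.5|prcp.mygoodsday.org
2022-05-01T11:00:00|4625|10|203.0.113.9|bob
2022-05-01T12:00:00|4625|10|203.0.113.9|bob
"""


def parse(log):
    """Yield (timestamp, event, logon_type, src_ip, detail) per line."""
    for line in log.strip().splitlines():
        ts, event, ltype, src, detail = line.split("|")
        yield datetime.fromisoformat(ts), event, ltype, src, detail


def detect_rdp_bruteforce(log, threshold=5, window=timedelta(minutes=1)):
    """Return source IPs with at least `threshold` failed RDP logons
    inside any sliding `window`. Slow, spread-out failures are ignored."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()
    for ts, event, ltype, src, _ in parse(log):
        if event != "4625" or ltype != RDP_LOGON_TYPE:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def detect_c2_beacon(log):
    """Return internal hosts that resolved the C&C domain from the analysis."""
    return {src for _, event, _, src, detail in parse(log)
            if event == "dns" and detail.lower() == C2_DOMAIN}
```

A successful 4624 logon from a source already flagged by `detect_rdp_bruteforce` (as in the sample) is the point at which a host should be isolated, since the analysis shows share encryption follows the RDP foothold.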