Recently, the Sangfor security team has been tracking a new variant of the Matrix ransomware. As of now, networks in government sectors have been infected by this variant. The new variant uses the RSA and AES algorithms to encrypt the majority of files into PRCP files and demands a ransom. There is currently no way to decrypt the files.

The ransomware variant spreads through RDP brute-force attacks, scans internal hosts, encrypts shared files and displays ransom notes, as shown in the following figure:

Sangfor has acquired all the related virus samples and figured out the solutions.

Sample Analysis

The variant is written in Delphi and stores encrypted data in the program's resource directory. When it starts, it attempts to open the mutex MutexPRCP to ensure that only one instance runs. If the mutex cannot be opened, it creates a new one.

Obtain information and upload it to the C&C server:
The PRCP variant of the Matrix ransomware collects information such as the current system language, hostname and username, and concatenates the strings in memory:

The C&C server address is decrypted in memory, as shown below:

Host information is sent to the C&C server address (prcp.mygoodsday.org) and recorded, as shown below:

Disk information is scanned, displayed in the output window and uploaded to the C&C server again.

Generate a key and delete system backups
The PRCP variant of the Matrix ransomware generates a corresponding key using built-in RSA keys, as shown below:

A .bat file is then generated and the disk volume shadow copies are deleted so that victims cannot restore data from backups, as shown below:

The variant generates a VBS script, which is called by the BAT script mentioned above.

Scan the local area network and encrypt network shares:
The variant generates a randomly named backup file, executes the file with parameters and then scans the local area network, as shown below:

Scanning internal network shares, as shown below:
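Detection logic for the indicators this analysis lists (the MutexPRCP mutex, the prcp.mygoodsday.org C&C address, files renamed to PRCP, shadow copy deletion before encryption, and the RDP brute-force entry vector), written as an added example that is not Sangfor's code. The event schema, the sample events, the ".PRCP" suffix form, the vssadmin/wmic command pattern and the failed-logon threshold are assumptions.

```python
import re
from collections import Counter

# Indicators taken from the analysis above.
PRCP_MUTEX = "MutexPRCP"
PRCP_C2_DOMAIN = "prcp.mygoodsday.org"
PRCP_EXTENSION = ".PRCP"  # assumed suffix form of the "PRCP files" mentioned above
# The analysis says a .bat file deletes volume shadow copies but does not name
# the command; matching vssadmin/wmic shadow deletion is an assumption.
SHADOW_DELETE_RE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
# Assumed threshold for flagging an RDP brute-force attempt; tune per site.
FAILED_LOGON_THRESHOLD = 10

def detect_prcp(events):
    """Return (rule, detail) findings over event dicts (schema constructed for this example)."""
    findings = []
    failed_by_source = Counter()
    for ev in events:
        t = ev.get("type")
        if t == "mutex" and ev.get("name") == PRCP_MUTEX:
            findings.append(("prcp_mutex", ev["name"]))
        elif t == "dns" and ev.get("query", "").lower() == PRCP_C2_DOMAIN:
            findings.append(("prcp_c2_dns", ev["query"]))
        elif t == "file_rename" and ev.get("new_name", "").upper().endswith(PRCP_EXTENSION):
            findings.append(("prcp_file_extension", ev["new_name"]))
        elif t == "process" and SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
            findings.append(("shadow_copy_deletion", ev["cmdline"]))
        elif t == "logon_failed":
            failed_by_source[ev.get("source_ip")] += 1
    # The brute-force rule is evaluated after the pass so the per-source count is complete.
    for src, n in failed_by_source.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("rdp_bruteforce", f"{src}: {n} failed logons"))
    return findings

# Constructed sample telemetry: 12 failed logons from one source, then host activity.
SAMPLE_EVENTS = [{"type": "logon_failed", "source_ip": "203.0.113.7"}] * 12 + [
    {"type": "mutex", "name": "MutexPRCP"},
    {"type": "dns", "query": "prcp.mygoodsday.org"},
    {"type": "process", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "file_rename", "old_name": "report.docx", "new_name": "report.docx.PRCP"},
    {"type": "dns", "query": "example.com"},
]

if __name__ == "__main__":
    for rule, detail in detect_prcp(SAMPLE_EVENTS):
        print(rule, "->", detail)
```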
