Matrix Ransomware (<Original Filename>.<Original Extension> → [newrar@tuta.io].<Random>-<Random>.NEWRAR) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Unknown

MD5 : 66c7ca7b642a531ea1f9bf611ef8f42b

Major Detection Name : Trojan-Ransom.Win32.Matrix.rz (Kaspersky), Ransom-Matrix.c (McAfee)

Encrypted File Pattern : <Original Filename>.<Original Extension> → [newrar@tuta.io].<Random>-<Random>.NEWRAR

Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Roaming\<Random>.bat
- C:\Users\%UserName%\AppData\Roaming\<Random>.vbs
- C:\Windows\System32\Tasks\DSHCA

Payment Instruction File : #NEWRAR_README#.rtf

Major Characteristics :
- Offline Encryption
- Reruns by adding "DSHCA" in Task Scheduler to disable system restore (vssadmin Delete Shadows /All /Quiet, wmic SHADOWCOPY DELETE, bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures) for every 5 minutes.
- Changes desktop background (C:\Users\%UserName%\AppData\Roaming\<Random>.bmp)