The newest Matrix virus sample has been uncovered in a new attack campaign that encrypts target user data with the .KOK8 extension. The continued attacks show that interest in this ransomware persists. Our article provides an overview of the virus operations and may also be helpful in attempting to remove the virus.
| Threat Summary | Details |
|---|---|
| Short Description | The ransomware encrypts sensitive information on your computer system with the .KOK8 extension and demands a ransom to be paid to allegedly recover them. |
| Symptoms | The ransomware will encrypt your files with a strong encryption algorithm. |
| Distribution Method | Spam Emails, Email Attachments |
Matrix Virus – Distribution Ways
A new sample of the Matrix ransomware family has been spotted which encrypts target files with the .KOK8 extension. We presume that like previous Matrix ransomware strains it also makes use of the typical distribution tactics.
The ongoing attack campaigns make use of SPAM email campaigns. They usually contain malicious social engineering elements that coerce the victim users into interacting with virus code. Executable files can be directly attached to the email messages or linked in their body contents.
The criminals can also construct fake download portals that reuse the same elements as legitimate vendor download pages and common portals. To redirect victims to them the hackers can use various scripts: redirects, ads, pop-ups, banners and in-line hyperlinks. To reach a higher number of hosts the associated scripts can be placed on community forums, chat rooms and similar sites.
All of these channels can carry the infected payload; two carrier types are especially popular with ransomware campaigns:
- Macro-Infected Documents — The hackers can embed virus code that can help deliver the Matrix virus in documents. All popular types are possible sources of infections: presentations, databases, text documents and spreadsheets. Once they are opened by the targets a notification message will be spawned asking them to enable the built-in content. If this is done the virus infection will follow.
- Software Installers — A similar approach is the inclusion of the malware code into installers of applications, updates and extensions. They are made by taking the legitimate files from the official vendor sites and modifying them with the payload delivery code.
The dangerous files can also be distributed on file sharing networks such as BitTorrent. They are often used to access illegal and pirate content.
Advanced cases can integrate the threat in browser hijackers (redirects) that are made for the most popular web browsers. They represent dangerous extensions that pose as useful additions and are spread on the official repositories and various third-party sites. Their typical behavior is to modify the settings of the affected web browsers and redirect the users to a hacker-specified address. After this is done the virus infection will follow.
Matrix Virus – In-Depth Analysis
The newest release of the Matrix virus is accompanied by a new .KOK8 extension. The security analysis reveals that the new strain behaves much like previous versions. The virus contains a modular engine which can be fine tuned according to the attack campaign. Custom configuration instructions can be crafted for various machines and conditions.
The infection campaigns can begin with a data harvesting module. It is programmed to collect information from the infected hosts using predefined commands. The first type of data that is collected can expose the victim’s identity by looking for certain strings. Examples include their name, address, phone number, interests, location and any stored account credentials. The other group of information is data that can help grow the ongoing attacks. These metrics include values such as the installed hardware components, user-set settings and operating system conditions.
A follow-up operation that uses the collected information is the stealth installation of the Matrix ransomware: the engine scans the contaminated system for applications and services that can interfere with correct malware execution, including anti-virus products, sandbox environments and virtual machine hosts.
Once the threat has been deployed without interruption, the Matrix virus will continue with various system changes. The list of possible actions includes the following:
- Windows Registry Changes — The virus engine has the ability to access the Windows Registry and modify existing strings belonging to the operating system or user-installed applications, or create new ones for itself. The impact of the modifications can lead to severe performance issues or the inability to access certain functions.
- Persistent Installation — The malware threat can be installed in a way which automatically will start once the computer is powered on. It can also disable access to the recovery boot menu.
- Data Manipulation — The associated engine can remove System Restore points and Shadow Volume Copies information which can make data recovery difficult. Refer to our instructions for more information on the matter.
- Trojan Horse Delivery — This threat can install a Trojan virus which establishes a secure connection with a hacker-controlled server. It can be used by the operators to take over control of the victims’ machines at any given time, acquire any user file, spy on the users and deploy other viruses.
Matrix Virus — Encryption
Like previous Matrix ransomware family samples this particular threat uses a built-in list of target file types. They are processed with a strong cipher and made inaccessible by the users. An example list can include any of the following:
The affected files are renamed with the .KOK8 extension. The files are renamed according to the following template, with .KOK8 as the final extension: “[KOK8@protonmail.com].[random]-[random].KOK8”. A standard ransom note is written to a file called #KOK8_README#.rtf.
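As an added example (not part of the original article or the malware), the following Python script turns the two indicators just described into a simple triage check: it matches file names against the rename template and the ransom note name, and reports how many files and which directories are affected. It assumes the two [random] tokens are alphanumeric runs; the article does not state their alphabet or length.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Pattern for the rename template quoted in the analysis:
#   "[KOK8@protonmail.com].[random]-[random].KOK8"
# Assumption: each [random] token is an alphanumeric run of any length.
ENCRYPTED_NAME = re.compile(
    r"^\[KOK8@protonmail\.com\]\.(?P<a>[A-Za-z0-9]+)-(?P<b>[A-Za-z0-9]+)\.KOK8$"
)
# Ransom note file name named in the analysis.
RANSOM_NOTE = "#KOK8_README#.rtf"


def classify_name(name: str) -> Optional[str]:
    """Return 'encrypted', 'note', or None for a single file name."""
    if name == RANSOM_NOTE:
        return "note"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    return None


def summarize(paths: Iterable[str]) -> Dict[str, object]:
    """Summarize a listing of file paths (Windows or POSIX separators):
    count encrypted files and ransom notes, and list affected directories."""
    hits: Counter = Counter()
    dirs = set()
    for p in paths:
        name = re.split(r"[\\/]", p)[-1]          # last path component
        kind = classify_name(name)
        if kind:
            hits[kind] += 1
            parent = p[: len(p) - len(name)].rstrip("\\/") or "."
            dirs.add(parent)
    return {
        "encrypted": hits["encrypted"],
        "notes": hits["note"],
        "affected_dirs": sorted(dirs),
    }


if __name__ == "__main__":
    # Constructed sample listing, not real victim data.
    sample = [
        r"C:\Users\alice\Documents\[KOK8@protonmail.com].x7Gq2Lp9-Vb3Km1Zt.KOK8",
        r"C:\Users\alice\Documents\#KOK8_README#.rtf",
        r"C:\Users\alice\Documents\budget.xlsx",
    ]
    print(summarize(sample))
```

Because the template replaces the original file name rather than appending to it, the summary cannot tell you which documents a given .KOK8 file used to be; it only tells you where the encryption ran.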
Remove Matrix Virus and Restore Encrypted Files
If your computer system got infected with the Matrix Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.