
Matrix Ransomware (<Original Filename>_[RELOCK001@TUTA.IO].<Original Extension>)

  • Distribution Method : Drive-by download (automatic infection through an exploit when the victim visits a compromised or attacker-controlled website; no user action beyond browsing is required)
 
  • MD5 : c97075cf1f28b322da460adfd404310f
 
  • Major Detection Name : Trojan/Win32.Matrixran.R211995 (AhnLab V3), Ransom_MATRIX.FQN (Trend Micro)
 
  • Encrypted File Pattern : <Original Filename>_[RELOCK001@TUTA.IO].<Original Extension>
 
  • Malicious File Creation Location :
         - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\<Random>.lnk
         - C:\Users\%UserName%\AppData\Local\Microsoft\<Random>.exe
         - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<Random>.lnk
         - C:\Users\%UserName%\AppData\Roaming\Microsoft\<Random>.exe
         - C:\Users\%UserName%\AppData\Roaming\<Random Folder>
         - C:\Users\%UserName%\AppData\Roaming\<Random>\<Random>.cmd
         - C:\Users\%UserName%\AppData\Roaming\<Random>\<Random>.exe
         - C:\Users\%UserName%\AppData\Roaming\<Random>.pek
         - C:\Users\%UserName%\AppData\Roaming\<Random>.sek
         - C:\Users\%UserName%\AppData\Roaming\<Random>.vbs
 
  • Payment Instruction File : !OoopsYourFilesLocked!.rtf / !OoopsYourFilesLocked!1.rtf ~ !OoopsYourFilesLocked!30.rtf
 
  • Major Characteristics :
         - Offline Encryption
         - Bypasses UAC via Event Viewer: sets the default value of "HKEY_CLASSES_ROOT\mscfile\shell\open\command" (written through the per-user view, HKCU\Software\Classes\mscfile\shell\open\command) to the ransomware path, then launches eventvwr.exe. Event Viewer is an auto-elevated binary that opens its .msc handler from that key, so the ransomware runs with elevated privileges without a UAC prompt
         - Deletes all Volume Shadow Copies (vssadmin.exe delete shadows /all /quiet) so encrypted files cannot be recovered from previous versions or System Restore snapshots
         - Changes desktop background (C:\Users\%UserName%\AppData\Roaming\<Random>.jpg)
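The following triage script is an added example, not part of the original page and not AppCheck's code. It checks a Windows host for the indicators listed above: the mscfile handler hijack used for the Event Viewer UAC bypass, Startup-folder shortcuts pointing into AppData, loose .pek/.sek/.vbs droppings under %APPDATA%, files named with the `_[RELOCK001@TUTA.IO]` pattern or the `!OoopsYourFilesLocked!` notes, and whether any Volume Shadow Copies survive. The scan root, hit limit and output format are assumptions made for this example; the paths, file names and registry key come from the page.

```powershell
# Added triage example (not the page's or AppCheck's code). Run from an elevated
# PowerShell so the shadow-copy query is allowed to succeed.
[CmdletBinding()]
param(
    [string]$ScanRoot = "$env:USERPROFILE",   # assumption: where to look for encrypted files
    [int]$MaxHits     = 20                    # assumption: cap on reported artifacts
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Event Viewer UAC-bypass key. eventvwr.exe (auto-elevated) resolves the .msc handler
#    through HKCR, and the per-user HKCU\Software\Classes entry shadows the HKLM default.
#    On a clean host this per-user key does not exist.
$hijackKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'
if (Test-Path $hijackKey) {
    $cmd = (Get-ItemProperty -Path $hijackKey -ErrorAction SilentlyContinue).'(default)'
    $findings.Add("mscfile handler hijack present: $hijackKey => $cmd")
}

# 2. Startup-folder shortcuts in both locations named on the page, resolved to their targets.
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        # The dropped executables live under %LOCALAPPDATA%\Microsoft, %APPDATA%\Microsoft
        # or %APPDATA%\<Random>, so a Startup shortcut into AppData is worth a look.
        if ($target -match '\\AppData\\(Local|Roaming)\\') {
            $findings.Add("Startup shortcut pointing into AppData: $($_.FullName) -> $target")
        }
    }
}

# 3. Loose .pek / .sek / .vbs files dropped directly under %APPDATA%.
Get-ChildItem -Path $env:APPDATA -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.pek', '.sek', '.vbs' } |
    ForEach-Object { $findings.Add("Suspicious file in %APPDATA%: $($_.FullName)") }

# 4. Encrypted-file naming pattern and ransom notes (!OoopsYourFilesLocked!.rtf, ...1.rtf ... ...30.rtf).
$encRegex  = '^.+_\[RELOCK001@TUTA\.IO\]\.[^.]+$'
$noteRegex = '^!OoopsYourFilesLocked!\d*\.rtf$'
$hits = Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $encRegex -or $_.Name -match $noteRegex } |
    Select-Object -First $MaxHits
foreach ($h in $hits) { $findings.Add("Ransomware artifact: $($h.FullName)") }

# 5. Shadow copies. The sample runs "vssadmin delete shadows /all /quiet"; a host that
#    normally keeps restore points but now has none is consistent with that step.
#    (Querying Win32_ShadowCopy needs administrator rights; unelevated it returns nothing.)
$shadowCount = (Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue | Measure-Object).Count
if ($shadowCount -eq 0) {
    $findings.Add("No Volume Shadow Copies present (consistent with vssadmin delete shadows /all /quiet)")
}

if ($findings.Count -eq 0) {
    Write-Output "No Matrix/RELOCK001 indicators found."
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on the mscfile key alone is high-confidence: legitimate software has no reason to register a per-user handler for .msc files. The shadow-copy check is only corroborating evidence, since hosts with System Protection disabled also report zero copies.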
