- The ransomware encrypts files using AES-128 and RSA-2048 crypto algorithms.
- To complete the process, the malware creates a ransom note named #FOX_README#.rtf in each folder that contains the encrypted files.
A new version of the Matrix ransomware has been uncovered by security researcher MalwareHunterTeam. Dubbed as Fox Matrix, the ransomware is distributed via computers running on publicly accessible Remote Desktop Services (RDS).
To initiate the attack, hackers scan a range of IP addresses to find open RDS services and then use brute force to break the password. Once they have gained access to the computer, they can manually install the ransomware which eventually, encrypts the files on the victim’s computer and then appends them with .FOX extension. The files are encrypted using AES-128 and RSA-2048 crypto algorithms.
After execution, Fox Matrix behaves like the Matrix ransomware. It connects to the Command & Control server and begins to register several stages of an encryption process, Bleeping Computer reported.
Apart from communicating with C2 server, the ransomware also displays two console windows that provide status updates on the encryption process to the hackers. The first console window shows the status of the encryption process, while the other window displays the scanned network addresses.
To complete the process, the malware creates a ransom note named #FOX_README#.rtf in each folder that contains the encrypted files. The note contains instructions for the victims on how to make the ransom payment.
As of now, there is no decryption key available to decrypt the files encrypted by Fox Matrix. However, the good news is that the Fox Matrix ransomware takes a longer time to encrypt the files. This in a way, could allow a user to protect his/her computer before the infection process is fully completed.