Matrix ransomware

September 8, 2018

What is Matrix

How does Matrix work


Matrix ransomware is a dangerous crypto-virus that has reappeared in many variants since its discovery at the end of 2016. The first version had a screenlocker feature, but the virus later evolved and started to encrypt files. This ransomware uses AES and RSA encryption and appends various extensions, depending on the version: ., ., ..-.CORE, .FOX. A few later versions of this malware do not change file names and only drop a #What_Wrong_With_Files#.rtf or #CORE_README#.rtf ransom note in every folder. The latest variant, called Fox ransomware, places #FOX_README#.rtf on the system. This is the newest version of the Matrix ransomware virus, and it has already managed to attack a few victims in Spain. The ransomware spreads via insecure, publicly accessible Remote Desktop Services and spam email attachments.


Since then, the developers have employed the RIG exploit kit to boost distribution of the ransomware. After a couple of months, IT experts noticed a spike in its activity again. The developers did not change the overall design of the malware much; the felons only added new email addresses.


English- and Russian-speaking users are the malware's main targets. The ransom message is called matrix-readme.rtf, and it commands victims to contact the scammers via the provided email addresses: matrix9643@yahoo.com or redtablet9643@yahoo.com. Besides those, here is a short list of all the other email addresses currently associated with Matrix:

TheMatrixHasYou9643@yahoo.com noliberty9643@yahoo.com thematrixhasyou9643@yahoo.com cremreihanob1979@yandex.ru pyongyang001@yahoo.com bl4ckdr4gon@tutanota.com PabFox@protonmail.com FoxHelp@cock.li FoxHelp@tutanota.com

As soon as such malware compromises a computer, it scans for potentially important data and encrypts it with an AES+RSA cipher to make it inaccessible. After that, it marks the files with .matrix, , or no extension.

At the beginning of April 2018, crooks released two new versions of the Matrix ransomware virus; the two differ from the previous versions in design, ransom note, and other traits. According to ransomware researchers, the malware is being disseminated via Remote Desktop Services (RDS) compromised by brute-forcing the password. Nonetheless, it can also be dispersed in spam email attachments and fake updates.

Once the attacker installs the file extension virus, it runs multiple Command Prompt scripts and encrypts most of the personal files by attaching the suffix to them. After that, it creates a !ReadMe_To_Decrypt_Files!.rtf ransom note, which instructs the victim to contact the developers via Files4463@tuta.io, Files4463@protonmail.ch, and Files4463@gmail.com.

Please, do NOT follow these commands! You should take care of Matrix ransomware removal right after finding encrypted files on your computer. Additionally, use the data recovery options that we provide at the end of this post.

Another variant of Matrix ransomware can be recognized by the file extension . In comparison to the previous version, this one is a bit more elaborate in terms of debugging messages and cipher commands. Its ransom note is named #Decrypt_Files_ReadMe#.rtf. The victim is asked to send a unique identification number to one of the following email addresses:


RestorFile@tutanota.com RestoreFile@protonmail.com RestoreFile@qq.com

If you’re looking for a Matrix decryption tool, you should know that currently there is none. It is extremely hard to decrypt files without knowing the decryption key, and that is why ransomware developers make every effort to hide it from the computer user. Typically, they keep the decryption key on remote, hidden servers.

It would be unwise to remit the payment, as there are no guarantees that the developers will play fair and return the files. There are also doubts whether their decrypter will function properly. If it is a program, it may contribute to a future crypto-malware hijack. Therefore, remove the Matrix ransomware virus in a hurry. You can use anti-malware tools, such as Anti-Malware or Norton Internet Security, for the ransomware elimination.

We suggest you create a backup of the encrypted data and keep it safe until someone releases a free decryption tool – if you have heard about the TeslaCrypt or PrincessLocker cases, you probably understand that it is possible to decrypt files once they’re encrypted; however, malware reversers need to spend a lot of time creating decryptors, so please be patient!

How to delete Matrix

TheMatrixHasYou ransomware. Another example of Matrix malware has emerged recently, and it seems to be similar to the initial virus version. Just like the matrix9643@yahoo.com virus, it renders files into worthless pieces of data. It converts documents, photos, databases, presentations, videos, and other files that the victim keeps on the computer into junk files that take up space but cannot be used in any way.

The only noticeable difference between the initial version of the ransomware and the TheMatrixHasYou virus is that the latter provides different contact emails, TheMatrixHasYou9643@yahoo.com and noliberty9643@yahoo.com, and leaves information about the attack in a <Victim’s ID>.MATRIX-KEY.RTF file.

This version is also still very dangerous, and there is no antidote for its poison. If your files have been encrypted, you should restore them from backup or remain patient until malware reverse engineers discover a way to crack it and create a free decryptor. Until then, remove the Matrix malware to protect your PC from additional malware.

Updated October 27, 2017. In October 2017, Matrix ransomware made a comeback. The authors continue relying on the RIG exploit kit. There are no crucial changes except a couple of new email addresses; one of them refers to North Korea’s capital, Pyongyang.

The fact that the malware is placed in a .saz folder suggests it may be distributed via email attachments. Fortunately, the latest version is already detected (as TR/Crypt.Xpack.vdzpt, Trojan.Ransom.Matrix, etc.) by security tools. The virus may hide in 1q0NOiyA.exe or an alternative executable file.

file extension virus. This version of Matrix ransomware was detected in the first half of April 2018. Researchers detected it spreading via hacked Remote Desktop services. It uses the RSA-2048 and AES-128 encryption algorithms and creates a !ReadMe_To_Decrypt_Files!.rtf ransom note.


The note describes the current situation and contains a personal identification number, which has to be indicated in the subject line of the email and sent to one of the following addresses:

Files4463@tuta.io Files4463@protonmail.ch Files4463@gmail.com

Unfortunately, this variant does not have a free decryptor, at least not yet. Nevertheless, we do not recommend paying the ransom as it’s not clear whether the paid Matrix decryptor is reliable.

file extension virus. This Matrix ransomware version is almost identical to the previous one. Nevertheless, it has been developed in a more professional way, as it uses more complex debugging messages and cipher commands.

It also uses the RSA-2048 and AES-128 ciphers and targets personal files just like its predecessor. Upon encryption, locked files exhibit the file extension. The PC’s desktop background is replaced by the Matrix lock screen, and the victim is presented with a ransom note named #Decrypt_Files_ReadMe#.rtf. The latter can be found not only on the desktop but also in each folder containing encrypted data.

The victim is required to provide a unique ID number to get payment instructions. For this purpose, they have to write an email message and send it to the RestorFile@tutanota.com, RestoreFile@protonmail.com, and RestoreFile@qq.com email addresses.

The file extension is not decryptable for free.

Fox Matrix ransomware was discovered in August 2018 as the latest version of the Matrix virus. Encryption is done using the AES-128 and RSA-2048 methods. Every modified file gets an extension in this pattern: ..FOX. The Fox virus places a ransom note, #FOX_README#.rtf, containing the instructions for further actions in every folder that has modified data. In this note, the virus developers provide contact emails: PabFox@protonmail.com; FoxHelp@cock.lt; FoxHelp@tutanota.com. It spreads by breaking through RDS.
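As an added example that is not part of the original article, the following Python script sweeps a directory tree (read-only) for the ransom-note file names and encrypted-file extensions this write-up attributes to the Matrix family, so a responder can scope which folders were touched before restoring from backup. The note names and extensions are taken from the article; the sample folder tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Ransom-note names this write-up reports Matrix variants dropping into every
# folder they touch; compared case-insensitively.
MATRIX_NOTE_NAMES = {
    "matrix-readme.rtf", "#what_wrong_with_files#.rtf", "#core_readme#.rtf",
    "#fox_readme#.rtf", "!readme_to_decrypt_files!.rtf", "#decrypt_files_readme#.rtf",
}
MATRIX_NOTE_SUFFIX = ".matrix-key.rtf"  # <Victim's ID>.MATRIX-KEY.RTF has a variable prefix
# Extensions the text names as appended to encrypted files (.matrix, .FOX).
ENCRYPTED_EXT_RE = re.compile(r"\.(matrix|fox)$", re.IGNORECASE)

def is_matrix_note(filename):
    name = filename.lower()
    return name in MATRIX_NOTE_NAMES or name.endswith(MATRIX_NOTE_SUFFIX)

def triage_tree(root):
    """Read-only walk: per directory, the ransom notes found and the count of
    files carrying a Matrix/Fox extension. Use it to scope an incident first."""
    report = defaultdict(lambda: {"notes": [], "encrypted": 0})
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_matrix_note(f):
                report[dirpath]["notes"].append(f)
            elif ENCRYPTED_EXT_RE.search(f):
                report[dirpath]["encrypted"] += 1
    return {d: v for d, v in report.items() if v["notes"] or v["encrypted"]}

def summarize(report):
    return {"folders": len(report),
            "notes": sum(len(v["notes"]) for v in report.values()),
            "encrypted_files": sum(v["encrypted"] for v in report.values())}

def run_demo():
    """Build a constructed sample tree (not real victim data) and triage it."""
    sample = {"Documents": ["#FOX_README#.rtf", "budget.xlsx.FOX", "notes.txt.FOX"],
              "Pictures": ["matrix-readme.rtf", "holiday.jpg.matrix"],
              "Clean": ["readme.txt", "photo.jpg"]}
    with tempfile.TemporaryDirectory() as base:
        for folder, names in sample.items():
            os.makedirs(os.path.join(base, folder))
            for n in names:
                open(os.path.join(base, folder, n), "w").close()
        return summarize(triage_tree(base))

if __name__ == "__main__":
    print(run_demo())  # {'folders': 2, 'notes': 2, 'encrypted_files': 3}
```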

There is no official decryption tool, so we recommend removing Fox Matrix ransomware using proper anti-malware tools. Only then can you focus on the important data recovery process. DO NOT contact the cybercriminals and DO NOT pay the demanded ransom. This may lead to permanent data or money loss.

Receiving an urgent alert from the Federal Bureau of Investigation, the National Security Agency or another legal institution is not a pleasant experience, as long as it is genuine. Such institutions likewise inspire cyber villains to polish their hacking techniques.

The current version of Matrix malware frightens users into thinking that their computer and data have been locked due to a violation of US law. The counterfeit messages claim that their devices have been blocked due to detected child pornography content and similar criminal activities.

It also refers to the Criminal Code to deceive users further. However, a few affected netizens might check the referenced article and find that its content is different. Keep in mind that the mentioned institutions do not urge you to pay any amount of money within a specified amount of time.

The Matrix hackers expect you to remit the payment within 96 hours in order to escape a life imprisonment sentence. It is not difficult to see through the deception, since the crooks provide a Bitcoin address and the email addresses thematrixhasyou9643@yahoo.com and cremreihanob1979@yandex.ru.

Be vigilant when reviewing the spam folder. Do not open any email attachments before verifying the sender. Hackers often leave grammar mistakes and typos in such messages. The Matrix hijack is performed with the assistance of the JNwpM1mu.exe executable file. Security tools flag it under detection names such as HEUR/QVM10.1.0000.Malware.Gen, malicious_confidence_100% (D), TR/Crypt.Xpack.uhqit, and similar trojan-horse labels.

Sadly, many computer users are not aware of the ransomware menace and can become victims easily. Though spam emails remain the popular distribution method among Cerber and Locky authors, others wrap their malware in the disguise of corrupted apps. The BadRabbit virus illustrates this case.


Therefore, pay attention to what programs you download and from what sources. Avoid installing software from anywhere other than official sites. Pay attention to the “publisher” – it should indicate the name of the official company rather than “unknown.”

Now that you know how ransomware spreads and how to avoid installing such viruses, you probably want to remove the Matrix virus as soon as possible. The first question you should answer is whether you have a malware removal tool or not. If not, follow these Matrix removal guidelines to delete the Matrix virus from the system for good. To eliminate it, you will need good anti-malware software. Before you do it, reboot your PC using the instructions provided below.

Now let’s discuss the ransom part. First of all, if you’re willing to pay it, do not delete the infection first – do it afterward. However, we strongly recommend that you not pay the ransom. There are numerous reasons why it is not worth paying; there is little chance that the criminals will decide to give you the decryption key to unlock your files.

Besides, if you paid, you would encourage the scammers to keep going and create more malware, causing the number of ransomware victims to grow. Although it is not a direct way to fight ransomware, refusing to pay can help to lower the number of ransomware cases in general. If victims stopped paying ransoms, cybercriminals would no longer see a point in creating them.

Stage 1: Delete Browser Extension

First of all, we would recommend that you check your browser extensions and remove any that are linked to Matrix. A lot of adware and other unwanted programs use browser extensions in order to hijack internet applications.

Remove Matrix Extension from Google Chrome

  1. Launch Google Chrome.
  2. In the address bar, type: chrome://extensions/ and press Enter.
  3. Look for Matrix or anything related to it, and once you find it, press ‘Remove’.

Uninstall Matrix Extension from Firefox

  1. Launch Mozilla Firefox.
  2. In the address bar, type: about:addons and press Enter.
  3. From the menu on the left, choose Extensions.
  4. Look for Matrix or anything related to it, and once you find it, press ‘Remove’.

Delete Matrix Extension from Safari

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Select Preferences from the list.
  4. Choose the Extensions tab.
  5. Look for Matrix or anything related to it, and once you find it, press ‘Uninstall’.
  6. Additionally, open Safari Settings again and choose Downloads.
  7. If Matrix.safariextz appears on the list, select it and press ‘Clear’.

Remove Matrix Add-ons from Internet Explorer

  1. Launch Internet Explorer.
  2. From the menu at the top, select Tools and then press Manage add-ons.
  3. Look for Matrix or anything related to it, and once you find it, press ‘Remove’.
  4. Reopen Internet Explorer. In the unlikely scenario that Matrix is still on your browser, follow the additional instructions below.
  5. Press Windows Key + R, type appwiz.cpl and press Enter
  6. The Program and Features window will open where you should be able to find the Matrix program.
  7. Select Matrix or any other recently installed unwanted entry and press ‘Uninstall/Change’.

Alternative method to clear the browser from Matrix

There may be cases when adware or PUPs cannot be removed by simply deleting extensions or code. In those situations, it is necessary to reset the browser to its default configuration. If you notice that even after getting rid of weird extensions the infection is still present, follow the instructions below.

Use Chrome Clean Up Tool to Delete Matrix

  1. Launch Google Chrome.
  2. In the address box, type: chrome://settings/ and press Enter.
  3. Expand Advanced settings, which you can find by scrolling down.
  4. Scroll down until you see Reset and Cleanup.
  5. Press on Clean up computer. Then press Find.

This Google Chrome feature is supposed to clear the computer of any harmful software. If it does not detect Matrix, go back to the Clean up computer and reset settings.

Reset Mozilla Firefox to Default

If you still find Matrix in your Mozilla Firefox browser, you should be able to get rid of it by restoring your Firefox settings to default. While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.

  1. Launch Mozilla Firefox.
  2. Into the address box, type: about:support and press Enter.
  3. You will be redirected to a Troubleshooting Information page.
  4. From the menu on the right side, select Refresh Firefox.
  5. Confirm your choice by clicking Refresh Firefox in the new window.
  6. Your browser will close automatically in order to successfully restore the settings.
  7. Press Finish.

Reset Safari Browser to Normal Settings

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Press Reset Safari.
  4. A new window will appear. Select the boxes of what you want to reset or use the screenshot below to guide you. Once you have selected everything, press ‘Reset’.
  5. Restart Safari.

Restore Internet Explorer to Default Settings

  1. Launch Internet Explorer.
  2. From the top menu, press on Tools and then Internet Options.
  3. In the new window that opens, choose the Advanced tab.
  4. At the bottom of the window, below Reset Internet settings, there will be a ‘Reset’ button. Press that.

While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.
