A new variant of Matrix ransomware, named Fox ransomware, found encrypting and renaming files and appending the .FOX extension to the file name

A new variant of the Matrix ransomware, named Fox ransomware, has been found encrypting files, renaming them and appending the .FOX extension to the file name. The new variant was discovered by security researchers at MalwareHunterTeam. The ransomware is installed on computers running Remote Desktop Services: the attackers scan ranges of IP addresses for exposed RDP services and then brute-force the password. Once in, they manually install the ransomware on the victim's device; it displays console windows that show the status of the encryption process, which lets the attackers monitor it. Like the previous versions of Matrix ransomware, the new variant also communicates extensively with its command and control server.

Analysis of Fox Ransomware

Once installed, the ransomware connects to its command and control server and keeps a log of the various stages of the encryption process. Two console windows are opened: the first displays the status of the encryption process, and the second displays the network addresses that were scanned for open shares.

[Screenshots: Encryption Status Console; Network Drives Console]

The ransomware then drops a batch file that tries to close all open handles to the file it is about to encrypt. It does this by first removing all attributes from the file, then changing its permissions, then taking ownership of it, and lastly running the Sysinternals Handle.exe program to close any handles that are still open. During encryption, Fox first executes this batch file against each file and only then encrypts it. After encryption, it renames the file and appends the .FOX extension.

Source: Bleeping Computer

A ransom note named #FOX_README#.rtf is also created in each folder. The note contains payment instructions: victims are asked to send a message to the three e-mail addresses listed in the note ([email protected], [email protected] and [email protected]). The ransomware also changes the desktop background to a picture showing part of the ransom note. In the final step, a randomly named .vbs file in the %AppData% folder is executed; it deletes the shadow volume copies using WMIC, PowerShell and vssadmin, removes the Windows recovery startup option, and then deletes the VBS file itself. As of now, the encrypted files cannot be decrypted for free. Because the ransomware tries to close every open handle to each file before encrypting it, the encryption process is slow, so victims have a chance of detecting the infection before it has completed: the console windows, the repeated per-file handle-closing steps and the later shadow copy deletion are all visible while it is still running.
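The two stages described above leave distinctive traces in process-creation telemetry: the per-file handle-closing sequence (attribute removal, permission change, ownership change, Handle.exe) and the final shadow copy deletion and recovery-disable commands. The following is an added detection example written for this article; it is not code from the original report, from MalwareHunterTeam or from Bleeping Computer. The events are constructed sample data in a Sysmon Event ID 1 style (host, image, command line); the exact tools used by the batch file (attrib, icacls, takeown), the Handle.exe `-c` syntax and the use of `bcdedit` to disable recovery startup are assumptions, since the article names only the behaviour, not the commands.

```python
"""Detect the Fox/Matrix pre-encryption and recovery-inhibiting steps in process logs.

Added example, not the ransomware's or the researchers' code. Sample events are
constructed; field layout (host, image, cmdline) is assumed, as are the concrete
tools behind the article's "remove attributes / change permissions / take
ownership / Handle.exe" sequence and the bcdedit command for recovery startup.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional


def ev(host: str, image: str, cmdline: str) -> Dict[str, str]:
    return {"host": host, "image": image, "cmdline": cmdline}


# Constructed sample telemetry: WS01 mimics the article's Fox behaviour, WS02 is benign admin work.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # handle-closing batch run against one file before it is encrypted (assumed tools)
    ev("WS01", r"C:\Windows\System32\attrib.exe", r'attrib -r -s -h "D:\share\q3_budget.xlsx"'),
    ev("WS01", r"C:\Windows\System32\icacls.exe", r'icacls "D:\share\q3_budget.xlsx" /grant Everyone:F'),
    ev("WS01", r"C:\Windows\System32\takeown.exe", r'takeown /f "D:\share\q3_budget.xlsx"'),
    ev("WS01", r"C:\Users\bob\AppData\Roaming\handle.exe", "handle.exe -accepteula -c 0x1A4 -p 4120 -y"),
    # final stage: randomly named .vbs in %AppData% deletes shadow copies and disables recovery
    ev("WS01", r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\bob\AppData\Roaming\kf7x2.vbs"'),
    ev("WS01", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ev("WS01", r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ev("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       'powershell -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'),
    ev("WS01", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    # benign: an admin listing shadow copies and adjusting one ACL
    ev("WS02", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ev("WS02", r"C:\Windows\System32\icacls.exe", r'icacls "C:\data" /grant Users:R'),
]

# Recovery-inhibiting commands the article attributes to the .vbs stage (bcdedit form is assumed).
RECOVERY_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy.*\.delete\(", re.I), "PowerShell Win32_ShadowCopy delete"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "bcdedit recoveryenabled No"),
]

# Tools assumed to implement "remove attributes, change permissions, take ownership".
HANDLE_CLOSE_TOOLS = {"attrib.exe", "icacls.exe", "takeown.exe"}
QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')


def quoted_path(cmdline: str) -> Optional[str]:
    """Return the first quoted Windows path in a command line, if any."""
    m = QUOTED_PATH.search(cmdline)
    return m.group(1) if m else None


def analyse(events: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per host: recovery-inhibiting commands seen, files that went through the full
    handle-closing sequence, and whether a .vbs under %AppData% was launched."""
    report: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"recovery_inhibit": [], "handle_closing_targets": [], "appdata_script": False})
    prep: Dict[tuple, set] = defaultdict(set)  # (host, path) -> preparation tools seen
    handle_hosts = set()                        # hosts where Handle.exe closed a handle (-c)
    for e in events:
        host, cmd = e["host"], e["cmdline"]
        entry = report[host]                    # ensure every host appears in the report
        tool = e["image"].rsplit("\\", 1)[-1].lower()
        for pat, label in RECOVERY_PATTERNS:
            if pat.search(cmd) and label not in entry["recovery_inhibit"]:
                entry["recovery_inhibit"].append(label)
        if tool in ("wscript.exe", "cscript.exe") and re.search(r"\\appdata\\.*\.vbs", cmd, re.I):
            entry["appdata_script"] = True
        if tool in HANDLE_CLOSE_TOOLS:
            path = quoted_path(cmd)
            if path:
                prep[(host, path)].add(tool)
        if tool in ("handle.exe", "handle64.exe") and re.search(r"(^|\s)-c\b", cmd):
            handle_hosts.add(host)
    # The full sequence on one path plus a handle close on the same host is the pre-encryption step.
    for (host, path), tools in prep.items():
        if tools == HANDLE_CLOSE_TOOLS and host in handle_hosts:
            report[host]["handle_closing_targets"].append(path)
    return dict(report)


def is_suspect(entry: Dict[str, object]) -> bool:
    """A host is flagged on either the recovery-inhibiting stage or the handle-closing stage."""
    return bool(entry["recovery_inhibit"]) or bool(entry["handle_closing_targets"])


if __name__ == "__main__":
    for host, entry in analyse(SAMPLE_EVENTS).items():
        print(host, "SUSPECT" if is_suspect(entry) else "clean", entry)
```

The handle-closing rule fires only when all three preparation tools hit the same quoted path and Handle.exe was run with `-c` on that host, so a lone `icacls` or `takeown` from an administrator does not trigger it; the recovery rules are stricter than matching the tool name, since `vssadmin list shadows` is routine while `delete shadows` almost never is on a workstation.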

Always follow these basic instructions to protect yourself from any ransomware attack:

  • Do not expose Remote Desktop Services directly to the internet; this variant is installed by brute-forcing RDP passwords, so restrict RDP to a VPN or trusted addresses, use strong passwords with account lockout, and watch for repeated failed RDP logons.
  • Perform regular backups. Ideally, the data should be kept on a separate device, and backups should be stored offline.
  • Maintain updated antivirus software on all systems.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If the URL appears genuine, close the e-mail and go to the organization's website directly through the browser.
  • Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.
You may be interested in reading: Two New Variants of Matrix Ransomware are Spread through Hacked Remote Desktop Services