Two new Matrix Ransomware variants were discovered this week by MalwareHunterTeam that are being installed through hacked Remote Desktop services. While both of these variants encrypt your computer’s files, one is a bit more advanced with more debugging messages and the use of cipher to wipe free space.
Based on the debugging messages displayed by the ransomware when it is executed and the various reports in the BleepingComputer forums, this ransomware is currently being distributed to victims by the attackers brute forcing the passwords of Remote Desktop services connected directly to the Internet. Once the attackers gain access to a computer, they upload the installer and execute it.
Currently, there are two different Matrix variants being distributed at this time. Both variants are being installed over hacked RDP, encrypt unmapped network shares, display status windows while encrypting, clear shadow volume copies, and encrypt the filenames. There are, though, some slight differences between the two variants, with the second one ([RestorFile@tutanota.com]) being a bit more advanced.
These differences are described below.