What is Matrix Ransomware?
Matrix is a ransomware family that first emerged in December 2016, mainly targeting small to medium-sized organizations across the globe in countries including the US, Belgium, Germany, Canada and the UK [1]. Although the reported number of Matrix ransomware attacks has remained relatively low in recent years, it has demonstrated ongoing development and gradual improvements to its tactics, techniques, and procedures (TTPs).
How does Matrix Ransomware work?
In earlier versions, Matrix utilized spam email campaigns, exploited Windows shortcuts, and deployed RIG exploit kits to gain initial access to target networks. However, as the threat landscape changed so did Matrix’s approach. Since 2018, Matrix has primarily shifted to brute-force attacks, targeting weak credentials on Windows machines accessible through firewalls. Attackers often exploit common and default credentials, such as “admin”, “password123”, or other unchanged default settings, particularly on systems with Remote Desktop Protocol (RDP) enabled [2] [3].
Darktrace observation of Matrix Ransomware tactics
In May 2024, Darktrace observed an instance of KOK08 ransomware, a specific strain of the Matrix ransomware family, in which some of these ongoing developments and evolutions were observed. Darktrace detected activity indicative of internal reconnaissance, lateral movement, data encryption and exfiltration, with the affected customer later confirming that credentials used for Virtual Private Network (VPN) access had been compromised and used as the initial attack vector.
Another significant tactic observed by Darktrace in this case was the exfiltration of data following encryption, a hallmark of double extortion. This method is employed by attacks to increase pressure on the targeted organization, demanding ransom not only for the decryption of files but also threatening to release the stolen data if their demands are not met. These stakes are particularly high for public sector entities, like the customer in question, as the exposure of sensitive information could result in severe reputational damage and legal consequences, making the pressure to comply even more intense.
Darktrace’s Coverage of Matrix Ransomware
Internal Reconnaissance and Lateral Movement
On May 23, 2024, Darktrace / NETWORK identified a device on the customer’s network making an unusually large number of internal connections to multiple internal devices. Darktrace recognized that this unusual behavior was indicative of internal scanning activity. The connectivity observed around the time of the incident indicated that the Nmap attack and reconnaissance tool was used, as evidenced by the presence of the URI “/nice ports, /Trinity.txt.bak”.
Although Nmap is a crucial tool for legitimate network administration and troubleshooting, it can also be exploited by malicious actors during the reconnaissance phase of the attack. This is a prime example of a ‘living off the land’ (LOTL) technique, where attackers use legitimate, pre-installed tools to carry out their objectives covertly. Despite this, Darktrace’s Self-Learning AI had been continually monitoring devices across the customers network and was able to identify this activity as a deviation from the device’s typical behavior patterns.
Darktrace subsequently observed a significant number of connection attempts using the RDP protocol on port 3389. As RDP typically requires authentication, multiple connection attempts like this often suggest the use of incorrect username and password combinations.
Given the unusual nature of the observed activity, Darktrace’s Autonomous Response capability would typically have intervened, taking actions such as blocking affected devices from making internal connections on a specific port or restricting connections to a particular device. However, Darktrace was not configured to take autonomous action on the customer’s network, and thus their security team would have had to manually apply any mitigative measures.
Later that day, the same device was observed attempting to connect to another internal location via port 445. This included binding to the server service (srvsvc) endpoint via DCE/RPC with the “NetrShareEnum” operation, which was likely being used to list available SMB shares on a device.
Over the following two days, it became clear that the attackers had compromised additional devices and were actively engaging in lateral movement. Darktrace detected two more devices conducting network scans using Nmap, while other devices were observed making extensive WMI requests to internal systems over DCE/RPC. Darktrace recognized that this activity likely represented a coordinated effort to map the customer’s network and identity further internal devices for exploitation.
Beyond identifying the individual events of the reconnaissance and lateral movement phases of this attack’s kill chain, Darktrace’s Cyber AI Analyst was able to connect and consolidate these activities into one comprehensive incident. This not only provided the customer with an overview of the attack, but also enabled them to track the attack’s progression with clarity.
Furthermore, Cyber AI Analyst added additional incidents and affected devices to the investigation in real-time as the attack unfolded. This dynamic capability ensured that the customer was always informed of the full scope of the attack. The streamlined incident consolidation and real-time updates saved valuable time and resources, enabling quicker, more informed decision-making during a critical response window.
File Encryption
On May 28, 2024, another device was observed connecting to another internal location over the SMB filesharing protocol and accessing multiple files with a suspicious extension that had never previously been observed on the network. This activity was a clear sign of ransomware infection, with the ransomware altering the files by adding the “KOK08@QQ[.]COM” email address at the beginning of the filename, followed by a specific pattern of characters. The string consistently followed a pattern of 8 characters (a mix of uppercase and lowercase letters and numbers), followed by a dash, and then another 8 characters. After this, the “.KOK08” extension was appended to each file [1][4].
Data Exfiltration
Shortly after the encryption event, another internal device on the network was observed uploading an unusually large amount of data to the rare external endpoint 38.91.107[.]81 via SSH. The timing of this activity strongly suggests that this exfiltration was part of a double extortion strategy. In this scenario, the attacker not only encrypts the target’s files but also threatens to leak the stolen data unless a ransom is paid, leveraging both the need for decryption and the fear of data exposure to maximize pressure on the victim.
The full impact of this double extortion tactic became evident around two months later when a ransomware group claimed possession of the stolen data and threatened to release it publicly. This development suggested that the initial Matrix ransomware attackers may have sold the exfiltrated data to a different group, which was now attempting to monetize it further, highlighting the ongoing risk and potential for exploitation long after the initial attack.
Unfortunately, because Darktrace’s Autonomous Response capability was not enabled at the time, the ransomware attack was able to escalate to the point of data encryption and exfiltration. However, Darktrace’s Security Operations Center (SOC) was still able to support the customer through the Security Operations Support service. This allowed the customer to engage directly with Darktrace’s expert analysts, who provided essential guidance for triaging and investigating the incident. The support from Darktrace’s SOC team not only ensured the customer had the necessary information to remediate the attack but also expedited the entire process, allowing their security team to quickly address the issue without diverting significant resources to the investigation.
Conclusion
In this Matrix ransomware attack on a Darktrace customer in the public sector, malicious actors demonstrated an elevated level of sophistication by leveraging compromised VPN credentials to gain initial access to the target network. Once inside, they exploited trusted tools like Nmap for network scanning and lateral movement to infiltrate deeper into the customer’s environment. The culmination of their efforts was the encryption of files, followed by data exfiltration via SSH, suggesting that Matrix actors were employing double extortion tactics where the attackers not only demanded a ransom for decryption but also threatened to leak sensitive information.
Despite the absence of Darktrace’s Autonomous Response at the time, its anomaly-based approach played a crucial role in detecting the subtle anomalies in device behavior across the network that signalled the compromise, even when malicious activity was disguised as legitimate. By analyzing these deviations, Darktrace’s Cyber AI Analyst was able to identify and correlate the various stages of the Matrix ransomware attack, constructing a detailed timeline. This enabled the customer to fully understand the extent of the compromise and equipped them with the insights needed to effectively remediate the attack.
Credit to Christina Kreza (Cyber Analyst) and Ryan Traill (Threat Content Lead)
Appendices
Darktrace Model Detections
· Device / Network Scan
· Device / Attack and Recon Tools
· Device / Possible SMB/NTLM Brute Force
· Device / Suspicious SMB Scanning Activity
· Device / New or Uncommon SMB Named Pipe
· Device / Initial Breach Chain Compromise
· Device / Multiple Lateral Movement Model Breaches
· Device / Large Number of Model Breaches from Critical Network Device
· Device / Multiple C2 Model Breaches
· Device / Lateral Movement and C2 Activity
· Anomalous Connection / SMB Enumeration
· Anomalous Connection / New or Uncommon Service Control
· Anomalous Connection / Multiple Connections to New External TCP Port
· Anomalous Connection / Data Sent to Rare Domain
· Anomalous Connection / Uncommon 1 GiB Outbound
· Unusual Activity / Enhanced Unusual External Data Transfer
· Unusual Activity / SMB Access Failures
· Compromise / Ransomware / Suspicious SMB Activity
· Compromise / Suspicious SSL Activity
List of Indicators of Compromise (IoCs)
· .KOK08 - File extension - Extension to encrypted files
· [KOK08@QQ[.]COM] – Filename pattern – Prefix of the encrypted files
· 38.91.107[.]81 – IP address – Possible exfiltration endpoint
MITRE ATT&CK Mapping
· Command and control – Application Layer Protocol – T1071
· Command and control – Web Protocols – T1071.001
· Credential Access – Password Guessing – T1110.001
· Discovery – Network Service Scanning – T1046
· Discovery – File and Directory Discovery – T1083
· Discovery – Network Share Discovery – T1135
· Discovery – Remote System Discovery – T1018
· Exfiltration – Exfiltration Over C2 Channer – T1041
· Initial Access – Drive-by Compromise – T1189
· Initial Access – Hardware Additions – T1200
· Lateral Movement – SMB/Windows Admin Shares – T1021.002
· Reconnaissance – Scanning IP Blocks – T1595.001
References
[1] https://unit42.paloaltonetworks.com/matrix-ransomware/
[2] https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf
[3] https://cyberenso.jp/en/types-of-ransomware/matrix-ransomware/
[4] https://www.pcrisk.com/removal-guides/10728-matrix-ransomware
![External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df74_670d956f4dda5eb6ac9e650f_Screenshot%25202024-10-14%2520at%25203.04.22%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df7d_670d959854eb594420fdc971_Screenshot%25202024-10-14%2520at%25203.05.03%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df80_670d95c562c6e392c7dc3ba8_Screenshot%25202024-10-14%2520at%25203.05.49%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df7a_670d95e4b1dbad771717553c_Screenshot%25202024-10-14%2520at%25203.06.20%25E2%2580%25AFPM.png)
