Tag :
Cyber Security

Recently, Sangfor security team kept in track of of a new variant of Matrix ransom virus. As of now, there are networks of government sectors having infected by this virus variant. This new variant employs RSA and AES algorithms to encrypt majority of the files to PRCP files and demands for ransom. There is no ways to decrypt the files currently.

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 1

The ransom virus variant spreads through RDP brute-force attacks, scans internal hosts, encrypt shared files and prompts ransom notes, as shown in the following figure:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 2

Sangfor has acquired all the related virus samples and figured out the solutions.

The ransom virus variant spreads through RDP brute-force attacks, scans internal hosts, encrypt shared files and prompts ransom notes, as shown in the following figure:

Sample Analysis

The ransom virus variant spreads through RDP brute-force attacks, scans internal hosts, encrypt shared files and prompts ransom notes, as shown in the following figure:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 3

The virus variant is written in Delphi and will save encrypted data to resource directory of the program. When the virus starts to run, it attempts to open the mutex variable MutexPRCP to ensure that it is the only program could run. If that variable cannot be opened, it creates a new one.

Obtain information and upload them to C&C server:
The PRCP variant of Matrix ransom virus gets information such as language of current system, hostname, username, etc. and puts strings together in memory:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 4

Decrypt address of C&C server in memory, as shown below:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 5

Send host information to the address of C&C server (prcp.mygoodsday.org) and record, as shown below:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 6

Scan disk information and display that information in output window and upload that information to C&C server again.

Generate a key and delete system backups

The PRCP variant of Matrix ransom virus generates a corresponding key through built-in RSA keys, as shown below:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 7

And then, a .bat file is generated and disk volume shadows are deleted to make victims unable to restore data from backups, as shown below:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 8

The variant generates VBS script which will be called by the above mentioned BAT script.

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 9

Scan local area network and encrypt network shares: The variant generates a randomly named backup file, executes the file via parameters and then scans local area network, as shown below:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 10

Scanning internal network shares: as shown below:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 11

A randomly named .bat file is generated, as shown below:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 12

Call the released NTHandler program and scan current host, as shown below:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 13

Encrypt local file and generate ransom note: At last, the variant traverses local disks, encrypts disk files and appends. PRCP extension to encrypted files.

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 14

When encryption finishes, a ransom note #README_PRCP#.rtf will be generated in the local disks and the contents are as follows:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 15

When encryption finishes, a ransom note #README_PRCP#.rtf will be generated in the local disks and the contents are as follows:

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 16

PRCP Variant of Matrix Ransom Virus Intruded Governmental And Enterprise Networks 17

Solution

As the time of writing, there is no decryption tool for those victims. You may quarantine infected hosts and disconnect them from network.

We recommend you to perform virus scan and protection as soon as possible.

Detection and Removal

  1. Sangfor offers customers and users a free anti-malware software to scan for and remove the ransom virus. Simply download it from http://go.sangfor.com/edr-tool-20180824
  2. Sangfor NGAF product is capable of detecting and removing this ransom virus.

Protection

  1. Fix the vulnerability in time by installing the corresponding patch on the host.
  2. Back up critical data files regularly to other hosts or storage devices.
  3. Do not click on any email attachment from unknown sources and not download any software from untrusted websites.
  4. Disable unnecessary file sharing permissions.
  5. Change and strengthen your computer password and do not use the same passwords for different computers to avoid compromising a series of computers.
  6. Disable RDP if RDP is unnecessary for your business. When computers are attacked, use Sangfor NGAF to block port 3389 and other ports to stop ransom virus from spreading.
  7. Sangfor NGAF can prevent brute-force attacks. Turn on brute-force attack prevention on NGAF and enable Rule 11080051, 11080027 and 11080016.
  8. For Sangfor NGAF customers, update NGAF to version 8.0.5 and enable Sangfor Engine Zero.

Perform security scan and virus removal on the whole network. We recommend Sangfor NGAF to detect, prevent and protect your internal network.

Consultancy and Services

Contact us by any of the following means to gain consultancy and support service for free.

  1. Call us at +60 12711 7129 (7511)
  2. Visit Sangfor Community (http://community.sangfor.com) and ask Virtual Agent

Listen To This Post

Search

Keyword maximum 256 character

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Name
Email Address
Business Phone Number
Tell us about your project requirements

Related Articles

CVE-2024-47575: Fortinet FortiManager Authentication Vulnerability

Date : 25 Oct 2024
Read Now

CVE-2024-38819: Path Traversal Vulnerability

Date : 19 Oct 2024
Read Now

CVE-2024-40766: SonicWALL SonicOS Access Control Flaw Vulnerability

Date : 12 Sep 2024
Read Now

See Other Product

Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
Sangfor Network Secure - Next Generation Firewall
Platform-X
Sangfor Access Secure

Meet the Author

About Sangfor

Sangfor Technologies

Sangfor Technologies is a leading vendor of Cyber Security and Cloud Computing solutions. The majority of the blogs that you are seeing here are written by professionals working at Sangfor. We have a team of content writers, product managers and marketing experts who are taking care of writing articles on various topics that are relevant to our audience. Our team ensures that the articles published are factually correct and helpful to our customers and partners to know more about the recent trends on Cyber Security and Cloud, and how it can help their organizations.

  • facebook
  • twitter
  • linkedin
  • youtube
  • instagram
See Author's Detail