What is Matrix Ransomware
Matrix Ransomware is very dangerous and wide-spread ransomware virus that encrypts user files with either symmetric or asymmetric cryptography using GNU Privacy Guard (GnuPG) open source encryption software. Initial version added .matrix or .MATRIX extensions to encrypted files. However, newer generations of Matrix Ransomware began to append following extensions (beginning from the latest discovered):
.THDA, .NOBAD, .GMAN, .EMAN, .CHE08, .ITLOCK, .KOK08, .FASTBOB, .NEWRAR, .KOK8, .CORE, .FOX, .ANN, .[RestorFile@tutanota.com], .b10cked, .[RestoreFile@qq.com].MTXLOCK, .firstname.lastname@example.org, _[RELOCK001@TUTA.IO], _[Linersmik@naver.com][Jinnyg@tutanota.com], .[email@example.com]
After finishing encryption process, Matrix Ransomware can create text files with following names: matrix-readme.rtf, Readme-Matrix.rtf, !OoopsYourFilesLocked!.rtf, #What-Happened-With-Files#.rtf, !ReadMe_To_Decrypt_Files!.rtf, #Decrypt_Files_ReadMe#.rtf, #README_ANN#.rtf etc. Example of the ransom note message:
HOW TO RECOVER YOUR FILES INSTRUCTION
We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. It became possible because of bad server security.
Please don't worry, we can help you to RESTORE your server to original
state and decrypt all your files quickly and safely!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.
HOW TO RECOVER FILES???
Please write us to the e-mail (write on English or use professional translator):
You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!
In subject line write your personal ID:
[id] We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information and their total size must be less than 5Mb.
Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
We will definitely reach an agreement ;) !!!
Virus places this files in every folder with affected files. This text file contains instruction to pay the ransom, where malefactors encourage users to contact them via e-mails: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org and many others. Ransom amount is between $500 and $1500 and must be paid in Bitcoins. Matrix Ransomware has some bugs and did not encrypt all files, and this can be used to attempt decryption using free decryptors available, or using the file-recovery software. Please, note, that from time to time antivirus companies and individual security researchers and enthusiasts release full working or partially working decryptors for various kinds of ransomware. If you are not able to recover your files at the moment, keep them and wait for decryptor. Use this tutorial to remove Matrix Ransomware and decrypt .matrix, .THDA, .NOBAD, .GMAN files in Windows 10, Windows 8, Windows 7.
How Matrix Ransomware infected your PC
Matrix Ransomware virus developers still use spam e-mails with malicious attachments for distribution. Usually, attachments are DOC or XLS documents. Such documents contain built-in macros, that runs in the background when user opens the document. This macros downloads and runs main executable with random name. Since that moment Matrix starts encryption process. Antivirus may not catch this threat and we recommend you to use HitmanPro with Cryptoguard. This program can detect encryption process and stop it to prevent the loss of your files.
Download Matrix Ransomware Removal Tool
To remove Matrix Ransomware completely, we recommend you to use WiperSoft AntiSpyware from WiperSoft. It detects and removes all files, folders and registry keys of Matrix Ransomware.
How to remove Matrix Ransomware manually
It is not recommended to remove Matrix Ransomware manually, for safer solution use Removal Tools instead.
Matrix Ransomware files:
Matrix Ransomware reg keys:
How to decrypt and restore .matrix, .THDA, .NOBAD, .GMAN files
Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .matrix, .THDA, .NOBAD, .GMAN files. Download it here:
There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
If you are infected with Matrix Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. However, there is currently no automatic decryption tool for files encrypted by Matrix. To attempt to remove them you can do the following:
Use Stellar Phoenix Data Recovery Pro to restore .matrix, .THDA, .NOBAD, .GMAN files
- Download Stellar Phoenix Data Recovery Pro.
- Select location to scan for lost files and click Scan button.
- Wait until Quick and Deep scans finish.
- Preview found files and restore them.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses like Matrix Ransomware in future
1. Get special anti-ransomware software
Use Bitdefender Anti-Ransomware
Famous antivirus vendor BitDefender released free tool, that will help you with active anti-ransomware protection, as additional shield to your current protection. It will not conflict with bigger security applications. If you are searching complete internet security solution consider upgrading to full version of BitDefender Internet Security 2018.
2. Back up your files
Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is SpamFighter. It works with various desktop applications, and provides very high level of anti-spam protection.