
Matrix ransomware. How to remove? (Uninstall guide)

Removal guide by Lucia Danes | Type: Ransomware

Matrix ransomware is a crypto virus that keeps introducing new file extensions to mark encrypted data

Screenshot of Matrix malware. Matrix is a ransomware that was first discovered in 2016.


Matrix ransomware[1] is a file-locking virus that has been making the rounds since November 2016. Initially, the virus started out as a screen locker that accused users of illegal activities (such as viewing child pornography) and did not touch the data on the computer. Over time, however, Matrix ransomware evolved and is now operating as a fully functional crypto locker. It uses a combination of the AES and RSA ciphers to lock up data and adds an appendix to each affected file. The first variant used the .Matrix or .MATRIX!!! extensions and dropped a ransom note named MATRIX-Readme.rtf written in Russian and English. All the newer versions of the Matrix virus add different extensions, such as .b10cked, .[Files4463@tuta.io], .CORE, Fox Matrix, .FASTBOB, .ITLOCK, .EMAN, etc.

Name: Matrix
Malware type: Ransomware
Distribution: Hacked Remote Desktop Service, spam
Encryption method: AES-128 and RSA-2048
Versions: TheMatrixHasYou, 2017 Matrix version, [Files4463@tuta.io] file extension virus, [RestorFile@tutanota.com] virus, [BatHelp@protonmail.com].-.CORE virus, Fox Matrix, .KOK8, .NEWRAR, .FASTBOB, .ITLOCK, .EMAN
Ransom note: matrix-readme.rtf, !ReadMe_To_Decrypt_Files!.rtf, #What_Wrong_With_Files#.rtf, #CORE_README#.rtf, #FOX_README#.rtf, #KOK08_README#.rtf, #_#FASTBOB_README#_#.rtf, !ITLOCK_README!.rtf, #README_EMAN#.rtf
Danger level: High. Encrypts personal files, initiates malicious system changes
Decryptable: No

According to researchers, Matrix ransomware is still active in 2018 and continues to receive updates that change the file extension used or the ransom note. The extensions include, but are not limited to, the following:

  • .[Files4463@tuta.io];
  • .[RestorFile@tutanota.com];
  • .[BatHelp@protonmail.com].-.CORE;
  • .FOX;
  • [KOK8@protonmail.com].-.KOK8;
  • .KOK08;
  • .FASTBOB;
  • .ITLOCK;
  • .EMAN.

A few versions of this malware do not change file names and only drop a #What_Wrong_With_Files#.rtf or #CORE_README#.rtf ransom note in every folder. The latest variant, called .ITLOCK ransomware, uses the !ITLOCK_README!.rtf ransom warning. Another recent version of the Matrix ransomware virus, known as FOX ransomware, has already managed to attack a few victims in Spain. This ransomware spreads to devices via insecure, publicly accessible Remote Desktop Services and spam email attachments.
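To turn the extensions and ransom note names listed above into something a defender can check for, here is an added scanner (example code written for this article, not the malware's code or any vendor tool). It matches file names against the suffixes and note names this page lists, including the [hacker's email].[random_ID].FOX pattern described in the Fox section; the sample paths are constructed, and scan_tree() is a hypothetical helper that runs the same check over a real directory.

```python
import os
import re
from collections import Counter

# Ransom note file names this article associates with Matrix variants (lower-cased).
MATRIX_RANSOM_NOTES = {
    "matrix-readme.rtf", "!readme_to_decrypt_files!.rtf", "#what_wrong_with_files#.rtf",
    "#decrypt_files_readme#.rtf", "#core_readme#.rtf", "#fox_readme#.rtf", "#kok08_readme#.rtf",
    "#_#fastbob_readme#_#.rtf", "!itlock_readme!.rtf", "#readme_eman#.rtf",
}
# Plain suffixes listed in the article, mapped to the variant they indicate.
PLAIN_SUFFIXES = {
    ".matrix": "Matrix (original)", ".matrix!!!": "Matrix (original)", ".b10cked": "b10cked",
    ".core": "CORE", ".kok8": "KOK8", ".kok08": "KOK08", ".newrar": "NEWRAR",
    ".fastbob": "FASTBOB", ".itlock": "ITLOCK", ".eman": "EMAN",
}
# ".[Files4463@tuta.io]" style suffix, optionally followed by ".-.NAME" (".[BatHelp@protonmail.com].-.CORE").
EMAIL_SUFFIX = re.compile(r"\.\[([^\[\]\s@]+@[^\[\]\s@]+)\](?:\.-\.([A-Za-z0-9]+))?$")
# Fox pattern from the article: [hacker's email].[random_ID].FOX
FOX_SUFFIX = re.compile(r"\[([^\[\]\s@]+@[^\[\]\s@]+)\]\.\[([A-Za-z0-9]+)\]\.FOX$", re.I)


def classify(path):
    """Return ("ransom_note", note_name) or ("encrypted", variant_detail) for one
    file path, or None if the file name shows no Matrix artifact."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]   # accept Windows or POSIX paths
    low = name.lower()
    if low in MATRIX_RANSOM_NOTES:
        return ("ransom_note", name)
    m = FOX_SUFFIX.search(name)
    if m:
        return ("encrypted", f"FOX (contact {m.group(1)}, id {m.group(2)})")
    m = EMAIL_SUFFIX.search(name)
    if m:
        variant = m.group(2) or "[email] extension"
        return ("encrypted", f"{variant} (contact {m.group(1)})")
    for suffix, variant in PLAIN_SUFFIXES.items():
        if low.endswith(suffix):
            return ("encrypted", variant)
    return None


def scan(paths):
    """Summarise which Matrix variants a list of file paths points to."""
    encrypted = Counter()   # variant detail -> number of encrypted files seen
    notes = set()           # distinct ransom note names found
    for p in paths:
        hit = classify(p)
        if hit and hit[0] == "ransom_note":
            notes.add(hit[1])
        elif hit:
            encrypted[hit[1]] += 1
    return {"encrypted": encrypted, "ransom_notes": notes}


def scan_tree(root):
    """Hypothetical helper: run scan() over every file under a real directory."""
    return scan(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample paths (not from a real incident) that mimic Matrix artifacts.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.[Files4463@tuta.io]",
    r"C:\Users\alice\Documents\!ReadMe_To_Decrypt_Files!.rtf",
    r"C:\Users\alice\Pictures\holiday.jpg.[PabFox@protonmail.com].[A1B2C3].FOX",
    r"C:\Users\alice\Pictures\#FOX_README#.rtf",
    r"C:\Data\contract.docx.[BatHelp@protonmail.com].-.CORE",
    r"C:\Data\notes.txt.ITLOCK",
    r"C:\Data\archive.zip.MATRIX!!!",
    r"C:\Data\report.pdf",  # untouched file, must not be flagged
]
```

Running scan(SAMPLE_PATHS) reports five encrypted files across four variants and two ransom notes; a hit on any single ransom note name is enough to start the removal steps below.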

Since then, the developers have employed the RIG exploit kit to boost distribution of this ransomware. After a couple of months, IT experts noticed another spike in its activity. The developers did not change the overall design of the malware much; the felons only added new email addresses.

English- and Russian-speaking users are the malware's main targets. The ransom message is called matrix-readme.rtf, and it instructs victims to contact the scammers via the provided email addresses: matrix9643@yahoo.com or redtablet9643@yahoo.com. Besides them, here is a short list of all the email addresses currently associated with Matrix:

  • TheMatrixHasYou9643@yahoo.com
  • noliberty9643@yahoo.com
  • thematrixhasyou9643@yahoo.com
  • cremreihanob1979@yandex.ru
  • pyongyang001@yahoo.com
  • bl4ckdr4gon@tutanota.com
  • PabFox@protonmail.com
  • FoxHelp@cock.li
  • FoxHelp@tutanota.com
  • KOK08@protonmail.com
  • FastBob@protonmail.com

As soon as the malware compromises a computer, it scans for potentially important data and encodes it with the AES+RSA cipher combination to make it inaccessible. After that, it marks the files with the .matrix, [Files4463@tuta.io] or [RestorFile@tutanota.com] extension, or with no extension at all.

Matrix version 1. Matrix ransomware is an infamous cyber threat which has numerous versions.

At the beginning of April 2018, crooks released two new versions of the Matrix ransomware virus, and the two differ from the previous versions in terms of design, ransom note, and other traits. According to ransomware researchers, the malware is being disseminated via hacked Remote Desktop Services (RDS), with the attackers brute-forcing the password. Nonetheless, it can also be dispersed in spam email attachments and fake updates.

Once the attacker installs the [Files4463@tuta.io] file extension virus, it runs multiple Command Prompt scripts and encrypts most of the personal files, attaching the [Files4463@tuta.io] suffix to them. After that, it creates a !ReadMe_To_Decrypt_Files!.rtf ransom note which instructs the victim to contact the developers via Files4463@tuta.io, Files4463@protonmail.ch, and Files4463@gmail.com.

Matrix version 2. Matrix ransomware is a file-encrypting virus which uses different file extensions depending on the version.

Please do NOT follow the instructions in the ransom note! You should take care of Matrix ransomware removal right after finding encrypted files on your computer. Additionally, use the data recovery options we provide at the end of this post.

Another variant of Matrix ransomware can be recognized by the [RestorFile@tutanota.com] file extension. Compared to the previous version, this one is a bit more elaborate in terms of debugging messages and cipher commands. Its ransom note is named #Decrypt_Files_ReadMe#.rtf. The victim is asked to send a unique identification number to one of the following email addresses:

  • RestorFile@tutanota.com
  • RestoreFile@protonmail.com
  • RestoreFile@qq.com

If you're looking for a Matrix decryption tool, you should know that currently there is none. It is extremely hard to decrypt files without knowing the decryption key, and that is why ransomware developers make every effort to hide it from the computer user. Typically, they keep the decryption key on remote hidden servers.

Matrix ransomware debugging messages. Matrix ransomware is still active in 2018 and receives updates.

It would be unwise to remit the payment, as there are no guarantees that the developers will play fair and return your files. There are also doubts whether their decrypter will function properly, and if it is a program, it may open the door to future crypto-malware infections. Therefore, remove the Matrix ransomware virus without delay. You can use anti-malware tools, such as Reimage, Plumbytes Anti-Malware or Malwarebytes, for the ransomware elimination.

We suggest you create a backup of the encrypted data and keep it safe until someone releases a free decryption tool. If you have heard about the TeslaCrypt[2] or PrincessLocker[3] cases, you probably understand that it is possible to decrypt files once they're encrypted; however, malware reversers need to spend a lot of time creating decryptors, so please be patient!

The list of Matrix ransomware versions 

TheMatrixHasYou ransomware.

This version of Matrix ransomware does not differ much from the original. It is also designed to encrypt the most valuable information, including videos, music, photos, documents and audio files. The victim can no longer open or use the encrypted information.

The only noticeable difference between the initial version of the ransomware and the TheMatrixHasYou virus is that the latter provides different contact emails, TheMatrixHasYou9643@yahoo.com and noliberty9643@yahoo.com, and leaves information about the attack in a <victim's ID>.MATRIX-KEY.RTF file.

This version is also still very dangerous, and there is no antidote for its poison. If your files have been encrypted, you should restore them from a backup or remain patient until malware reverse engineers discover a way to crack it and create a free decryptor. Until then, remove the Matrix malware to protect your PC from additional malware.

Matrix virus ransom note. Matrix ransomware is a crypto-malware which drops the ransom note after file encryption.

Updated October 27, 2017. In October 2017, Matrix ransomware made a comeback[4]. The authors continue to rely on the RIG exploit kit. There are no crucial changes except a couple of new email addresses. One of them refers to North Korea's capital, Pyongyang.

The fact that the malware is placed in a .saz folder suggests it may be distributed via email attachments. Fortunately, the latest version is already detected by security tools (TR/Crypt.Xpack.vdzpt, Trojan.Ransom.Matrix, etc.). The virus may hide in 1q0NOiyA.exe or an alternative executable file.

[Files4463@tuta.io] file extension virus.

This version of Matrix ransomware has been detected in the first half of April 2018. Researchers detected it spreading via hacked Remote Desktop services. It uses RSA-2048 and AES-128 encryption algorithms and creates a !ReadMe_To_Decrypt_Files!.rtf ransom note. 

The note describes the current situation and contains a personal identification number, which has to be indicated in the subject line of the email and sent to one of the following addresses:

  • Files4463@tuta.io
  • Files4463@protonmail.ch
  • Files4463@gmail.com

Unfortunately, this variant does not have a free decryptor, at least not yet. Nevertheless, we do not recommend paying the ransom as it's not clear whether the paid Matrix decryptor is reliable. 

Matrix crypto-malware. Matrix is a dangerous cyber infection which can make files unusable.

[RestorFile@tutanota.com] file extension virus.

This Matrix ransomware version is almost identical to the previous one. Nevertheless, it has been developed in a more professional way, as it uses more elaborate debugging messages and cipher commands.

It also uses the RSA-2048 and AES-128 ciphers and targets personal files just like its predecessor. Upon encryption, locked files carry the [RestorFile@tutanota.com] file extension. The desktop background is replaced by the Matrix lock screen, and the victim is presented with a ransom note named #Decrypt_Files_ReadMe#.rtf. The latter can be found not only on the desktop but also in each folder containing encrypted data.

The victim is told to provide a unique ID number to get payment instructions. For this purpose, they have to write an email and send it to the RestorFile@tutanota.com, RestoreFile@protonmail.com, and RestoreFile@qq.com addresses.

The [RestorFile@tutanota.com] file extension is not decryptable for free. 

Fox Matrix ransomware.

Fox ransomware was discovered in August 2018 as the latest version of the Matrix virus. The encryption is done using the AES-128 and RSA-2048 methods. Every modified file gets an extension in this pattern: [hacker's email].[random_ID].FOX. The Fox virus places a ransom note, #FOX_README#.rtf, containing instructions for further actions in every folder that has modified data. In this note, the virus developers provide contact emails: PabFox@protonmail.com; FoxHelp@cock.lt; FoxHelp@tutanota.com. It spreads by breaking in through RDS.

There is no official decryption tool, so we recommend removing Fox Matrix ransomware using proper anti-malware tools. Only then can you focus on the important data recovery process. DO NOT contact the cybercriminals and DO NOT pay the demanded ransom. This may lead to permanent data or money loss.

.KOK08 file extension virus.

At the beginning of September 2018, researchers spotted a new version of the Matrix malware. It runs its encryption code to compromise valuable data and appends the .KOK08 file extension afterward. Note that this version is similar to the .KOK8 file extension virus, as the suffix used is almost identical.

Victims receive a ransom note named #KOK08_README#.rtf which, like every other message from this virus, informs them about the data encryption. The hackers merely indicate the KOK08@protonmail.com email address for contact purposes. Victims are supposed to write to the provided email, although experts do not recommend doing so.

.FASTBOB file extension virus.

Just a few days later, researchers discovered another updated variant of Matrix ransomware. As with the other upgrades, the criminals haven't changed anything essential except the extension and the name of the ransom note.

This new version of the Matrix malware appends the .FASTBOB file extension after data encryption. Users receive instructions on how to decrypt their information in the #_#FASTBOB_README#_#.rtf ransom note. The message urges them to contact the crooks via the FastBob@protonmail.com email address.

.ITLOCK file extension virus.

The .ITLOCK variant showed up in mid-September and was discovered by independent security researchers.[5] The malware uses AES and RSA to lock files and demands a ransom via the !ITLOCK_README!.rtf message. The crooks demand that users contact them at itcompany2018@qq.com to receive instructions on how to recover the encoded files. As usual, we do not recommend contacting the cybercriminals; use alternative methods for file recovery after .ITLOCK ransomware removal has been completed with reputable security tools.

.ITLOCK file extension virus. Crooks often use spam emails to infect user computers with ransomware like the .ITLOCK virus.

Crooks behind Matrix virus impersonate law enforcement agencies

Since notices from law enforcement agencies, including the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and others, can be intimidating, hackers try to take advantage of puzzled people and employ social engineering tactics to obtain illegal profits.

The current version of the Matrix malware frightens users into thinking that their computer and data have been locked due to a violation of US law. The counterfeit messages claim that their devices have been blocked because child pornography and similar criminal content was detected.

It also refers to the Criminal Code to deceive users further. However, affected users who look up the cited article will find that its content is different. Keep in mind that the mentioned institutions never urge you to pay any amount of money within a specified amount of time.

The Matrix hackers expect you to remit the payment within 96 hours in order to escape a life imprisonment sentence. It is not difficult to see through the deception, since the crooks provide a Bitcoin address and the thematrixhasyou9643@yahoo.com and cremreihanob1979@yandex.ru email addresses as contacts.

Be vigilant when reviewing the spam folder. Do not open any email attachments before verifying the sender. Hackers often leave grammar mistakes and typos in such messages. The Matrix hijack is performed with the assistance of the JNwpM1mu.exe executable file, which security tools flag under detection names such as HEUR/QVM10.1.0000.Malware.Gen, malicious_confidence_100% (D), TR/Crypt.Xpack.uhqit and similar.

Hackers employ exploit kits for ransomware distribution

Usually, criminals aim to infect as many computers as possible to increase their ransomware payments. For that, they employ not only social engineering tactics but also exploit kits to break into PC systems. One of the most popular is the RIG exploit kit, which probes for system vulnerabilities and delivers the ransomware.

Therefore, make sure you pay attention to which sources and which programs you download from. Avoid installing software from anywhere other than official sites, and pay attention to the "publisher" field: it should show the name of the official company rather than "unknown."

Safely uninstall Matrix virus from your PC

For Matrix removal, you should consider installing a reliable antivirus tool. Our top recommendations are Reimage, Malwarebytes and Combo Cleaner. These security tools can be downloaded and installed once you boot your computer into Safe Mode. You will find instructions showing how to delete Matrix ransomware and reboot the system into Safe Mode at the end of this article.

Now let's discuss the ransom part. First of all, if you are willing to pay it, do not delete the infection until afterward. However, we strongly recommend that you do not pay the ransom. There are numerous reasons why it is not worth paying; above all, there is little chance that the criminals will decide to give you the decryption key to unlock your files[6].

Besides, if you paid, you would encourage the scammers to keep going and create more malware, which would cause the number of ransomware victims to grow. Although refusing to pay is not a direct way to fight ransomware, it can help to lower the number of ransomware cases in general. If victims stopped paying ransoms, cybercriminals would no longer see a point in creating them.


To remove Matrix virus, follow these steps:

Remove Matrix using Safe Mode with Networking

Rebooting your computer into Safe Mode with Networking requires you to perform these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Matrix

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Matrix removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Matrix using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated prior to the Matrix infiltration. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that Matrix removal has been performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Matrix from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If files have been encrypted, you can try our suggested methods to recover them. However, we strongly advise you to create a backup of encrypted files to have an intact copy. Sometimes failure to decrypt files can completely destroy them!

If your files are encrypted by Matrix, you can use several methods to restore them:

Data Recovery Pro


If you want, you can use Data Recovery Pro to decrypt your files. You can find full instructions on how to use the tool below.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Matrix ransomware;
  • Restore them.

Find those Windows Previous Versions

Windows Previous Versions come in handy when the current versions of your data get corrupted. If you enabled the System Restore function a while ago, you can try to recover your files now. Bear in mind that this method restores files one by one, so if you want to restore a large number of files at once, this is not the method to go for.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer can help you with data decryption

If you are lucky and the ransomware hasn't managed to delete or compromise Shadow Volume Copies in any way, you might get help from ShadowExplorer tool. For more information, follow these steps:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Currently, a Matrix decryptor is still in development.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Matrix and other ransomware, use a reputable anti-spyware tool such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Lucia Danes - Virus researcher
