Severity scale:  
  (96/100)

Matrix ransomware. How to remove? (Uninstall guide)

removal by Lucia Danes - - | Type: Ransomware

Matrix ransomware is a malicious program that showed up in Italy, Australia and other world's countries  

The screenshot of Matrix malware

Questions about Matrix ransomware

Matrix ransomware is a dangerous crypto-virus[1] that was detected for the first time in 2016. Previously, it showed up as a fake FBI warning. However, the latest program's version can easily encrypt victim's files and make them inaccessible. Depending on its version, the virus can add .[Files4463@tuta.io] or .[RestorFile@tutanota.com] file extension. The latest version of Matrix ransomware does not change files' names at all and drops #What_Wrong_With_Files#.rtf ransom note in every folder where encrypted files are stored by the user.

Name Matrix
Malware type Ransomware
Distribution Hacker Remote Desktop Service, spam
Versions TheMatrixHasYou, 2017 Matrix version, [Files4463@tuta.io] file extension virus, [RestorFile@tutanota.com] file extension virus
Ransom note matrix-readme.rtf, !ReadMe_To_Decrypt_Files!.rtf, #What_Wrong_With_Files#.rtf
Danger level High. Encrypts personal files, initiates malicious system's changes
Decryptable No
Download and run a full system scan to get rid of Matrix

Since then the developers started employing RIG exploit kit to boost distribution of this ransomware. After a couple of months, IT experts have noticed the hike in its activity again. The developers did not present much change in the overall design of the malware. The felons only added new email addresses.

The malware targets English and Russian-speaking users are the main targets. The ransom message is called matrix-readme.rtf, and it commands victims to contact scammers via provided email addresses: matrix9643@yahoo.com or redtablet9643@yahoo.com. Besides them, here is a short list of all emails currently emails associated to Matrix:

  • TheMatrixHasYou9643@yahoo.com
  • noliberty9643@yahoo.com
  • thematrixhasyou9643@yahoo.com
  • cremreihanob1979@yandex.ru
  • pyongyang001@yahoo.com
  • bl4ckdr4gon@tutanota.com

As soon as such malware compromises a computer, it scans for possibly important data and encodes them with AES+RSA cipher to make them inaccessible.  After that, it marks them with .matrix, [Files4463@tuta.io], [RestorFile@tutanota.com] or no extension.

In the beginning of April 2018, crooks released two new versions of Matrix ransomware virus, though the two differ from the previous versions in terms of design, ransom note, and other traits. According to ransomware researchers, the malware is being disseminated via hacked Remove Desktop Services (RDS) brute forcing the password. Nonetheless, it can also be dispersed in spam email attachments and fake updates. 

Once the attacker force install the [Files4463@tuta.io] file extension virus, it runs multiple Command Prompt scripts and encrypts most of the personal files by attaching [Files4463@tuta.io] suffix to them. After that, it creates a !ReadMe_To_Decrypt_Files!.rtf ransom note which instructs the victim to contact developers via Files4463@tuta.io, Files4463@protonmail.ch, and Files4463@gmail.com.

Please, do NOT follow these commands! You should take care of Matrix ransomware removal right after finding encrypted files on your computer. Additionally, use data recovery options that we provided in the end of this post.

Matrix crypto-malware

Another variant of Matrix ransomware can be recognized by the file extension [RestorFile@tutanota.com]. In comparison to the previous version, this one is a bit more elaborate in terms of debugging messages and cipher command. Its ransom note is named as #Decrypt_Files_ReadMe#.rtf. The victim is asked to send a unique identification number via one of the following email addresses: 

  • RestorFile@tutanota.com
  • RestoreFile@protonmail.com
  • RestoreFile@qq.com

If you’re looking for Matrix decryption tool, you should know that currently there is none. It is extremely hard to decrypt files without knowing the decryption key, and that is why ransomware developers make every effort to hide it from the computer user. Typically, they keep the decryption key to in the remote hidden servers. 

Matrix version 2

It would be unwise to remit the payment as there are no guarantees that the developers will play fair and return them. There are also doubts whether their decrypter will function properly. If it is a program, it may contribute to future crypto-malware hijack. Therefore, remove Matrix ransomware virus in a hurry. You can use anti-malware tools, such as Reimage or Malwarebytes Anti Malware, for the ransomware elimination.

We suggest you create a backup of encrypted data and keep it safely until someone releases a free decryption tool – if you have heard about TeslaCrypt[2] or PrincessLocker[3] cases, you probably understand that it is possible to decrypt files once they're encrypted; however, malware reversers need to spend a lot of time to create malware decryptors, so please be patient! 

Other versions

TheMatrixHasYou ransomware. Another example of Matrix malware has emerged recently, and it seems to be similar to the initial virus version. Just like matrix9643@yahoo.com virus, it renders files into worthless pieces of data. It converts documents, photos, databases, presentations, videos, and other files that the victim keeps in the computer into junk files that take space but cannot be used in any way.

The only noticeable difference between the initial version of the ransomware and TheMatrixHasYou virus is that the latter provides different contact emails: TheMatrixHasYou9643@yahoo.com and noliberty9643@yahoo.com, and leaves information about the attack in <Victim’s ID>.MATRIX-KEY.RTF file.

This version is also still very dangerous, and currently, there is no antidote for its poison. If your files have been encrypted, you should restore them from backup or remain patient until reverse-malware engineers discover a way to crack it and create a free decryptor. Until then, remove Matrix malware to protect your PC from additional malware.

Matrix version 1

Updated October 27, 2017. On October 2017, Matric ransomware made a comeback[4]. The authors continue relying on RIG exploit kit. There are no any crucial changes except a couple of new email addresses. One of them refers to North Korea's capital Pyongyang.

The fact that the malware is placed in .saz folder suggests it may be distributed via email attachments.  Fortunately, the latest version is already detectable (TR/Crypt.Xpack.vdzpt, Trojan.Ransom.Matrix, etc.) by security tools. The virus may hide in 1q0NOiyA.exe or alternative executable file.

[Files4463@tuta.io] file extension virus. The latest version of Matrix ransomware has been detected in the first half of April 2018. Researchers detected it spreading via hacked Remote Desktop services. It uses RSA-2048 and AES-128 encryption algorithms and creates a !ReadMe_To_Decrypt_Files!.rtf ransom note. 

The note describes the current situation and contains a personal identification number, which has to be indicated in the subject line of the email and sent to one of the following addresses:

  • Files4463@tuta.io
  • Files4463@protonmail.ch
  • Files4463@gmail.com

Unfortunately, this variant does not have a free decryptor, at least not yet. Nevertheless, we do not recommend paying the ransom as it's not clear whether the paid Matrix decryptor is reliable. 

Matrix virus ransom note

[RestorFile@tutanota.com] file extension virus. This Matrix ransomware version is almost identical to the previous one. Nevertheless, it has been developed in a more professional way as it uses a more complex debugging messaging and cipher commands. 

Nevertheless, it also renders RSA-2048 and AES-128 ciphers and targets personal files just like its predecessor. Upon encryption, locked files exhibit [RestorFile@tutanota.com] file extension. PC's desktops background is replaced by Matrix lock screen and the victim is represented with a ransom note named #Decrypt_Files_ReadMe#.rtf. The latter can be found not only on the desktop, but also each folder containing encrypted data. 

The victim is demanded to provide a unique ID number to get payment instructions. For this purpose, they have to write down an email message and send to RestorFile@tutanota.com, RestoreFile@protonmail.com, and RestoreFile@qq.com email addresses. 

The [RestorFile@tutanota.com] file extension is not decryptable for free. 

Matrix ransomware debugging messages

Matrix virus hides under fake FBI notice 

Receiving an urgent alert from the Federal Bureau of Investigation, National Security Agency or another legal institution is not a pleasant experience, as long it is genuine. Likewise, similar institutions inspire cyber villains to polish their hacking techniques.

The current version of Matrix malware frightens users into thinking that their computer and data have been locked due to the US law violation. The counterfeited messages claim that their devices have been blocked due to the detected content of child pornography and similar criminal activities.

It also refers to the Criminal Code to deceive users more. However, few affected netizens might check the referred article and find out the different content. Keep in mind that mentioned institutions do not urge you to pay any amount of money within a specified amount of them.

Matrix hackers expect you to remit the payment within 96 hours in order to escape life imprisonment sentence. It is not difficult to look through the deception since the crooks provide a Bitcoin address and thematrixhasyou9643@yahoo.com and cremreihanob1979@yandex.ru. 

Be vigilant when reviewing the spam folder. Do not open any email attachments before verifying the sender. Hackers often leave grammar mistakes and typos in such messages. Matrix hijack is performed with the assistance of JNwpM1mu.exe executable file. It can occupy a device via HEUR/QVM10.1.0000.Malware.Gen,  malicious_confidence_100% (D),TR/Crypt.Xpack.uhqit, and similar trojan horses. 

RIG exploit kit accelerates ransomware distribution 

Sadly, many computer users are not aware of ransomware menace so that they can become victims easily. Though spam emails remain the popular distribution method among Cerber and Locky authors, others enwrap their malware in the disguise of corrupted apps. BadRabbit virus illustrates this case.[5]

Therefore, make sure you pay attention to what sources and what programs you download from. Avoid installing software other than official sites. pay attention to the “publisher”  – it should indicate the name of the official company other than “unknown.”

Matrix virus elimination steps

Now that you know how ransomware spreads and how to avoid installing such viruses, you probably want to remove Matrix virus as soon as possible. The first question you should answer is whether you have a malware removal tool or not. If not, follow these Matrix removal guidelines to delete Matrix virus from the system for good. To eliminate it, you will need a good anti-malware software. Before you do it, reboot your PC using instructions provided below.

Now let's discuss the ransom part. First of all, if you're willing to pay it, do not delete the infection – do it afterward. However, we strongly recommend you not to pay the ransom. There are numerous reasons why it is not worth paying; there are insufficient possibilities that criminals will decide to give you the decryption key to unlock files[6].

Besides, if you paid, you would encourage scammers to keep going and creating more malware. This will cause the number of ransomware victims grow. Although it is not a direct way to fight with ransomware, it can help to lower the number of ransomware cases in general. If victims stopped paying ransoms, cyber criminals would no longer see a point to create them.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Matrix ransomware you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Matrix ransomware. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

To remove Matrix virus, follow these steps:

Remove Matrix using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Matrix

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Matrix removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Matrix using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Matrix. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Matrix removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Matrix from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If files have been encrypted, you can try our suggested methods to recover them. However, we strongly advise you to create a backup of encrypted files to have an intact copy. Sometimes failure to decrypt files can completely destroy them!

If your files are encrypted by Matrix, you can use several methods to restore them:

Data Recovery Pro

 

If you want, you can use Data Recovery Pro to decrypt your files. You can find full instructions on how to use such tool below.

Find those Windows Previous Versions

Windows Previous Versions come in handy when the current data versions get corrupted. If you enabled System Restore function a while ago, you can try to recover your files now. Bear in mind that this method helps to fix files one by one, so if you want to restore a big number of files at once, this is not the method you should go for. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Matrix and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Lucia Danes
Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions

References

Removal guides in other languages