A new variant of the Matrix ransomware dubbed “Fox Ransomware” was discovered renaming encrypted files and appending the .FOX extension to the file name.
MalwareHunterTeam security researchers spotted the ransomware and noted that, like its predecessor, the newest variant communicates heavily with its command-and-control server and displays consoles that provide status updates on the encryption process, according to an Aug. 20 Bleeping Computer post.
Researchers also noted that although there currently isn’t a free way to decrypt files that fall victim to the malware, the ransomware uses a slow and exhaustive process to make sure each file is closed and available for encryption, which makes it easier to detect.
“The good news is that since the ransomware tries so hard to close all file handles associated with the file it is trying to encrypt, the encryption process is very slow,” Bleeping Computer researchers said in the post. “This allows a user to potentially discover that they are infected before the process is fully completed.”
The ransomware is installed through computers running Remote Desktop Services: attackers scan ranges of IP addresses to find open RDP services and then brute-force the password. The attacker then manually installs the ransomware, which displays various console windows showing the progress of the encryption of the computer.
To defend against infections, researchers recommend that users keep a reliable and tested backup of their data that can easily be restored in an emergency, and set up proper account lockout policies that help prevent brute-force attacks.
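The RDP password guessing described above shows up as a burst of failed logons before any ransomware is installed. The following Python example is added here and is not from the article or the researchers; it flags such a burst per source address and then any successful logon that follows it. The log layout, thresholds and function names are assumptions, while 4625/4624 and logon types 3 and 10 are the Windows Security log values for failed/successful logons and network/RDP sessions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not a real export format):
# time, Security event ID, logon type, account, source IP.
# 4625 = failed logon, 4624 = successful logon; type 10 = RemoteInteractive (RDP),
# type 3 = Network (how failed RDP logons appear when NLA is enabled).
SAMPLE_LOG = """\
2018-08-20T02:00:01,4625,3,administrator,203.0.113.7
2018-08-20T02:00:03,4625,3,administrator,203.0.113.7
2018-08-20T02:00:05,4625,3,admin,203.0.113.7
2018-08-20T02:00:08,4625,3,administrator,203.0.113.7
2018-08-20T02:00:11,4625,3,administrator,203.0.113.7
2018-08-20T02:03:40,4624,10,administrator,203.0.113.7
2018-08-20T08:15:00,4625,10,alice,198.51.100.20
2018-08-20T08:15:30,4624,10,alice,198.51.100.20
"""

def parse(log_text):
    """Yield (time, event_id, logon_type, account, source_ip) tuples."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.strip().split(",")
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), account, ip

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10),
                          follow_up=timedelta(hours=1)):
    """Return alerts for failure bursts and for logons that follow a burst."""
    failures = defaultdict(deque)   # source IP -> failure times inside the window
    bursting = {}                   # source IP -> time its burst was flagged
    alerts = []
    for ts, event_id, logon_type, account, ip in sorted(parse(log_text)):
        if logon_type not in (3, 10):
            continue                # ignore local, service and batch logons
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if event_id == 4625:
            recent.append(ts)
            if len(recent) >= threshold and ip not in bursting:
                bursting[ip] = ts
                alerts.append(("BRUTE_FORCE", ip, account, ts))
        elif event_id == 4624 and ip in bursting:
            if ts - bursting.pop(ip) <= follow_up:
                alerts.append(("LOGON_AFTER_BRUTE_FORCE", ip, account, ts))
    return alerts
```

A `LOGON_AFTER_BRUTE_FORCE` alert is the point at which the account should be treated as compromised, since it precedes the manual installation step.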
In addition, basic cybersecurity hygiene practices of not opening attachments from unknown individuals, scanning attachments for infection before downloading them, keeping systems updated, and using strong passwords