How To Eliminate Matrix (Fake FBI) Ransomware And Decrypt Files

Matrix is ransomware that encrypts your files so they can no longer be opened. It then demands a Bitcoin payment and gives you a limited time to pay.

This virus has been updated several times and comes back in a different form with each version. Currently it is known to change the extensions of encrypted files to .matrix, .MATRIX or .b10cked. The last extension is used by the version that displays a fake FBI warning.

We strongly discourage you from paying the ransom. Instead, remove the threat and then follow our file recovery guide to retrieve the encrypted files. We recommend the automatic removal tool provided below, as it not only removes the ransomware but also protects your computer in the future.


Recommended Method: Download Ransomware Removal Tool

This is the most suitable program for automatically removing the threat and repairing your PC. Works with Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP.

File name: mb3-setup.exe (56.5 MB)

What is Matrix (fake FBI warning) ransomware?

The ransomware got its name because the contact email addresses used by the first versions contained the word “Matrix“. It is also sometimes called “Malta“ ransomware, after the name of an executable file used to infect computers. Recent versions have switched from a plain ransom note to scaring users with a fake FBI warning. The .matrix and .MATRIX extensions belong to the earlier versions, while .b10cked indicates infection by the updated variant.

Some versions rename encrypted files completely and embed a victim ID in the new name (e.g. “sample.doc” becomes “3T7irdExQcX.id-D31FE624BF22D8AF.MATRIX“; the hexadecimal value after “id-“ is the identifier the ransom note asks you to send, not the decryption key), while others keep the original name and simply append an extension (e.g. “sample.doc” becomes “sample.doc.b10cked“).
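The two naming schemes above are enough to take an inventory of what was encrypted before you touch anything else. The PowerShell script below is an added example, not code from the original guide: it walks a directory tree, matches both extension styles (the `-match` operator is case-insensitive, so .matrix and .MATRIX are covered by one pattern), pulls the victim ID out of renamed files, writes a CSV you can keep with your backup of the encrypted files, and reports the newest write time, which tells you roughly when the encryption finished. The scan root and report path are placeholders.

```powershell
# Added example (not from the original guide): inventory files carrying a Matrix
# extension and pull the victim ID out of renamed files.
# Assumptions: the scan root and report path below are placeholders; adjust them.
param(
    [string]$Root   = $env:USERPROFILE,
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\matrix-inventory.csv')
)

# Extensions named in the guide. -match is case-insensitive, so one pattern
# covers .matrix, .MATRIX and .b10cked.
$extPattern = '\.(matrix|b10cked)$'
# Renamed-file form from the guide: <random>.id-<16 hex chars>.MATRIX
$idPattern  = '\.id-(?<id>[0-9A-Fa-f]{16})\.'

$hits = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $extPattern } |
    ForEach-Object {
        $victimId = if ($_.Name -match $idPattern) { $Matches['id'] } else { '' }
        [pscustomobject]@{
            Path      = $_.FullName
            Extension = $_.Extension
            VictimId  = $victimId
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTime
        }
    })

$hits | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
"{0} encrypted file(s) found under {1}; inventory written to {2}" -f $hits.Count, $Root, $Report
$hits | Group-Object Extension | Select-Object Name, Count
# The newest write time is roughly when encryption finished; use it later when
# choosing a restore point or shadow copy that predates the attack.
if ($hits.Count) { ($hits | Sort-Object Modified | Select-Object -Last 1).Modified }
$hits | Where-Object { $_.VictimId } | Select-Object -ExpandProperty VictimId -Unique
```

Run it once per drive (pass a different `-Root`) and keep the CSV with the copy of the encrypted files you make later; if a decrypter appears, the victim ID and the list of affected files are the first things it will ask for.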

Matrix ransomware does not provide a Bitcoin address or a payment website. Instead, it lists several email addresses to contact for further instructions. If you write to the criminals you will receive a reply saying that your files were encrypted with the RSA-2048 algorithm and that you must buy a decryption key immediately. The email addresses currently associated with this virus are the following:

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

There are several ransom notes associated with this virus. Here is one example:

Attention! All your files was encrypted.
To decrypt the files, You have to should send the following code:
ID-E4ACADFF7C070445
to e-mail address: [email protected]
Then You will recieve all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first 
because the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more thon 24 heurs 
(and only in this case!), use the reserve e-mail address:
[email protected]

And here is another, a text pretending to be a warning from the FBI:

ALL YOUR FILES HAVE BEEN LOCKED!
This operating system and all of important data was locked due to the violation of the federal laws 
of the United States of America! (Article 1, Section 8, Clause 8; Article 202; Article 210 of the Criminal Code 
of U.S.A provides for a deprivation of liberty for four to twelve years.)
Following violations were detected: Your IP address was used to visit websites containing pornography, 
child pornography, zoophilia and child abuse. Your computer also contains video files with pornographic content, 
elements of violence and child pornography! This computer is aimed to stop your illegal activity. 
To unlock your files you have to pay the penalty! You have only 96 hours to pay the penalty, 
otherwise you will be arrested! You must pay the penalty through Bitcoin Wallet. 
To pay the penalty and unlock you data, you should send the following code: - to our agent e-mails: 
[email protected] or [email protected] You will receive all necessaryy instructions! 
HURRY UP OR YOU WILL BE ARRESTED!!!

The notes may also exist in Russian or other languages. Here are all currently known ransom note file names:

12345-MATRIX-README.RTF
Bl0cked-ReadMe.rtf
Readme-Matrix.rtf
WhatHappenedWithMyFiles.rtf

Here is a short summary of the currently known virus updates (newest at the top):

  • April 4, 2017: the most recent version, which displays the fake FBI warning and introduces the .b10cked file extension.
  • April 2, 2017: a slight update to the previous version; the ransom note looks almost identical.
  • February 24, 2017: an update that used a file named “AAM Updates Notifier.exe” for infections and made some fixes to the file encryption routine.
  • December 1, 2016: Matrix ransomware was spotted by malware researchers for the first time.

The virus is distributed through various channels. In many cases it reaches the victim disguised as an important email attachment and infects the computer as soon as the attachment is opened. Sometimes it is bundled with other downloads from the internet and installs silently in the background. As soon as it gains access to your file system it starts encrypting your personal data, and it displays the ransom note only after the process finishes. Therefore, if you think you have just been infected and some files are still unencrypted, power off the PC immediately to stop the encryption and salvage what you can; also unplug the network cable or disable Wi-Fi so that files on shared drives are not reached.

Even though the criminals promise a decryption key, there is no guarantee that it will restore your files correctly or work at all. You could lose $500 to $1500 and still have the infection on your system. Therefore, we recommend removing the threat yourself instead of financing the ransomware creators.

The automatic removal tool listed above will scan your system, then detect and remove this and any other threats. It will also protect your computer so you can avoid similar problems in the future. We also have a manual removal guide for experienced Windows users; if you choose that option, you are still strongly advised to install antivirus software afterwards.

Move on to file recovery guide only after you have successfully eliminated the threat from your PC. Otherwise the files might get encrypted again and you might cause even more damage.

Here are some screenshots of Matrix / fake FBI warning (b10cked) ransomware:

(screenshots of the ransom notes: images not reproduced here)

Manual Removal Instructions:

NB: Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also print it out or open on another device.

Editing important Windows files and settings can be risky. We recommend using the automatic removal tool for an easier removal process and in order to avoid any damage to your Windows operating system, since Matrix is a complicated and dangerous ransomware.

Do not skip any steps as otherwise the threat might come back again and cause more damage.

Step 1:

Find any processes that might be associated with the Matrix / FBI virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on the Windows taskbar and choosing Start Task Manager (just Task Manager on Windows 8 and later).

Go to Processes tab.

All currently running processes will be listed.

 

Right-click on each of the suspicious processes you find in the list and choose Open File Location.

Start with these process names, which the known samples have used or imitated:

svchost.exe
malta.exe
AAM Updates Notifier.exe

Note that svchost.exe is a legitimate Windows process: the real one runs from C:\Windows\System32 (or C:\Windows\SysWOW64), so only an svchost.exe whose Open File Location points anywhere else is suspect. Also look for other randomly named .exe files, especially ones running from your Temp, AppData or Downloads folders.

Go to virustotal.com and upload the file from the folder that just opened. If you would rather not upload the file itself, VirusTotal also lets you search by the file's SHA-256 hash.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all suspicious processes.
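Checking processes one by one in Task Manager is error-prone, because the ransomware can use any name. The script below is an added example, not part of the original guide: it lists every running process with its image path and SHA-256, marks the names the guide associates with Matrix samples, marks any svchost.exe that does not run from System32 or SysWOW64, and marks processes running outside the Windows and Program Files trees. Run it from an elevated PowerShell so the image path of processes belonging to other users is visible. The "odd-location" flag is a heuristic (some legitimate programs, for example browsers and chat clients, run from LocalAppData), so treat it as a prompt to look, not as a verdict.

```powershell
# Added example (not from the original guide): triage running processes by image
# path and hash. Flags are heuristics; confirm with a VirusTotal hash search.
$svchostOk = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }
# Names the guide associates with Matrix samples.
$knownBad = @('malta.exe', 'AAM Updates Notifier.exe')

$report = Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) { return }          # System, Registry, Idle etc. expose no image path
    $name  = $_.Name
    $flags = @()
    if ($knownBad -contains $name) { $flags += 'known-name' }
    # The genuine svchost.exe lives only in System32/SysWOW64; any other path is an impostor.
    if ($name -ieq 'svchost.exe' -and ($svchostOk -notcontains $path)) { $flags += 'fake-svchost' }
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    if (-not $inTrusted) { $flags += 'odd-location' }   # e.g. %Temp%, %AppData%, Downloads
    [pscustomobject]@{
        PID    = $_.ProcessId
        Name   = $name
        Flags  = ($flags -join ',')
        SHA256 = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        Path   = $path
    }
}
# Flagged processes first. Paste a SHA256 into the VirusTotal search box instead of
# uploading the file when you do not want to share its contents.
$report | Sort-Object { $_.Flags -eq '' }, Name | Format-Table -AutoSize
```

Once you have confirmed a process is malicious, `Stop-Process -Id <PID> -Force` ends it, after which the file at the listed path can be deleted; note the path and hash first, because the same hash is what you will look for again in the startup and registry checks that follow.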

Step 2:

Check your hosts file for any suspicious IPs.

Press and hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

notepad %windir%\System32\drivers\etc\hosts

Click OK. (To be able to save changes, Notepad must be run as administrator: open Notepad from the Start menu with right-click, Run as administrator, then open the same path through File, Open.)

The hosts file (it has no extension) opens in Notepad. Lines beginning with “#” are comments and are ignored by Windows. Any other line maps a host name to an IP address: remove entries you do not recognise, but keep “127.0.0.1 localhost” (and “::1 localhost”, if present). Save the file when you are done.

Step 3:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold Windows () key and click R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries. (On Windows 8 and later this tab only contains a link to Task Manager; open Task Manager, go to its Startup tab and use Disable instead.)

The infected or fake startup items usually show “Unknown” as the Manufacturer, although they sometimes pretend to be legitimate programs.

Check where each item runs from by hovering the mouse over the “Command” column (in Task Manager, right-click the entry and choose Open file location). If it looks suspicious but you are not sure, navigate to that location and scan the file with virustotal.com.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 4:

Clean up the Windows temporary files, since Matrix usually drops several of its files here.

You can delete temporary files without posing any risk to your computer; files that are currently in use will simply be skipped.

Hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 5:

Check the other locations where the ransomware drops its files for recent changes.

Matrix usually copies its files into user profile and system directories so that it blends in with legitimate programs.

Hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here blindly! First sort by “Date Modified” and look only at files changed around the time of the infection. Scan any such file with virustotal.com and remove only those reported as dangerous; otherwise you risk deleting files that your programs or Windows depend on, and Windows might stop working.

The virus might copy its files to this directory so you might find randomly named .exe, .dll, .bat, .vbs or other recently placed files.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!
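Sorting each of those folders by date in Explorer works, but it is slow and easy to get wrong across five directory trees. The following script is an added example, not code from the original guide: it lists executable content (programs, libraries and script files) written in the last few days under Temp, AppData, LocalAppData, ProgramData and the Windows directory, together with the Authenticode signature status and SHA-256 of each file. The number of days is a placeholder; use the date the files were encrypted, which the file inventory earlier in this page gives you. A freshly written, unsigned .exe or .vbs in Temp or AppData is exactly the kind of file Steps 4 and 5 are looking for.

```powershell
# Added example (not from the original guide): list executable content written in
# the last $Days days under the directories the guide names, with signature status
# and SHA-256. Assumption: $Days = 7 is a placeholder; match it to the attack date.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)
# Recursing through $env:SystemRoot is slow; drop it from this list if needed.
$dirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:SystemRoot) |
    Where-Object { $_ }
$exts = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1')

$recent = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -and $exts -contains $_.Extension }
}

$recent | Sort-Object LastWriteTime -Descending | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Modified = $_.LastWriteTime
        # 'Valid' means a trusted publisher signed the file. 'NotSigned' alone is not
        # proof of malware, but an unsigned, freshly written .exe in Temp deserves a look.
        Signed   = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        Path     = $_.FullName
    }
} | Format-Table -AutoSize
```

Files with `Signed = Valid` and a well-known signer are almost always legitimate updates; concentrate on the unsigned ones and on anything whose hash matches a process you flagged in Step 1.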

Step 6:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

The Registry Editor will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Use the folder tree on the left to navigate to the Run key of the current user:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

(This is the same key as HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\, where <SID> is a number such as S-1-5-21-3521364462-1692195860-978169631-1001. The SID differs on every machine, so use HKEY_CURRENT_USER rather than copying the one shown.) Check the machine-wide key as well:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

If you find any entries that could belong to Matrix (usually randomly named .exe or .vbs files, often located in %Temp% or %AppData%), delete them by right-clicking on each one and choosing Delete.

Then search for the ransomware entries by pressing CTRL + F and entering the file extension name in the search field. For example:

b10cked

Click Find Next.

Repeat search and delete all registry entries associated with the virus.

Then repeat the search with the following text:

matrix
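Steps 2, 3 and 6 all answer the same question: what starts automatically on this machine, and from where? The script below is an added example, not part of the original guide: it reads the Run and RunOnce keys for both the current user and the machine (including the 32-bit view on 64-bit Windows), lists the contents of both Startup folders, flags entries whose command mentions the names or extensions from this page or runs from one of the drop directories the guide lists, and finally prints the active lines of the hosts file from Step 2. The flag patterns are assumptions based on what this page names, not a complete signature, and a legitimate program can also start from LocalAppData, so verify before deleting.

```powershell
# Added example (not from the original guide): enumerate autostart locations
# (Run/RunOnce keys, Startup folders) and active hosts entries, flagging entries
# that match the names/paths mentioned in the guide. Patterns are assumptions.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }   # provider bookkeeping, not registry values
        $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in (Get-ChildItem -Path $folder -Force -File -ErrorAction SilentlyContinue)) {
        $entries += [pscustomobject]@{ Location = $folder; Name = $f.Name; Command = $f.FullName }
    }
}

# Suspicious if the command names the known files/extensions from the guide, or
# runs from one of the user-writable drop directories the guide lists.
$namePattern = 'matrix|b10cked|malta\.exe|AAM Updates Notifier'
$dropPattern = (@($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }) -join '|'

$entries | ForEach-Object {
    $why = @()
    if ($_.Command -match $namePattern) { $why += 'name' }
    if ($_.Command -match $dropPattern) { $why += 'drop-dir' }
    $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue ($why -join ',') -PassThru
} | Sort-Object { $_.Suspicious -eq '' } | Format-Table -AutoSize

# Step 2 check: active hosts entries, i.e. everything that is neither a comment
# nor the localhost line.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile | Where-Object {
    $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b'
}
```

To remove a confirmed registry entry from an elevated PowerShell, use `Remove-ItemProperty -Path '<Location>' -Name '<Name>'` with the values printed in the table; for a Startup folder item, delete the file at the printed path. Run the script again afterwards to confirm the entry is gone and that nothing recreated it.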

Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.

Check for Matrix ransomware file decrypter here: List of currently available decrypters. Currently none of the versions of this ransomware are known to be decryptable but some might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by re-enabling Windows recovery, which the virus may have turned off.

Hold the Windows () key and press R to open the “Run” window.

Enter the following in the field:

cmd

Press CTRL + SHIFT + ENTER instead of clicking OK, so that the command prompt opens with administrator rights (bcdedit refuses to change boot settings otherwise), and confirm the UAC prompt.

A command prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter. The message “The operation completed successfully.” confirms the change.

Step 2:

Revert system files, installed programs and registry settings to an earlier state with System Restore. Note that System Restore does not touch your documents, so this step cleans up leftover changes made by the virus rather than recovering encrypted files.

Sometimes the virus removes your restore points, so this step may be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies, so this step might be unsuccessful as well. In that case, proceed to Step 4.
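Before spending time on Steps 1 to 3 it helps to know whether they can succeed at all. The script below is an added example, not part of the original guide: from an elevated PowerShell it checks the bcdedit recovery setting and turns it back on if needed (the same command as Step 1), counts the volume shadow copies that survive (zero means Shadow Explorer will find nothing), and lists the restore points with their creation time so you can pick one that predates the newest encrypted file. The Yes/No check on the bcdedit output assumes an English Windows; other languages print the words in translation.

```powershell
# Added example (not from the original guide): check, from an elevated PowerShell,
# the three things Steps 1-3 depend on: boot recovery enabled, surviving shadow
# copies, and existing restore points. Assumes English bcdedit output.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell (Run as administrator).'
}

# Step 1: bcdedit. If the 'recoveryenabled' line is missing or says No, set it
# exactly as the guide does.
$bcd = (bcdedit /enum '{default}' | Out-String) -split "`r?`n"
$recoveryLine = $bcd | Where-Object { $_ -match '^\s*recoveryenabled\s' } | Select-Object -First 1
if (-not $recoveryLine -or $recoveryLine -match '\sNo\s*$') {
    bcdedit /set '{default}' recoveryenabled yes | Out-Null
    'recoveryenabled was off; set to yes'
} else {
    "recoveryenabled already on: $($recoveryLine.Trim())"
}

# Step 3: shadow copies. Zero rows means Shadow Explorer has nothing to show.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
"{0} shadow copies present" -f $shadows.Count
$shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize

# Step 2: restore points (client Windows only; Get-ComputerRestorePoint is absent
# on Server SKUs and in PowerShell 7). Choose one created before the attack.
try {
    Get-ComputerRestorePoint -ErrorAction Stop |
        Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
} catch {
    "No restore points readable: $($_.Exception.Message)"
}
```

If both the shadow copy count and the restore point list are empty, skip straight to Step 4: the file recovery program and your own backups are the only remaining options, and the encrypted files should be copied to external media first so that nothing you try can make things worse.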

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a Matrix decrypter to be created. New free decrypters for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the Matrix / FBI ransomware, protect your computer by installing a good antivirus suite and keeping Windows and your applications updated. Antivirus does not by itself close the entry points described above (email attachments and bundled downloads), so stay wary of unexpected attachments and keep an offline backup of your files; a recent backup is the one recovery method that depends neither on the criminals nor on a future decrypter.

