{
	"id": "6e43464c-b34b-49dc-b6c4-65b844ad52d5",
	"created_at": "2026-04-06T00:16:46.82087Z",
	"updated_at": "2026-04-10T03:24:39.762136Z",
	"deleted_at": null,
	"sha1_hash": "95e3169b00769cd22bb85a0911f049f1ea227799",
	"title": "Threat Assessment: Matrix Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121150,
	"plain_text": "Threat Assessment: Matrix Ransomware\r\nBy Unit 42\r\nPublished: 2021-03-26 · Archived: 2026-04-05 21:29:22 UTC\r\nExecutive Summary\r\nMatrix is a ransomware family that was first identified publicly in December 2016. Over the years since its\r\ninception, it has primarily targeted small- to medium-sized organizations. As of 2019, it had been observed across\r\ngeographic locations such as the U.S., Belgium, Taiwan, Singapore, Germany, Brazil, Chile, South Africa, Canada\r\nand the UK. While initially leveraging tactics such as spam email campaigns, propagation via Windows shortcuts\r\nand the RIG exploit kit for distribution, the primary attack vector for the Matrix ransomware family shifted in\r\n2018 to brute forcing weak Remote Desktop Protocol (RDP) credentials. The shift to this attack methodology\r\nappears to be a recurring trend in similar targeted ransomware families such as Dharma, Ryuk and BitPaymer.\r\nMatrix Ransomware Overview\r\nhttps://unit42.paloaltonetworks.com/matrix-ransomware/\r\nPage 1 of 6\n\nFigure 1. Screenshot of Matrix ransom note\r\nWhen executed, Matrix encrypts user files and network shares, deletes volume shadow copies and\r\ndisables recovery options on the affected device. As with many other ransomware variants, the ransom note\r\ndelivered by Matrix demands payment in Bitcoin. Instead of spreading through an organization, past Matrix\r\ninfections appear to have been more targeted in nature.\r\nMatrix is unique in that instead of delivering a more conventional ransom note that demands a fixed ransom\r\namount, the threat actors behind it ask victims to contact them directly and submit a small sample of about three to\r\nfive files for decryption. This is done so the threat actors can determine a variable ransom based on factors such as\r\nthe predicted value of the victim’s files or the current dollar value of Bitcoin.\r\nAs of 2020, Matrix ransomware has been seen appending the following file extensions to files:\r\n.MTXLOCK, .CORE, .ANN, .FOX, .KOK8, .KOK08, .NEWRAR, .FASTBOB, .FASTB, .EMAN, .THDA,\r\n.RAD, .EMAN50, .GMPF, .ATOM, .NOBAD, .TRU8, .FASTA, .JNSS, .FBK, .ITLOCK, .SPCT, .PRCP, .CHRB,\r\n.AL8G, .DEUS, .FG69, .JB88, .J91D, .S996, .[barboza40@yahoo.com], .[Linersmik@naver.com],\r\n.[Jinnyg@tutanota.com], .[poluz@tutanota.com], .[Yourencrypt@tutanota.com], .[Files4463@tuta.io],\r\n.[RestorFile@tutanota.com], .[RestoreFile@qq.com], .[oken@tutanota.com], .[Vfemacry@mail-on.us],\r\n.[d3336666@tutanota.com], and .[Bitmine8@tutanota.com]\r\nIn addition, Matrix has other variants, including one dubbed “Fox Ransomware,” which adds the “.FOX”\r\nextension to encrypted files.\r\nMore information on prominent ransomware families can be found in the 2021 Unit 42 Ransomware Threat\r\nReport.\r\nCourses of Action\r\nThis section documents relevant tactics, techniques and procedures (TTPs) used with Matrix and maps them\r\ndirectly to Palo Alto Networks product(s) and service(s). 
It also instructs customers on how to ensure their\r\ndevices are configured correctly.\r\nProduct / Service Course of Action\r\nInitial Access, Persistence, Lateral Movement\r\nThe courses of action below mitigate the following techniques:\r\nSpearphishing Attachment [T1566.001], Valid Accounts [T1078], Replication Through Removable\r\nMedia [T1091], Remote Desktop Protocol [T1021.001]\r\nNGFW\r\nSet up File Blocking\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into untrusted\r\nzones\r\nEnsure application security policies exist when allowing traffic from an untrusted zone\r\nto a more trusted zone\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure remote access capabilities for the User-ID service account are forbidden\r\nThreat Prevention†\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nEnsure that all zones have Zone Protection Profiles with all Reconnaissance Protection\r\nsettings enabled, tuned and set to appropriate actions\r\nWildFire†\r\nEnsure that WildFire file size upload limits are maximized\r\nEnsure forwarding is enabled for all applications and file types in WildFire file\r\nblocking profiles\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XDR\r\nConfigure Host Firewall Profile\r\nConfigure Malware Security Profile\r\nEnable Device Control\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Block Account Generic\r\nDeploy XSOAR Playbook - Access Investigation Playbook\r\nDeploy XSOAR Playbook - Impossible Traveler\r\nDeploy XSOAR Playbook - Phishing Investigation - Generic V2\r\nDeploy XSOAR Playbook - Endpoint Malware Investigation\r\nCredential Access\r\nThe courses of action below mitigate the following techniques:\r\nBrute Force [T1110]\r\nNGFW\r\nCustomize the Action and Trigger Conditions for a Brute Force Signature\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Brute Force Investigation Playbook\r\nExecution, Defense Evasion, Persistence, Privilege Escalation, Impact\r\nThe courses of action below mitigate the following techniques:\r\nWindows Command Shell [T1059.003], Match Legitimate Name or Location [T1036.005], Services File\r\nPermissions Weakness [T1574.010], Disable or Modify Tools [T1562.001], Service Stop [T1489], Modify\r\nRegistry [T1112], Data Encrypted for Impact [T1486], Inhibit System Recovery [T1490]\r\nCortex XDR\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nConfigure Restrictions Security Profile\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Ransomware Manual for incident response.\r\nDeploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation\r\nTable 1. Courses of Action for Matrix ransomware.\r\n†These capabilities are part of the NGFW security subscriptions service.\r\nConclusion\r\nWhile targeted ransomware attacks are not new, Matrix is a prime example of how threat actors can enter the\r\npool of existing ransomware and cash out quickly by targeting low-hanging fruit. The ransom negotiation tactics\r\nused by the Matrix threat actors further amplify the dangerous impact that such an attack can have on its\r\nvictims, especially given the volatile state of cryptocurrency value today. Furthermore, this malware family’s shift\r\nin tactics to RDP exploitation, following a similar shift seen in other ransomware groups, serves to emphasize the\r\nneed for businesses to stay vigilant about current ransomware trends.\r\nPalo Alto Networks detects and prevents Matrix in the following ways:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nIndicators for Matrix.\r\nAnti-Ransomware Module to detect Matrix encryption behaviors.\r\nLocal Analysis detection to detect Matrix binaries.\r\nNext-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which\r\nare also categorized as malware in URL Filtering.\r\nAutoFocus: Tracking related activity using the MatrixRansomware tag.\r\nAdditionally, Indicators of Compromise (IoCs) associated with Matrix are available on GitHub here, and have\r\nbeen published to the Unit 42 TAXII feed.\r\nAdditional Resources\r\nMatrix Ransomware Spreads to Other PCs Using Malicious Shortcuts\r\nMatrix has slowly evolved into a 'Swiss Army knife' of the ransomware world\r\nMatrix Ransomware Changes the Rules Again | How Much Are You Worth?",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/matrix-ransomware/"
	],
	"report_names": [
		"matrix-ransomware"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434606,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95e3169b00769cd22bb85a0911f049f1ea227799.pdf",
		"text": "https://archive.orkl.eu/95e3169b00769cd22bb85a0911f049f1ea227799.txt",
		"img": "https://archive.orkl.eu/95e3169b00769cd22bb85a0911f049f1ea227799.jpg"
	}
}