Ransomware Research
Matrix Ransomware
Matrix is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on November 1, 2016, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Malta.
Quick Facts
- Ransomware Family
- Matrix
- First Seen
- November 1, 2016
- Known Aliases
- Malta
How Matrix Ransomware Works
Targeted Files
https://www.hybrid-analysis.com/sample/93c8f48614215693053dbf9b0795c29b4e048978f1271b86b08f3c8353e5be8c?environmentId=100 https://www.hybrid-analysis.com/sample/924b8baed15f41d4c78beb28cda7a9334b23fd12d1de30f2bd596bf4d8cc32f7?environmentId=100 https://app.any.run/tasks/019aa957-3277-4a5c-840c-15578d94f152/ https://app.any.run/tasks/c0db2176-29cd-40d9-ba43-2c1ce19f172e/ https://app.any.run/tasks/949fb065-0629-417e-b1de-cee83524684e/ Filename pattern -> [KOK08@QQ.COM].1DfIa992-gNYr4yXh.KOK08
File Encryption Patterns
Matrix modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..[barboza40@yahoo.com]..[JUCHE001@TUTANOTA.COM]..[Yourencrypt@tutanota.com]..FG69..matrix..b10cked..pyongyan001@yahoo.com._[RELOCK001@TUTA.IO]..[files4463@tuta.io]..[RestorFile@tutanota.com]..[oken@tutanota.com]..MTXLOCK..ATOM..ANN..CORE..FOX..KOK8..NEWRAR..FASTBOB..FASTB..KOK08..ITLOCK..EMAN..GMAN..EMAN50..NOBAD..THDA..GMPF..SPCT..GRHAN..GMBN..PLANT..PEDANT..GBLOCK..SBLOCK..SCR..CRYPTO..NGSC..PRCP..enc..RAD..[Kromber@tutanota.com]..QH24..MDRL..YDHM..DECP..ABAT..YDH3..PSAFE..DRSC..MT88..TMS5..BDDY..CHRB..BWNG..FDFK..MKES..ATKL..SNTG..AG88G..AL8P..AL8G..JB78..RE78P..MH24..AB89..FDFK22..BG85..J91D..S996..AW46..DEUS..TG33..M88P..BBGT..TRU8..JDPR..MMTA..CTRM..FRFO..[Bitmine8@tutanota.com]..[RestoreFile@qq.com]..[DATSUN987@TUTANOTA.COM]..[d3336666@tutanota.com]..[Vfemacry@mail-on.us]..FASTA..[poluz@tutanota.com]Prefixes added to encrypted files:
[Citrteam@yahoo.com].[KOK08@QQ.COM][FastBob@protonmail.com][FridaFarko@yahoo.com][maihoandcryp@qq.com]Ransom Note and Payment Demands
After encrypting files, Matrix displays ransom notes demanding payment for file recovery:
Ransom message:
notes/note.txt
Note locations:
LoginRansom message:
notes/note1.txt
Note locations:
LoginReadme-Matrix.rtf/^WhatHappenedWithMyFiles[0-9]{0,2}\.rtf$/Ransom message:
notes/WhatHappenedWithMyFiles22.rtf
Note locations:
DesktopBl0cked-ReadMe.rtf!WhatHappenedWithMyFiles!.rtfRansom message:
notes/!WhatHappenedWithMyFiles!.rtf
Note locations:
EveryFolder#ANN_README#.rtfRansom message:
notes/#ANN_README#.rtf
Note locations:
EveryFolder!README_TRU8!.rtfRansom message:
notes/!README_TRU8!.rtf
Note locations:
EveryFolder!What-wrong-with-files!.rtfRansom message:
notes/!What-wrong-with-files!.rtf
Note locations:
EveryFolder#README_FASTA#.rtfRansom message:
notes/#README_FASTA#.rtf
Note locations:
EveryFolderT0_Rest0re_Files_Read_This.rtfRansom message:
notes/T0_Rest0re_Files_Read_This.rtf
Note locations:
EveryFolderReadMe_T0_Rec0ver_Files.rtfRansom message:
notes/ReadMe_T0_Rec0ver_Files.rtf
Note locations:
EveryFolder#KOK08_README#.rtfRansom message:
notes/#KOK08_README#.rtf
Note locations:
EveryFolder!README_FASTBOB!.rtfRansom message:
notes/!README_FASTBOB!.rtf
Note locations:
EveryFolder!README_KOK08!.rtfRansom message:
notes/!README_KOK08!.rtf
Note locations:
EveryFolder#ReadMe_T0_Decrypt_Files.rtfRansom message:
notes/#ReadMe_T0_Decrypt_Files.rtf
Note locations:
EveryFolderWhat_Happened_With_Files.rtfRansom message:
notes/What_Happened_With_Files.rtf
Note locations:
EveryFolderWhatHappenedWithFiles.rtfRansom message:
notes/WhatHappenedWithFiles.rtf
Note locations:
EveryFolder#NOBAD_README#.rtfRansom message:
notes/#NOBAD_README#.rtf
Note locations:
EveryFolder#How_to_return_files#.rtfRansom message:
notes/#How_to_return_files#.rtf
Note locations:
EveryFolder!README_CHRB!.rtfRansom message:
notes/!README_CHRB!.rtf
Note locations:
EveryFolder#_#FASTBOB_README#_#.rtfRansom message:
notes/#_#FASTBOB_README#_#.rtf
Note locations:
EveryFolderFG69_README.rtfRansom message:
notes/FG69_README.rtf
Note locations:
EveryFolderCTRM_INFO.rtfRansom message:
notes/CTRM_INFO.rtf
Note locations:
EveryFolder/^Read_Me_T0_Rest0re_Files\d{1,2}\.rtf$/Ransom message:
notes/Read_Me_T0_Rest0re_Files45.rtf
Note locations:
Desktop#_#Where-is-my-files#_#!.rtfRansom message:
notes/#_#Where-is-my-files#_#!.rtf
Note locations:
EveryFolder#_#WhatWrongWithMyFiles#_#.rtfRansom message:
notes/#_#WhatWrongWithMyFiles#_#.rtf
Note locations:
EveryFolderFRFO_INFO.rtfRansom message:
notes/FRFO_INFO.rtf
Note locations:
EveryFolder!OoopsYourFilesLocked!.rtf#What-Happened-With-Files#.rtfT0_Rec0ver_Files_ReadME.rtfRansom message:
notes/T0_Rec0ver_Files_ReadME.rtf
#NEWRAR_README#.rtfRansom message:
notes/#NEWRAR_README#.rtf
Note locations:
EveryFolder!ReadMe_To_Decrypt_Files!.rtfRansom message:
notes/!ReadMe_To_Decrypt_Files!.rtf
Note locations:
EveryFolder#Decrypt_Files_ReadMe#.rtfRansom message:
notes/#Decrypt_Files_ReadMe#.rtf
Note locations:
EveryFolder!ReadMe_How_To_Decrypt_Files!.rtfRansom message:
notes/!ReadMe_How_To_Decrypt_Files!.rtf
Note locations:
EveryFolder#What_Wrong_With_Files#.rtfRansom message:
notes/#What_Wrong_With_Files#.rtf
Note locations:
EveryFolder!README_ATOM!.rtfRansom message:
notes/!README_ATOM!.rtf
Note locations:
EveryFolder!T0_Rest0re_Y0ur_FilEs_ReadMe!.rtfRansom message:
notes/!T0_Rest0re_Y0ur_FilEs_ReadMe!.rtf
Note locations:
EveryFolder!README_ITLOCK!.rtfRansom message:
notes/!README_ITLOCK!.rtf
Note locations:
EveryFolderRead_This_To_Rest0re_Files.rtfRansom message:
notes/Read_This_To_Rest0re_Files.rtf
Note locations:
EveryFolder#README_ANN#.rtf/(#|!)?\w+_README(#|!)?\.rtf\b/Ransom message:
notes/#CORE_README#.rtf
Note locations:
EveryFolder/(#|!)?(README|Readme)_[A-Z0-9]{4,6}(#|!)?\.rtf\b/Ransom message:
notes/#README_EMAN#.rtf
Note locations:
EveryFolder/^_?!?[A-Z0-9]{4,6}_INFO!?\.rtf\b/!README PLANT!.rtf#_#RAD_README#_#.rtfRansom message:
notes/#_#RAD_README#_#.rtf
Note locations:
EveryFolder#_#ReadMe#_#.rtf#How-to-return-files#.rtfRansom message:
notes/#How-to-return-files#.rtf
Note locations:
EveryFolderTechnical Indicators
Associated Executable Files
The following executable files are associated with Matrix ransomware:
Neo.exe1.exesample.binRoaming.exeAAM Updates NotifierAAM Updates Notifier.exeFlashPlayer.exevotd6frQ.exe1p2G6c7n.exeSRCV7tcT.exeZUHKOy3b.exel4gr9gwv.exeHdv3TFk8.exefGLbFO2G.exedcUlriqe.exe7O0tvLaT.exe2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exevariant.exeEITest-Rig-EK-payload-matrix-ransomware-variant.exe2017-04-03-eitest-rig-ek-payload-matrix-ransomware-variant.exeOB4vMg6S.exeJPyY9UbY.exematrix-ransomware-variant.exelkcagzj9.exejGeBmawt.exeerzSKL3S.exeDijamikaji ni mocisorufi hihenoponu gayo mupoOmdpDiJ1.exeEK2xfZMr.exeFILE_13.21q0NOiyA.exeget.phpyCZPw.exebzQVjoCM.exeGE8fpQtM.exesetup.exemyfile.exeinstall.exeNWQN5bI6.exeFoxRansomware (3).exeNWN2bpww.exeNWiTZ8Bk.exeNWSq4AON.exeNWlQjJJX.exeNWWBEFLC.exeNW9AZSCw.exe0b03bf1c7b596a862978999ee.exeNW3kQoea.exeNWsDaeki.exeNWLlSeOR.exeNWIFn2ys.exeNW0V3MsI.exeNWSEvUER.exeNWkcsyHc.exe569.json2018-09-25 Matrix.exeNWMtEi9n.exeNWGDH8VR.exeNWBa0FMG.exenwovkcyl.exedrprov.dllNWQxqJHm.exeNWGLLBwj.exeNWmVNXTd.exesvhost.exeMatrix (2).exenwzjnwcl.execary.exeNWUgfxIg.exesden.exem.exeNWXfX7EK.exeNWtykZIN.exeNWazChGA.exeNWGHCSD4.exebwng.exeNWjmtMjw.exeab89.exeNWGUQsM6.exeNWPBholE.exebbgt.exeNWsZDRC8.exenew_jdpr.exeDecrypt_new.exeNWF7WOSl.exekok22.exefg69.exe
Elastio Can Help You
Don't let Matrix ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This Matrix ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Matrix.
Last updated: July 30, 2025