Ransomware Research
Matrix Ransomware
Matrix is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. First observed in the wild on November 1, 2016, it has been actively targeting systems worldwide. Security researchers also track this malware under the alias Malta.
Quick Facts
- Ransomware Family: Matrix
- First Seen: November 1, 2016
- Known Aliases: Malta
How Matrix Ransomware Works
Targeted Files
Sandbox analysis reports:
- https://www.hybrid-analysis.com/sample/93c8f48614215693053dbf9b0795c29b4e048978f1271b86b08f3c8353e5be8c?environmentId=100
- https://www.hybrid-analysis.com/sample/924b8baed15f41d4c78beb28cda7a9334b23fd12d1de30f2bd596bf4d8cc32f7?environmentId=100
- https://app.any.run/tasks/019aa957-3277-4a5c-840c-15578d94f152/
- https://app.any.run/tasks/c0db2176-29cd-40d9-ba43-2c1ce19f172e/
- https://app.any.run/tasks/949fb065-0629-417e-b1de-cee83524684e/
Filename pattern of an encrypted file: [KOK08@QQ.COM].1DfIa992-gNYr4yXh.KOK08
File Encryption Patterns
Matrix marks encrypted files by appending a variant-specific extension and, in some variants, by prefixing the file name with the attacker's contact address:
File extensions added after encryption:
..[barboza40@yahoo.com]
..[JUCHE001@TUTANOTA.COM]
..[Yourencrypt@tutanota.com]
..FG69
..matrix
..b10cked
..pyongyan001@yahoo.com
._[RELOCK001@TUTA.IO]
..[files4463@tuta.io]
..[RestorFile@tutanota.com]
..[oken@tutanota.com]
..MTXLOCK
..ATOM
..ANN
..CORE
..FOX
..KOK8
..NEWRAR
..FASTBOB
..FASTB
..KOK08
..ITLOCK
..EMAN
..GMAN
..EMAN50
..NOBAD
..THDA
..GMPF
..SPCT
..GRHAN
..GMBN
..PLANT
..PEDANT
..GBLOCK
..SBLOCK
..SCR
..CRYPTO
..NGSC
..PRCP
..enc
..RAD
..[Kromber@tutanota.com]
..QH24
..MDRL
..YDHM
..DECP
..ABAT
..YDH3
..PSAFE
..DRSC
..MT88
..TMS5
..BDDY
..CHRB
..BWNG
..FDFK
..MKES
..ATKL
..SNTG
..AG88G
..AL8P
..AL8G
..JB78
..RE78P
..MH24
..AB89
..FDFK22
..BG85
..J91D
..S996
..AW46
..DEUS
..TG33
..M88P
..BBGT
..TRU8
..JDPR
..MMTA
..CTRM
..FRFO
..[Bitmine8@tutanota.com]
..[RestoreFile@qq.com]
..[DATSUN987@TUTANOTA.COM]
..[d3336666@tutanota.com]
..[Vfemacry@mail-on.us]
..FASTA
..[poluz@tutanota.com]
Prefixes added to encrypted files:
[Citrteam@yahoo.com].
[KOK08@QQ.COM]
[FastBob@protonmail.com]
[FridaFarko@yahoo.com]
[maihoandcryp@qq.com]
Ransom Note and Payment Demands
After encrypting files, Matrix drops RTF ransom notes demanding payment for file recovery. Each entry below gives the note file name (or a regular expression matching it) and, where the database recorded them, the captured sample note and the drop location:
- (unnamed note; sample: notes/note.txt; location: Login)
- (unnamed note; sample: notes/note1.txt; location: Login)
- Readme-Matrix.rtf
- /^WhatHappenedWithMyFiles[0-9]{0,2}\.rtf$/ (sample: notes/WhatHappenedWithMyFiles22.rtf; location: Desktop)
- Bl0cked-ReadMe.rtf
- !WhatHappenedWithMyFiles!.rtf (sample: notes/!WhatHappenedWithMyFiles!.rtf; location: EveryFolder)
- #ANN_README#.rtf (sample: notes/#ANN_README#.rtf; location: EveryFolder)
- !README_TRU8!.rtf (sample: notes/!README_TRU8!.rtf; location: EveryFolder)
- !What-wrong-with-files!.rtf (sample: notes/!What-wrong-with-files!.rtf; location: EveryFolder)
- #README_FASTA#.rtf (sample: notes/#README_FASTA#.rtf; location: EveryFolder)
- T0_Rest0re_Files_Read_This.rtf (sample: notes/T0_Rest0re_Files_Read_This.rtf; location: EveryFolder)
- ReadMe_T0_Rec0ver_Files.rtf (sample: notes/ReadMe_T0_Rec0ver_Files.rtf; location: EveryFolder)
- #KOK08_README#.rtf (sample: notes/#KOK08_README#.rtf; location: EveryFolder)
- !README_FASTBOB!.rtf (sample: notes/!README_FASTBOB!.rtf; location: EveryFolder)
- !README_KOK08!.rtf (sample: notes/!README_KOK08!.rtf; location: EveryFolder)
- #ReadMe_T0_Decrypt_Files.rtf (sample: notes/#ReadMe_T0_Decrypt_Files.rtf; location: EveryFolder)
- What_Happened_With_Files.rtf (sample: notes/What_Happened_With_Files.rtf; location: EveryFolder)
- WhatHappenedWithFiles.rtf (sample: notes/WhatHappenedWithFiles.rtf; location: EveryFolder)
- #NOBAD_README#.rtf (sample: notes/#NOBAD_README#.rtf; location: EveryFolder)
- #How_to_return_files#.rtf (sample: notes/#How_to_return_files#.rtf; location: EveryFolder)
- !README_CHRB!.rtf (sample: notes/!README_CHRB!.rtf; location: EveryFolder)
- #_#FASTBOB_README#_#.rtf (sample: notes/#_#FASTBOB_README#_#.rtf; location: EveryFolder)
- FG69_README.rtf (sample: notes/FG69_README.rtf; location: EveryFolder)
- CTRM_INFO.rtf (sample: notes/CTRM_INFO.rtf; location: EveryFolder)
- /^Read_Me_T0_Rest0re_Files\d{1,2}\.rtf$/ (sample: notes/Read_Me_T0_Rest0re_Files45.rtf; location: Desktop)
- #_#Where-is-my-files#_#!.rtf (sample: notes/#_#Where-is-my-files#_#!.rtf; location: EveryFolder)
- #_#WhatWrongWithMyFiles#_#.rtf (sample: notes/#_#WhatWrongWithMyFiles#_#.rtf; location: EveryFolder)
- FRFO_INFO.rtf (sample: notes/FRFO_INFO.rtf; location: EveryFolder)
- !OoopsYourFilesLocked!.rtf
- #What-Happened-With-Files#.rtf
- T0_Rec0ver_Files_ReadME.rtf (sample: notes/T0_Rec0ver_Files_ReadME.rtf)
- #NEWRAR_README#.rtf (sample: notes/#NEWRAR_README#.rtf; location: EveryFolder)
- !ReadMe_To_Decrypt_Files!.rtf (sample: notes/!ReadMe_To_Decrypt_Files!.rtf; location: EveryFolder)
- #Decrypt_Files_ReadMe#.rtf (sample: notes/#Decrypt_Files_ReadMe#.rtf; location: EveryFolder)
- !ReadMe_How_To_Decrypt_Files!.rtf (sample: notes/!ReadMe_How_To_Decrypt_Files!.rtf; location: EveryFolder)
- #What_Wrong_With_Files#.rtf (sample: notes/#What_Wrong_With_Files#.rtf; location: EveryFolder)
- !README_ATOM!.rtf (sample: notes/!README_ATOM!.rtf; location: EveryFolder)
- !T0_Rest0re_Y0ur_FilEs_ReadMe!.rtf (sample: notes/!T0_Rest0re_Y0ur_FilEs_ReadMe!.rtf; location: EveryFolder)
- !README_ITLOCK!.rtf (sample: notes/!README_ITLOCK!.rtf; location: EveryFolder)
- Read_This_To_Rest0re_Files.rtf (sample: notes/Read_This_To_Rest0re_Files.rtf; location: EveryFolder)
- #README_ANN#.rtf
- /(#|!)?\w+_README(#|!)?\.rtf\b/ (sample: notes/#CORE_README#.rtf; location: EveryFolder)
- /(#|!)?(README|Readme)_[A-Z0-9]{4,6}(#|!)?\.rtf\b/ (sample: notes/#README_EMAN#.rtf; location: EveryFolder)
- /^_?!?[A-Z0-9]{4,6}_INFO!?\.rtf\b/
- !README PLANT!.rtf
- #_#RAD_README#_#.rtf (sample: notes/#_#RAD_README#_#.rtf; location: EveryFolder)
- #_#ReadMe#_#.rtf
- #How-to-return-files#.rtf (sample: notes/#How-to-return-files#.rtf; location: EveryFolder)
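To turn the file-naming conventions and ransom-note name patterns above into a triage check, here is an added Python example; it is not Elastio's code and not part of the original page. It uses a subset of the extensions and prefixes listed above and the note-name regular expressions exactly as given; the regular expression for the fully renamed shape is an assumption generalised from the single pattern shown ([KOK08@QQ.COM].1DfIa992-gNYr4yXh.KOK08), and the directory listing it scans is constructed.

```python
import re

# Subset of the encrypted-file extensions and name prefixes listed on this page.
MATRIX_EXTENSIONS = {"KOK08", "KOK8", "FASTBOB", "FASTB", "ITLOCK", "matrix", "FG69", "ATOM",
                     "ANN", "CORE", "FOX", "NEWRAR", "[barboza40@yahoo.com]", "[oken@tutanota.com]"}
MATRIX_PREFIXES = {"[KOK08@QQ.COM]", "[FastBob@protonmail.com]", "[Citrteam@yahoo.com]",
                   "[FridaFarko@yahoo.com]", "[maihoandcryp@qq.com]"}

# Shape of a fully renamed file, generalised (an assumption) from the one pattern shown on this
# page, [KOK08@QQ.COM].1DfIa992-gNYr4yXh.KOK08: [contact address].<random id>.<EXT>
RENAMED_RE = re.compile(
    r"^(?P<prefix>\[[^\]\s]+@[^\]\s]+\])\.?(?P<id>[A-Za-z0-9-]{8,})\.(?P<ext>[A-Za-z0-9]+)$")

# Ransom-note name patterns, copied from the regular expressions in the note section above.
NOTE_PATTERNS = [re.compile(p) for p in (
    r"(#|!)?\w+_README(#|!)?\.rtf\b",
    r"(#|!)?(README|Readme)_[A-Z0-9]{4,6}(#|!)?\.rtf\b",
    r"^_?!?[A-Z0-9]{4,6}_INFO!?\.rtf\b",
    r"^WhatHappenedWithMyFiles[0-9]{0,2}\.rtf$",
    r"^Read_Me_T0_Rest0re_Files\d{1,2}\.rtf$",
)]


def classify(name):
    """Return 'encrypted', 'note' or None for one file name (basename, not a path)."""
    m = RENAMED_RE.match(name)
    if m and (m.group("prefix") in MATRIX_PREFIXES or m.group("ext") in MATRIX_EXTENSIONS):
        return "encrypted"
    # Variants that only append the extension to the original name, e.g. report.docx.FASTBOB
    if any(name.endswith("." + ext) for ext in MATRIX_EXTENSIONS):
        return "encrypted"
    if any(p.search(name) for p in NOTE_PATTERNS):
        return "note"
    return None


def triage(names):
    """Bucket a directory listing so an analyst sees renamed files and notes at a glance."""
    hits = {"encrypted": [], "note": []}
    for name in names:
        kind = classify(name)
        if kind:
            hits[kind].append(name)
    return hits


# Constructed directory listing (not from a real incident) mixing benign and Matrix-style names.
SAMPLE_LISTING = ["[KOK08@QQ.COM].1DfIa992-gNYr4yXh.KOK08", "quarterly-report.docx.FASTBOB",
                  "#KOK08_README#.rtf", "CTRM_INFO.rtf", "WhatHappenedWithMyFiles22.rtf",
                  "quarterly-report.docx", "README.md"]
```

Run `triage(SAMPLE_LISTING)` on a listing to get the encrypted-file and note hits separately; extend the two sets with the remaining extensions and prefixes from the lists above for full coverage.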
Technical Indicators
Associated Executable Files
The following executable files are associated with Matrix ransomware:
About This Analysis
This Matrix ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Matrix.
Last updated: July 30, 2025