Full Report
MathWorks, a leading developer of mathematical simulation and computing software, revealed that a ransomware gang stole the data of over 10,000 people after breaching its network in April. [...]
Analysis Summary
# Incident Report: MathWorks Ransomware Attack and Data Exfiltration
## Executive Summary
MathWorks, the developer of MATLAB and Simulink, suffered a ransomware attack that began in April 2025 and caused significant service disruptions for staff and customers. The attackers exfiltrated personal data belonging to 10,476 individuals, including names, dates of birth, addresses and Social Security Numbers. MathWorks has confirmed the ransomware event and the resulting outages, but has not named the group responsible, disclosed the initial access vector, or described the remediation steps taken.
## Incident Details
- **Discovery Date:** May 18, 2025
- **Incident Date:** April 2025 (attackers gained network access; the exact date is undisclosed)
- **Affected Organization:** MathWorks (Developer of MATLAB and Simulink)
- **Sector:** Software/Technology (Mathematical Simulation and Computing)
- **Geography:** Headquarters in Natick, Massachusetts, USA; global operations.
## Timeline of Events
### Initial Access
- **Date/Time:** April 2025 (exact start undisclosed; the intrusion was active before its discovery on May 18)
- **Vector:** Not disclosed. The intrusion is attributed to an unnamed ransomware gang.
- **Details:** Attackers gained access to MathWorks' network. The resulting service disruptions were publicly attributed to ransomware by the company on May 27.
### Lateral Movement
- No details of the lateral movement phase are public, but reaching and exfiltrating the affected records implies successful post-exploitation activity beyond the initial foothold.
### Data Exfiltration/Impact
- **Date/Time:** Sometime between the initial access (April 2025) and the discovery (May 18, 2025).
- **Details:** The attackers stole documents containing the personal information of 10,476 individuals. Affected data included names, addresses, dates of birth, Social Security Numbers, and/or other non-U.S. national identification numbers.
### Detection & Response
- **Detection:** Discovered on May 18, 2025, weeks after the initial April compromise (between roughly two and seven weeks, depending on the undisclosed start date).
- **Response actions taken:** The company disclosed the attack on May 27, linking it to the ongoing service outages. Breach notifications were filed with the Maine and Massachusetts Attorneys General.
## Attack Methodology
- **Initial Access:** Unknown/Undisclosed.
- **Persistence:** Unknown/Undisclosed.
- **Privilege Escalation:** Unknown/Undisclosed.
- **Defense Evasion:** Unknown/Undisclosed; the intrusion went unnoticed for weeks before discovery.
- **Credential Access:** Not disclosed, but implied: reaching stored identity records and deploying ransomware across the environment generally requires valid credentials or equivalent privileges.
- **Discovery:** Unknown/Undisclosed.
- **Lateral Movement:** Unknown/Undisclosed.
- **Collection:** Stole documents containing PII/sensitive identity data.
- **Exfiltration:** The data was stolen before discovery on May 18, and therefore before the May 27 disclosure that attributed the service disruption to ransomware.
- **Impact:** Deployment of ransomware resulting in service outages and data theft.
## Impact Assessment
- **Financial:** Costs associated with remediation, investigation, and notification expenses are likely significant, though not quantified in the report.
- **Data Breach:** Data of 10,476 individuals compromised, including highly sensitive PII (SSNs, DOBs, addresses).
- **Operational:** Significant disruption to critical services including MFA, account SSO, the MathWorks cloud center, file exchange, license center, and the online store.
- **Reputational:** Negative impact stemming from an intrusion that went undetected for weeks and from the theft of highly sensitive customer/employee identity data.
## Indicators of Compromise
*Note: No specific, actionable IoCs were provided in the summary article.*
- **Network indicators:** Undisclosed.
- **File indicators:** Undisclosed.
- **Behavioral indicators:** Ransomware deployment and bulk data exfiltration between April and May 2025, visible to the organization primarily as service disruption.
## Response Actions
- **Containment:** Not detailed. The concurrent outage of MFA, SSO and other services is consistent with isolation of affected systems around the time of the May 27 disclosure, but this is inference rather than confirmed fact.
- **Eradication:** Not detailed.
- **Recovery:** Restoration of the affected services (MFA, SSO, online store, etc.) was underway following the May 27 disclosure. Regulatory notifications were initiated.
## Lessons Learned
- The detection delay (weeks between the April compromise and discovery on May 18) indicates gaps in internal threat detection and egress monitoring: perimeter controls alone do not reveal post-compromise activity such as credential abuse, bulk collection and staging of data for exfiltration.
- The confirmed exfiltration of SSNs and national identification numbers shows the need for tight access controls and monitoring on the stores that hold identity data, particularly those backing customer and employee identity management.
- Customer-facing identity services (MFA and SSO) were taken down alongside other services, so whatever resilience measures existed for them did not hold; these services need to be reinforced so that a ransomware event elsewhere in the environment does not remove authentication for everyone.
## Recommendations
- **Enhance Detection Capabilities:** Deploy EDR/XDR with behavioral analytics and alert on post-compromise activity (credential abuse, unusual lateral movement, bulk outbound transfers to new destinations) so that dwell time is measured in hours rather than weeks.
- **Strengthen Identity Security:** Review and harden MFA implementation across all critical systems; implement zero-trust principles for accessing data repositories.
- **Review Network Segmentation:** Ensure strong segmentation between customer-facing services and core internal operational/data storage environments to limit lateral movement post-breach.
- **Data Minimization:** Audit immediately whether SSNs and other national identifiers are retained beyond regulatory necessity, and establish deletion schedules for sensitive data that is no longer needed.
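The "bulk outbound transfers to new destinations" signal in the detection recommendation above is cheap to build from egress flow or proxy logs, and it is the kind of behavioral check that would have had a chance of surfacing the exfiltration phase before the ransomware detonated. The script below is an added example written for this report; it is not MathWorks' tooling, and nothing in it is derived from the incident. It assumes a CSV export of per-flow egress records with the columns `date`, `src_host`, `dst_ip` and `bytes_out` (a constructed sample is embedded), an organization-defined list of internal address ranges, and thresholds (`min_factor`, `min_bytes`) that a real deployment would tune. For each host it baselines daily external egress with a median over the other observed days, flags days that exceed both an absolute floor and a multiple of that baseline, and lists destinations the host had not talked to before.

```python
"""Baseline-and-deviation check for bulk outbound transfer (added example).

Not MathWorks' code and not derived from the incident. Input format and
thresholds are assumptions for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample egress records (date, source host, destination IP,
# bytes out). Illustrative values only, not data from the MathWorks incident.
# fileserver01 sends ~50 MB/day to one known destination, then 4.2 GB in one
# day to an address it has never contacted. wks-042 has a large internal
# transfer on the same day, which must be ignored as not egress.
SAMPLE_FLOWS = """\
date,src_host,dst_ip,bytes_out
2025-05-10,fileserver01,203.0.113.10,52000000
2025-05-11,fileserver01,203.0.113.10,48000000
2025-05-12,fileserver01,203.0.113.10,55000000
2025-05-13,fileserver01,203.0.113.10,47000000
2025-05-14,fileserver01,203.0.113.10,50000000
2025-05-15,fileserver01,203.0.113.10,51000000
2025-05-15,fileserver01,198.51.100.77,4200000000
2025-05-10,wks-042,203.0.113.10,12000000
2025-05-11,wks-042,203.0.113.10,15000000
2025-05-12,wks-042,203.0.113.10,9000000
2025-05-13,wks-042,203.0.113.10,14000000
2025-05-14,wks-042,203.0.113.10,11000000
2025-05-15,wks-042,203.0.113.10,13000000
2025-05-15,wks-042,10.0.0.5,9000000000
"""

# Assumed organization-internal ranges; flows to these are not egress.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the destination falls inside an internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse CSV flow records into dicts with bytes_out as an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes_out"] = int(row["bytes_out"])
        rows.append(row)
    return rows


def daily_external_egress(flows: list):
    """Sum bytes per (host, date) to external destinations and record which
    external destinations each host contacted on each date."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for f in flows:
        if is_internal(f["dst_ip"]):
            continue
        key = (f["src_host"], f["date"])
        totals[key] += f["bytes_out"]
        dests[key].add(f["dst_ip"])
    return totals, dests


def detect_exfiltration(flow_text: str, min_factor: float = 5.0,
                        min_bytes: int = 1_000_000_000) -> list:
    """Flag (host, day) pairs whose external egress exceeds both an absolute
    floor and min_factor times the host's median egress on its other days.
    Each alert also lists destinations the host had not contacted before."""
    totals, dests = daily_external_egress(parse_flows(flow_text))
    alerts = []
    for host in sorted({h for h, _ in totals}):
        days = sorted(d for h, d in totals if h == host)
        for day in days:
            others = [totals[(host, d)] for d in days if d != day]
            if not others:          # no baseline to compare against
                continue
            base = median(others)
            observed = totals[(host, day)]
            if observed >= min_bytes and observed > min_factor * base:
                seen = set().union(*(dests[(host, d)] for d in days if d < day))
                alerts.append({
                    "host": host,
                    "date": day,
                    "bytes_out": observed,
                    "baseline_bytes": base,
                    "new_destinations": sorted(dests[(host, day)] - seen),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_FLOWS):
        print(f"{a['date']} {a['host']}: {a['bytes_out']:,} B out "
              f"(baseline {a['baseline_bytes']:,} B), "
              f"new destinations {a['new_destinations']}")
```

On the sample, only fileserver01 on 2025-05-15 is flagged: 4.25 GB against a 50 MB baseline, with 198.51.100.77 as a never-before-seen destination. The 9 GB internal transfer from wks-042 is ignored because internal copies are not egress (though a separate check on internal staging would be a reasonable companion). The median baseline is deliberately robust: once the exfiltration day enters the history it does not drag the baseline up the way a mean would, so the check keeps working on later days. A production version would read proxy, NetFlow or cloud flow logs and would add the obvious refinements this example omits, such as per-destination reputation, off-hours weighting and aggregation by user rather than host.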