Full Report
Massachusetts-based MathWorks provided an update to customers on Monday after initially reporting outages on May 18, confirming that it experienced a ransomware attack that took down online applications and internal systems used by staff.
Analysis Summary
# Incident Report: MathWorks Ransomware Attack
## Executive Summary
MathWorks, the developer of MATLAB, experienced a ransomware attack beginning around May 18, 2025, that resulted in the outage of numerous IT systems and online applications. The company engaged cybersecurity experts and federal law enforcement to manage the incident, successfully restoring many critical services, though the investigation and remediation were ongoing as of May 27, 2025. The impact included disruptions to customer access, the company website, and internal operations.
## Incident Details
- Discovery Date: May 18, 2025 (when the company initially reported outages)
- Incident Date: On or shortly before May 18, 2025
- Affected Organization: MathWorks (Developer of MATLAB)
- Sector: Software/Technology (Serving Scientific and Engineering communities)
- Geography: Headquarters in Massachusetts, US, with global offices.
## Timeline of Events
### Initial Access
- Date/Time: On or before May 18, 2025
- Vector: Not disclosed in the source; the only confirmed fact is that ransomware was successfully deployed.
- Details: Attackers deployed ransomware across the company's IT systems.
### Lateral Movement
- Details: Not detailed in the provided text, but implied by the widespread impact across "online applications and internal systems."
### Data Exfiltration/Impact
- Details: The primary impact was operational disruption caused by encrypted or disabled systems. The source makes no explicit mention of data exfiltration, although it is a standard component of modern ransomware operations. Impacted services included MATLAB Online, MATLAB Mobile, the careers page, the cloud center, the store, and File Exchange.
### Detection & Response
- Date/Time: Outages reported May 18, 2025. MATLAB Online and MATLAB Mobile were restored on Friday (May 23, assuming the news was published May 27). Updates were provided on Monday (May 26) and Tuesday (May 27).
- Details: Notified federal law enforcement. Engaged cybersecurity experts. Began bringing systems back online sequentially.
## Attack Methodology
- Initial Access: Ransomware deployment (Specific vector unknown).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Not detailed.
- Exfiltration: Not explicitly confirmed, though a standard ransomware tactic.
- Impact: Encryption/disabling of internal IT systems and online customer-facing applications.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: No explicit confirmation of external data exfiltration, though system compromise occurred.
- Operational: Significant disruption to customer access (MATLAB Online, Mobile, Store, File Exchange) and internal operations (staff systems).
- Reputational: Required public communication regarding service outages to millions of users globally.
## Indicators of Compromise
- No specific network artifacts, file hashes, or behavioral indicators were provided in the source text.
## Response Actions
- Containment measures: Not detailed, but implied by the engagement of cybersecurity experts.
- Eradication steps: In progress as of the report date.
- Recovery actions: Brought many systems back online, successfully restoring MATLAB Online and Mobile by Friday following the initial outage.
## Lessons Learned
- The incident highlights the significant operational risk posed by ransomware to organizations supporting critical scientific and engineering tools.
- The company acted quickly to involve external experts and federal law enforcement.
## Recommendations
- Prioritize comprehensive network segmentation to limit the potential lateral movement impact of future ransomware infections.
- Review and enhance endpoint detection and response capabilities to catch initial access attempts earlier.
- Ensure robust, offline/immutable backups are available to accelerate recovery from encryption-based attacks.