What is Matrix Ransomware

Matrix Ransomware is very dangerous and wide-spread ransomware virus that encrypts user files with either symmetric or asymmetric cryptography using GNU Privacy Guard (GnuPG) open source encryption software. Initial version added .matrix or .MATRIX extensions to encrypted files. However, newer generations of Matrix Ransomware began to append following extensions (beginning from the latest discovered):

.PEDANT, .ITLOCK, .PLANT, .GMBN, .GRHAN, .SPCT, .THDA, .NOBAD, .GMAN, .EMAN, .CHE08, .KOK08, .FASTBOB, .NEWRAR, .KOK8, .CORE, .FOX, .ANN, .[RestorFile@tutanota.com], .b10cked, .[RestoreFile@qq.com].MTXLOCK, .pyongyan001@yahoo.com, _[RELOCK001@TUTA.IO], _[Linersmik@naver.com][Jinnyg@tutanota.com], .[files4463@tuta.io]

After finishing encryption process, Matrix Ransomware can create text files with following names: matrix-readme.rtf, Readme-Matrix.rtf, !OoopsYourFilesLocked!.rtf, #What-Happened-With-Files#.rtf, !ReadMe_To_Decrypt_Files!.rtf, #Decrypt_Files_ReadMe#.rtf, #README_ANN#.rtf, _!PEDANT_INFO!.rtf, etc. Example of the ransom note message:

Matrix Ransomware
We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. It became possible because of bad server security.
Please don't worry, we can help you to RESTORE your server to original
state and decrypt all your files quickly and safely!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.
Please write us to the e-mail (write on English or use professional translator):
You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!
In subject line write your personal ID:
[id] We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information and their total size must be less than 5Mb.
Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
We will definitely reach an agreement ;) !!!

Virus places this files in every folder with affected files. This text file contains instruction to pay the ransom, where malefactors encourage users to contact them via e-mails: PedantBack@protonmail.com, PedantBack@tutanota.com, PedantBack@india.com, bluetablet9643@yandex.ru, matrix9643@yahoo.com, redtablet9643@yahoo.com and many others. Ransom amount is between $500 and $1500 and must be paid in Bitcoins. Matrix Ransomware is installed on computers running Windows with the help of exploit kits on websites that display malicious and common advertising that target vulnerabilities in Internet Explorer (CVE-2016-0189) and Flash (CVE-2015-8651). Both of these vulnerabilities are aimed at visitors to these sites, using already unsupported and outdated versions of Internet Explorer and Flash Player. Matrix Ransomware has some bugs and did not encrypt all files, and this can be used to attempt decryption using free decryptors available, or using the file-recovery software. Please, note, that from time to time antivirus companies and individual security researchers and enthusiasts release full working or partially working decryptors for various kinds of ransomware. If you are not able to recover your files at the moment, keep them and wait for decryptor. Use this tutorial to remove Matrix Ransomware and decrypt .PEDANT, .ITLOCK, .SPCT or .PLANT files in Windows 10, Windows 8, Windows 7.

How Matrix Ransomware infected your PC

Matrix Ransomware spreads via email spam and malicious attachments, exploits (RIG EK and EITest), fake updates, repackaged and infected installers. Usually, attachments are DOC or XLS documents. Such documents contain built-in macros, that runs in the background when user opens the document. This macros downloads and runs main executable with random name. Since that moment Matrix starts encryption process. Antivirus may not catch this threat and we recommend you to use HitmanPro with Cryptoguard. This program can detect encryption process and stop it to prevent the loss of your files.

Download Matrix Ransomware Removal Tool

Download Removal Tool

To remove Matrix Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders and registry keys of Matrix Ransomware.

How to remove Matrix Ransomware manually

It is not recommended to remove Matrix Ransomware manually, for safer solution use Removal Tools instead.

Matrix Ransomware files:


Matrix Ransomware reg keys:

no information

How to decrypt and restore .PEDANT, .ITLOCK, .SPCT or .PLANT files

kaspersky Matrix Ransomware decryptor

Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .PEDANT, .ITLOCK, .SPCT or .PLANT files. Download it here:

Download RakhniDecryptor

There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

If you are infected with Matrix Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. However, there is currently no automatic decryption tool for files encrypted by Matrix. To attempt to remove them you can do the following:

Use Stellar Phoenix Data Recovery Pro to restore .PEDANT, .ITLOCK, .SPCT or .PLANT files

  1. Download Stellar Phoenix Data Recovery Pro.
  2. Select location to scan for lost files and click Scan button.
  3. Wait until Quick and Deep scans finish.
  4. Preview found files and restore them.

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses like Matrix Ransomware in future

1. Get special anti-ransomware software

Use ZoneAlarm Anti-Ransomware

Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.

Download ZoneAlarm Anti-Ransomware

2. Back up your files

onedrive backup

Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.

3. Do not open spam e-mails and protect your mailbox

mailwasher pro

Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.

Download MailWasher Pro
Previous articleHow to remove MacAppExtensions
Next articleHow to remove Planetary Ransomware and decrypt .mira, .yum, .neptune or .pluto files
James Kramer
Hello, I'm James. My website Bugsfighter.com, a culmination of a decade's journey in the realms of computer troubleshooting, software testing, and development. My mission here is to offer you comprehensive, yet user-friendly guides across a spectrum of topics in this niche. Should you encounter any challenges with the software or the methodologies I endorse, please know that I am readily accessible for assistance. For any inquiries or further communication, feel free to reach out through the 'Contacts' page. Your journey towards seamless computing starts here


Please enter your comment!
Please enter your name here