MathWorks, the company behind MATLAB and Simulink, has confirmed a ransomware attack is responsible for disrupting both its customer-facing and internal systems. The incident began on May 18, leading to the unavailability of several online services, including the Cloud Center, File Exchange, License Center, and the MathWorks Store. The company promptly notified federal law enforcement and has been working to restore affected services.
By May 21, MathWorks had reinstated multi-factor authentication (MFA) and single sign-on (SSO) functionalities, allowing many users to regain access to their accounts. However, some users continued to face issues, such as difficulties in creating new accounts or logging in, particularly if they hadn't accessed their accounts since October 2024.
As of now, MathWorks has not disclosed details about the specific ransomware group responsible for the attack or whether any customer data was compromised. No ransomware group has publicly claimed responsibility, leaving questions about whether a ransom was paid or negotiations are ongoing.
MathWorks continues to work on restoring full functionality to its services and has committed to providing updates as more information becomes available. Customers are advised to monitor the company's official channels for the latest developments.
Source: Bleeping Computer
The MathWorks incident comes shortly after another software primarily used by schools and school boards, PowerSchool, was compromised by ransomware actors. In both cases, attackers disrupted access to core services that are essential to their respective user bases—MathWorks users lost access to tools like the Cloud Center and License Manager, while PowerSchool clients were unable to use key systems for managing student information, grades, and communications. These outages caused significant operational setbacks for educational institutions and technical organizations alike, underlining how ransomware campaigns increasingly target software vendors that serve as critical hubs for wider networks.
PowerSchool ultimately acknowledged paying a ransom to the attackers, who initially promised to delete the stolen data. However, the threat actors later re-extorted PowerSchool’s clients—including school districts and education boards—by threatening to leak or sell the same stolen information. Although MathWorks has not disclosed whether customer data was accessed, the nature of the attack and the absence of a ransomware group taking credit leaves open the possibility of ongoing risks, including delayed data-related disclosures or silent exploitation.
Ultimately, these cases illustrate a common pattern in modern ransomware operations: threat actors increasingly targeting service providers with deep integrations into client ecosystems, maximizing disruption and extortion leverage. They also show how paying ransoms doesn’t guarantee data safety, and how even sophisticated organizations with presumably strong cybersecurity controls can fall victim. These parallels highlight the need for continuous vigilance, robust incident response plans, and sector-specific resilience strategies.
Field Effect’s Security Intelligence professionals constantly monitor for threats emanating from breaches like that suffered by MathWorks. Field Effect MDR Complete users will be automatically notified if any of their personal information is disclosed as a result of this breach and are encouraged to review any related AROs and/or monthly dark web monitoring reports via the Field Effect portal as soon as possible.
To counter the threat posed by leaked credentials and other sensitive and personal information, Field Effect strongly encourages organizations to implement a dark web monitoring capability.
Related Articles