diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 019d39e..0317102 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -2821,15 +2821,20 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/",
 "https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html",
- "https://twitter.com/rommeljoven17/status/804251901529231360"
+ "https://twitter.com/rommeljoven17/status/804251901529231360",
+ "https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/"
 ],
 "ransomnotes": [
 "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png",
- "[5 numbers]-MATRIX-README.RTF"
+ "[5 numbers]-MATRIX-README.RTF",
+ "!ReadMe_To_Decrypt_Files!.rtf",
+ "#Decrypt_Files_ReadMe#.rtf"
 ],
 "encryption": "AES and RSA",
 "extensions": [
- ".MATRIX"
+ ".MATRIX",
+ ".[Files4463@tuta.io]",
+ ".[RestorFile@tutanota.com]"
 ],
 "date": "December 2016"
 },
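Review bot: The entry does not say which of the two added `ransomnotes` names belongs with which of the two added `extensions` values, and the unchanged `"date": "December 2016"` still describes only the original family, so the new indicators read as if they date from 2016. Anyone building file-creation or rename detections from this cluster has to reopen the added reference to pair them. Consider recording the pairing and the remote-desktop delivery vector named in the reference URL in the entry's description field, which lies outside this hunk, for example `Later variants, reported as installed via compromised remote desktop services, use the .[Files4463@tuta.io] and .[RestorFile@tutanota.com] markers.` It is also worth confirming against the reference that the bracketed e-mail strings are true trailing extensions, because consumers that suffix-match on `extensions` would otherwise miss the renamed files.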