Monday, September 8, 2025

Cephalus ransomware: What you need to know

What is Cephalus?

Cephalus is a relatively new ransomware operation that emerged in mid-2025, and has already been linked to a wave of high-profile data leaks.

Like many other ransomware attacks, Cephalus not only encrypts but also steals sensitive data, with victims named-and-shamed on a dedicated leak site hosted on the dark web.

Where does it get the name Cephalus from?

Cephalus is a character from Greek mythology who was given a spear by Artemis that “never missed its target.” Perhaps the ransomware group is trying to convince onlookers that it similarly always hits its intended targets.

Thanks for the classics lesson. So which types of companies has Cephalus been targeting?

So far, Cephalus has targeted law firms, financial services, healthcare organisations, a US architectural practice, a Japanese IT firm, and marketing agencies.

Earlier this month, Cephalus claimed to have leaked over 5GB worth of data from New Jersey law firm Sherman Silverstein, including what were said to be sensitive internal files such as financial records, credentials, and legal case data.

Most recently, Cephalus has added Vienna in Fairfax County, Virginia to its victim list, although there has been no official confirmation of the attack on the town’s official website. A list of Cephalus’s latest claimed victims can be found on its leak site.

Source: Ransomware.live

Nasty. How does Cephalus break into a network?

Cephalus compromises systems by leveraging Remote Desktop Protocol (RDP) accounts that haven’t been secured with multi-factor authentication (MFA).

If the malicious hackers have already managed to gather credentials to remotely log in via RDP, the lack of MFA makes it easy for the attackers to slip through.

And once it’s in…?

According to a report from researchers at security firm Huntress, Cephalus takes an unusual approach to launching its ransomware payload.

Cephalus drops a genuine program from security firm SentinelOne (SentinelBrowserNativeHost.exe) into the targeted computer’s Downloads folder. That program, which security software is likely to assume is legitimate and safe, is tricked into sideloading a malicious DLL, which in turn runs another file called data.bin that contains the actual ransomware code.

Why would they do all that?

It’s an attempt by the attackers to evade detection by security software.

Sneaky. What else does Cephalus do?

Like many other flavours of ransomware, Cephalus will delete Windows Shadow Copy files, which a company might otherwise hope to recover its data from. In addition, Cephalus stops and disables Windows Defender, allowing it to encrypt a victim’s files without resistance.

How will I know if my computers have been hit by Cephalus?

The first thing you might notice is that Cephalus has locked you out of your files, and changed their names to have a “.sss” extension. In addition, a ransom note will have been left by the attackers which reads in part:

Dear admin: We are Cephalus, 100% financially motivated. We are sorry to inform you that your intranet has been compromised by us, and we have stolen confidential data from your intranet, including your confidential clients and business contracts, etc.
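The sideloading chain and the on-disk indicators described above, turned into a small detection routine. This is an added example, not code from the article or from Huntress: it runs over constructed endpoint telemetry (the event line format, the user name and the sideloaded DLL file name are assumptions) and flags the SentinelOne lure binary or a DLL being loaded from a user’s Downloads folder, a staged data.bin, and files renamed with the .sss extension.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): "event_type|field=value|...".
# The user name "alice" and the DLL name "sideloaded.dll" are placeholders.
SAMPLE_EVENTS = [
    "process|image=C:\\Users\\alice\\Downloads\\SentinelBrowserNativeHost.exe|parent=explorer.exe",
    "imageload|image=C:\\Users\\alice\\Downloads\\SentinelBrowserNativeHost.exe|module=C:\\Users\\alice\\Downloads\\sideloaded.dll",
    "filecreate|path=C:\\Users\\alice\\Downloads\\data.bin",
    "filecreate|path=C:\\Users\\alice\\Documents\\report.docx.sss",
    # Benign: the same binary running from its normal install location.
    "process|image=C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelBrowserNativeHost.exe|parent=services.exe",
]

# Matches any per-user Downloads directory on any drive letter, case-insensitively.
DOWNLOADS_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\", re.I)
LURE_BINARY = "sentinelbrowsernativehost.exe"   # legitimate SentinelOne binary abused as the host

def parse_event(line):
    """Split 'type|k=v|k=v' into a dict; the event type goes under 'type'."""
    kind, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)
    fields["type"] = kind
    return fields

def in_downloads(path):
    return bool(DOWNLOADS_RE.match(path))

def basename(path):
    # PureWindowsPath parses backslash paths correctly even when run on Linux/macOS.
    return PureWindowsPath(path).name.lower()

def detect(lines):
    """Return (rule_name, evidence) tuples for every event matching a Cephalus indicator."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        if ev["type"] == "process" and basename(image) == LURE_BINARY and in_downloads(image):
            alerts.append(("lure_binary_from_downloads", image))      # host binary dropped in Downloads
        elif ev["type"] == "imageload" and basename(image) == LURE_BINARY and in_downloads(ev.get("module", "")):
            alerts.append(("dll_sideload_from_downloads", ev["module"]))  # DLL sideloaded from Downloads
        elif ev["type"] == "filecreate":
            path = ev.get("path", "")
            if path.lower().endswith(".sss"):
                alerts.append(("sss_extension", path))               # encrypted file naming
            elif basename(path) == "data.bin" and in_downloads(path):
                alerts.append(("data_bin_staged", path))             # payload container staged
    return alerts

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The benign last event produces no alert, so the rule keys on the unusual location rather than on the binary's name alone.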

How can my company protect itself from ransomware like Cephalus?

Organisations who feel they may be at risk would be wise to follow Fortra’s general advice for defending against ransomware attacks, which includes recommendations such as ensuring MFA is enabled on all remote access points, disabling unused RDP or VPN access entirely, and using IP allowlists or geofencing where possible.

In addition, it’s recommended that all companies follow best practices for defending against ransomware attacks, which include recommendations such as:

  • Making secure off-site backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Reducing the attack surface by disabling functionality that your company doesn’t need.
  • Educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.
