What’s Cephalus?
Cephalus is a comparatively new ransomware operation that emerged in mid-2025, and has already been linked to a wave of high-profile information leaks.
Like many different ransomware assaults, Cephalus not solely encrypts but additionally steals delicate information – with victims named-and-shamed on a devoted leak web site hosted on the darkish internet.
The place does it get the title Cephalus from?
Cephalus is a personality from Greek mythology who was given a spear by Artemis that “by no means missed its goal.” Maybe the ransomware group is making an attempt to persuade onlookers that it equally all the time hits its meant targets.
Thanks for the classics lesson. So which sorts of corporations has Cephalus been concentrating on?
Up to now, Cephalus has focused legislation companies, monetary providers, healthcare organisations, a US architectural observe, a Japanese IT agency, and advertising businesses.
Earlier this month, Cephalus claimed to have leaked over 5GB value of knowledge from New Jersey legislation agency Sherman Silverstein – together with what have been stated to be delicate inside information, together with monetary information, credentials, and authorized case information.
Most not too long ago, Cephalus has added Vienna in Fairfax County, Virginia to its sufferer checklist – though there was no official affirmation of the assault on the city’s official web site. A listing of Cephalus’s latest claimed victims will be discovered on its leak web site.
Nasty. How does Cephalus break right into a community?
Cephalus compromises techniques by leveraging Distant Desktop Protocol (RDP) accounts that haven’t been secured with multi-factor authentication (MFA).
If the malicious hackers have already managed to assemble credentials to remotely log in by way of RDP, the dearth of MFA makes it simple for the attackers to slide by.
And when it is in…?
In keeping with a report from researchers at safety agency Huntress, Cephalus takes an uncommon method to launching its ransomware payload.
Cephalus drops an actual program from safety agency SentinelOne (SentinelBrowserNativeHost.exe) into the focused laptop’s Downloads folder. That program, which safety software program is prone to assume is authentic and protected, is tricked into sideloading a malicious DLL, that runs one other file referred to as information.bin that incorporates the precise ransomware code.
Why would they do all that?
It is an try by the attackers to evade detection by safety software program.
Sneaky. What else does Cephalus do?
Like many different flavours of ransomware, Cephalus will delete Home windows Shadow Copy information – which an organization may hope to get well their information from. As well as, Cephalus stops and disables Home windows Defender from working, permitting it to encrypt a sufferer’s information with out resistance.
How will I do know if my computer systems have been hit by Cephalus?
The very first thing you may discover is that Cephalus has locked you out of your information, and adjusted their names to have a “.sss” extension. As well as, a ransom word can have been left by the attackers which reads partially:
Pricey admin: We’re Cephalus, 100% monetary motivated. We’re sorry to inform you that your intranet has been compromised by us, and now we have stolen confidential information out of your intranet, together with your confidential purchasers and enterprise contracts ,and so forth.
How can my firm defend itself from ransomware like Cephalus?
Organisations who really feel they could be in danger can be smart to comply with Fortra’s basic recommendation for defending in opposition to ransomware assaults, which incorporates suggestions akin to guaranteeing MFA is enabled on all distant entry factors, disabling unused RDP or VPN entry solely, and use IP allowlists or geofencing the place doable.
As well as, it is really useful that each one corporations comply with greatest practices for defending in opposition to ransomware assaults, which embrace suggestions akin to:
- Making safe off-site backups.
- Operating up-to-date safety options and guaranteeing that your computer systems are protected with the most recent safety patches in opposition to vulnerabilities.
- Utilizing hard-to-crack distinctive passwords to guard delicate information and accounts, in addition to enabling multi-factor authentication.
- Encrypting delicate information wherever doable.
- Decreasing the assault floor by disabling performance that your organization doesn’t want.
- Educating and informing workers concerning the dangers and strategies utilized by cybercriminals to launch assaults and steal information.
Editor’s Word: The opinions expressed on this and different visitor creator articles are solely these of the contributor and don’t essentially replicate these of Fortra.
