Cephalus ransomware: What you need to know


What's Cephalus?

Cephalus is a relatively new ransomware operation that emerged in mid-2025, and has already been linked to a wave of high-profile data leaks.

Like many other ransomware attacks, Cephalus not only encrypts but also steals sensitive data, with victims named-and-shamed on a dedicated leak site hosted on the dark web.

Where does it get the name Cephalus from?

Cephalus is a character from Greek mythology who was given a spear by Artemis that "never missed its target." Perhaps the ransomware group is trying to convince onlookers that it similarly always hits its intended targets.

Thanks for the classics lesson. So which types of companies has Cephalus been targeting?

So far, Cephalus has targeted law firms, financial services, healthcare organisations, a US architectural practice, a Japanese IT firm, and marketing agencies.

Earlier this month, Cephalus claimed to have leaked over 5GB worth of data from New Jersey law firm Sherman Silverstein, including what were said to be sensitive internal files such as financial records, credentials, and legal case files.

Most recently, Cephalus has added Vienna in Fairfax County, Virginia to its victim list, although there has been no official confirmation of the attack on the town's official website. A list of Cephalus's recent claimed victims can be found on its leak site.

Nasty. How does Cephalus break into a network?

Cephalus compromises systems by leveraging Remote Desktop Protocol (RDP) accounts that haven't been secured with multi-factor authentication (MFA).

If the malicious hackers have already managed to gather credentials to log in remotely via RDP, the lack of MFA makes it easy for the attackers to slip through.

And once it's in…?

According to a report from researchers at security firm Huntress, Cephalus takes an unusual approach to launching its ransomware payload.

Cephalus drops a genuine program from security firm SentinelOne (SentinelBrowserNativeHost.exe) into the targeted computer's Downloads folder. That program, which security software is likely to assume is legitimate and safe, is tricked into sideloading a malicious DLL, which in turn runs another file called data.bin that contains the actual ransomware code.

Why would they do all that?

It's an attempt by the attackers to evade detection by security software: the signed, well-known executable does the loading, so the malicious code never has to be launched directly.

Sneaky. What else does Cephalus do?

Like many other flavours of ransomware, Cephalus will delete Windows Shadow Copy files, which a company might otherwise hope to recover its data from. In addition, Cephalus stops and disables Windows Defender, allowing it to encrypt a victim's data without resistance.

How will I know if my computers have been hit by Cephalus?

The first thing you might notice is that Cephalus has locked you out of your files and changed their names to have a ".sss" extension. In addition, a ransom note will have been left by the attackers which reads in part:

Dear admin: We are Cephalus, 100% financial motivated. We are sorry to tell you that your intranet has been compromised by us, and we have stolen confidential data from your intranet, including your confidential clients and business contracts, etc.
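The behaviours described above (the SentinelOne binary running from a Downloads folder and sideloading a DLL that reads data.bin, shadow-copy deletion, Defender being stopped, and files being renamed to ".sss") can each be turned into a hunting rule. The following is an added example written for this article, not code from Huntress, SentinelOne or Fortra. The event schema, the file paths, the DLL name and the exact command lines for wiping shadow copies and stopping Defender are constructed assumptions for illustration; only SentinelBrowserNativeHost.exe, data.bin and the ".sss" extension come from the article itself.

```python
"""Hunting rules for the Cephalus tradecraft described in the article.

Added example code; not from Huntress, SentinelOne or Fortra. The event
field names, paths and command lines are constructed for illustration.
"""
from collections import Counter
from pathlib import PureWindowsPath

SIDELOAD_HOST = "sentinelbrowsernativehost.exe"          # named in the article
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def _lower_path(p):
    return PureWindowsPath(p.lower())


def is_trusted_location(path):
    """True when an image sits under a root that ordinary users cannot write to."""
    return str(_lower_path(path)).startswith(TRUSTED_ROOTS)


def rule_sideload(ev):
    """Flag the SentinelOne host binary running from a writable location, loading
    a DLL from that same directory, or reading data.bin (the payload container)."""
    if ev.get("type") not in ("process_create", "image_load", "file_read"):
        return None
    image = _lower_path(ev["image"])
    if image.name != SIDELOAD_HOST or is_trusted_location(ev["image"]):
        return None
    if ev["type"] == "process_create":
        return f"{SIDELOAD_HOST} launched from untrusted path {ev['image']}"
    target = _lower_path(ev.get("target", ""))
    if ev["type"] == "image_load" and target.parent == image.parent:
        return f"possible DLL sideload: {ev['target']} loaded from {image.parent}"
    if ev["type"] == "file_read" and target.name == "data.bin":
        return f"payload container data.bin read by {SIDELOAD_HOST}"
    return None


def rule_shadow_copy(ev):
    """Common shadow-copy wipers (vssadmin / wmic). The article does not give the
    exact command Cephalus runs, so these patterns are an assumption."""
    if ev.get("type") != "process_create":
        return None
    cmd = ev.get("cmdline", "").lower()
    if ("vssadmin" in cmd and "delete shadows" in cmd) or ("shadowcopy" in cmd and "delete" in cmd):
        return f"shadow copy deletion: {ev['cmdline']}"
    return None


def rule_defender_tamper(ev):
    """Stopping the Defender service or disabling it via Set-MpPreference (assumed methods)."""
    if ev.get("type") != "process_create":
        return None
    cmd = ev.get("cmdline", "").lower()
    if "windefend" in cmd and ("stop" in cmd or "disabled" in cmd):
        return f"Defender service tampering: {ev['cmdline']}"
    if "set-mppreference" in cmd and "-disable" in cmd:
        return f"Defender preference tampering: {ev['cmdline']}"
    return None


RULES = (rule_sideload, rule_shadow_copy, rule_defender_tamper)


def scan(events, sss_threshold=20):
    """Apply every rule to each event, then flag any process that has renamed
    many files to the ".sss" extension, which means encryption is under way."""
    alerts = [hit for ev in events for rule in RULES if (hit := rule(ev))]
    renames = Counter(
        ev["pid"] for ev in events
        if ev.get("type") == "file_rename" and ev.get("target", "").lower().endswith(".sss")
    )
    for pid, n in renames.items():
        if n >= sss_threshold:
            alerts.append(f"pid {pid} renamed {n} files to .sss (mass encryption)")
    return alerts


# Constructed telemetry: a benign run of the same binary from its install
# directory (should stay quiet), followed by the Cephalus-style chain.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "cmdline": "",
     "image": r"C:\Program Files\Vendor\SentinelBrowserNativeHost.exe"},
    {"type": "image_load", "pid": 100,
     "image": r"C:\Program Files\Vendor\SentinelBrowserNativeHost.exe",
     "target": r"C:\Program Files\Vendor\helper.dll"},
    {"type": "process_create", "pid": 200, "cmdline": "",
     "image": r"C:\Users\jsmith\Downloads\SentinelBrowserNativeHost.exe"},
    {"type": "image_load", "pid": 200,
     "image": r"C:\Users\jsmith\Downloads\SentinelBrowserNativeHost.exe",
     "target": r"C:\Users\jsmith\Downloads\sideloaded.dll"},
    {"type": "file_read", "pid": 200,
     "image": r"C:\Users\jsmith\Downloads\SentinelBrowserNativeHost.exe",
     "target": r"C:\Users\jsmith\Downloads\data.bin"},
    {"type": "process_create", "pid": 201, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process_create", "pid": 202, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop WinDefend"},
] + [
    {"type": "file_rename", "pid": 200, "target": rf"C:\Shares\Finance\invoice_{i}.xlsx.sss"}
    for i in range(25)
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The sideload rule deliberately keys on location rather than on the binary's signature: the executable really is SentinelOne's, so signature checks pass, and what gives the chain away is a trusted-vendor binary living in a user's Downloads folder and loading a DLL from beside itself. The ".sss" rename count is a last-resort signal; by the time it fires, encryption has already started, so the earlier rules are the ones worth alerting on.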

How can my company protect itself from ransomware like Cephalus?

Organisations who feel they may be at risk would be wise to follow Fortra's general advice for defending against ransomware attacks, which includes recommendations such as ensuring MFA is enabled on all remote access points, disabling unused RDP or VPN access entirely, and using IP allowlists or geofencing where possible.

In addition, it is recommended that all companies follow best practices for defending against ransomware attacks, which include recommendations such as:

  • Making secure off-site backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Reducing the attack surface by disabling functionality that your company doesn't need.
  • Educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

Editor's Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.
