What’s Cephalus?
Cephalus is a comparatively new ransomware operation that emerged in mid-2025, and has already been linked to a wave of high-profile knowledge leaks.
Like many different ransomware assaults, Cephalus not solely encrypts but in addition steals delicate knowledge – with victims named-and-shamed on a devoted leak web site hosted on the darkish internet.
The place does it get the identify Cephalus from?
Cephalus is a personality from Greek mythology who was given a spear by Artemis that “by no means missed its goal.” Maybe the ransomware group is attempting to persuade onlookers that it equally all the time hits its meant targets.
Thanks for the classics lesson. So which forms of corporations has Cephalus been focusing on?
To date, Cephalus has focused regulation corporations, monetary companies, healthcare organisations, a US architectural follow, a Japanese IT agency, and advertising and marketing businesses.
Earlier this month, Cephalus claimed to have leaked over 5GB value of information from New Jersey regulation agency Sherman Silverstein – together with what had been stated to be delicate inner information, together with monetary information, credentials, and authorized case information.
Most not too long ago, Cephalus has added Vienna in Fairfax County, Virginia to its sufferer checklist – though there was no official affirmation of the assault on the city’s official web site. An inventory of Cephalus’s current claimed victims might be discovered on its leak web site.
Nasty. How does Cephalus break right into a community?
Cephalus compromises programs by leveraging Distant Desktop Protocol (RDP) accounts that haven’t been secured with multi-factor authentication (MFA).
If the malicious hackers have already managed to assemble credentials to remotely log in by way of RDP, the shortage of MFA makes it simple for the attackers to slide via.
And when it is in…?
In response to a report from researchers at safety agency Huntress, Cephalus takes an uncommon strategy to launching its ransomware payload.
Cephalus drops an actual program from safety agency SentinelOne (SentinelBrowserNativeHost.exe) into the focused laptop’s Downloads folder. That program, which safety software program is prone to assume is professional and secure, is tricked into sideloading a malicious DLL, that runs one other file referred to as knowledge.bin that accommodates the precise ransomware code.
Why would they do all that?
It is an try by the attackers to evade detection by safety software program.
Sneaky. What else does Cephalus do?
Like many different flavours of ransomware, Cephalus will delete Home windows Shadow Copy information – which an organization may hope to recuperate their knowledge from. As well as, Cephalus stops and disables Home windows Defender from working, permitting it to encrypt a sufferer’s information with out resistance.
How will I do know if my computer systems have been hit by Cephalus?
The very first thing you may discover is that Cephalus has locked you out of your information, and adjusted their names to have a “.sss” extension. As well as, a ransom observe may have been left by the attackers which reads partly:
Expensive admin: We’re Cephalus, 100% monetary motivated. We’re sorry to let you know that your intranet has been compromised by us, and now we have stolen confidential knowledge out of your intranet, together with your confidential purchasers and enterprise contracts ,and many others.
How can my firm shield itself from ransomware like Cephalus?
Organisations who really feel they could be in danger can be clever to observe Fortra’s normal recommendation for defending towards ransomware assaults, which incorporates suggestions resembling guaranteeing MFA is enabled on all distant entry factors, disabling unused RDP or VPN entry totally, and use IP allowlists or geofencing the place attainable.
As well as, it is beneficial that every one corporations observe greatest practices for defending towards ransomware assaults, which embody suggestions resembling:
- Making safe off-site backups.
- Operating up-to-date safety options and guaranteeing that your computer systems are protected with the most recent safety patches towards vulnerabilities.
- Utilizing hard-to-crack distinctive passwords to guard delicate knowledge and accounts, in addition to enabling multi-factor authentication.
- Encrypting delicate knowledge wherever attainable.
- Lowering the assault floor by disabling performance that your organization doesn’t want.
- Educating and informing employees in regards to the dangers and strategies utilized by cybercriminals to launch assaults and steal knowledge.
Editor’s Be aware: The opinions expressed on this and different visitor writer articles are solely these of the contributor and don’t essentially mirror these of Fortra.
