Cephalus ransomware: What you need to know

Where does it get the name Cephalus from?

Cephalus is a character from Greek mythology who was given a spear by Artemis that “never missed its aim.” Perhaps the ransomware group is trying to convince onlookers that it similarly always hits its intended targets.

Thanks for the classics lesson. So which types of companies has Cephalus been targeting?

So far, Cephalus has targeted law firms, financial services, healthcare organisations, a US architectural practice, a Japanese IT firm, and marketing agencies. 

Earlier this month, Cephalus claimed to have leaked over 5GB worth of data from New Jersey law firm Sherman Silverstein – including what were said to be sensitive internal files, including financial records, credentials, and legal case files. 

Most recently, Cephalus has added Vienna in Fairfax County, Virginia to its victim list – although there has been no official confirmation of the attack on the town’s official website. A list of Cephalus’s recent claimed victims can be found on its leak site.

And when it’s in…?

According to a report from researchers at security firm Huntress, Cephalus takes an unusual approach to launching its ransomware payload. 

Cephalus drops a real program from security firm SentinelOne (SentinelBrowserNativeHost.exe) into the targeted computer’s Downloads folder. That program, which security software is likely to assume is legitimate and safe, is tricked into sideloading a malicious DLL, that runs another file called data.bin that contains the actual ransomware code.