Cephalus Ransomware Emerges as a Go-Based Threat Targeting Windows Networks
A new ransomware strain, Cephalus, written in Go, has been active since at least June 2025, with broader public reporting surfacing in August 2025. The malware targets Windows networks and employs a double-extortion tactic: it steals sensitive data before encrypting files, then uses both the leak threat and the encryption to pressure victims into paying. Attackers often leak small "proof" datasets to demonstrate their access, amplifying the operational disruption.
Initial intrusions have been linked to exposed Remote Desktop Protocol (RDP) services lacking multi-factor authentication (MFA), frequently paired with stolen credentials. Once inside, Cephalus moves rapidly, disabling defenses and crippling recovery options. It uses a hybrid encryption scheme, combining AES-256 in CTR mode for file encryption with RSA-1024 to secure per-victim keys.
Researchers at AttackIQ mapped Cephalus’s deployment patterns into an emulation sequence, drawing from reports by Huntress (August 2025) and AhnLab (December 2025), alongside internal analysis. The malware’s tactics, techniques, and procedures (TTPs) include:
- Process injection via VirtualAlloc and VirtualProtect.
- Persistence through scheduled tasks (schtasks).
- Environment reconnaissance using Windows APIs (GetSystemInfo, GetUserNameW, CreateToolhelp32Snapshot).
- File system enumeration with FindFirstFileW and FindNextFileW.
- Defense evasion, notably tampering with Microsoft Defender: disabling real-time protection, adding exclusions, and modifying registry keys via PowerShell (Add-MpPreference, Set-MpPreference).
Cephalus’s rapid execution and focus on disabling security controls make it a formidable threat, particularly against organizations with unsecured RDP access or weak credential hygiene. The ransomware’s ability to bypass defenses and disrupt recovery underscores the need for proactive monitoring of high-risk entry points.
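The Defender-tampering and scheduled-task TTPs listed above translate directly into process-creation detection rules. As an added example (not code from AttackIQ, Huntress or AhnLab), the Python below runs those rules over a handful of constructed process-creation records; the field names and sample command lines are assumptions made for this illustration. Note that Set-MpPreference and Add-MpPreference are legitimate administrative cmdlets, so matches are triage leads to be weighed against the host, user and time, not verdicts.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Values are invented for this example and are not from any real incident.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 4133, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell Add-MpPreference -ExclusionPath "C:\\Users\\Public"'},
    {"pid": 4150, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc onlogon /tn "Updater" /tr "C:\\Users\\Public\\svc.exe"'},
    {"pid": 4201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-MpPreference"},  # benign read-only query, must not match
]

# One rule per TTP named in the write-up: realtime protection disabled,
# Defender exclusion added, scheduled task created.
RULES = [
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference.*-Exclusion(Path|Process|Extension)", re.I)),
    ("scheduled_task_created",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)),
]


def classify(event):
    """Return the names of every rule the event's command line matches."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def scan(events):
    """Map pid -> matched rule names, keeping only events that tripped a rule."""
    hits = {}
    for event in events:
        matched = classify(event)
        if matched:
            hits[event["pid"]] = matched
    return hits


if __name__ == "__main__":
    for pid, names in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```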
Source: https://cybersecuritynews.com/cephalus-ransomware-emerges-as-go-based-double-extortion-threat/
AttackIQ cybersecurity rating report: https://www.rankiteo.com/company/attackiq
{
  "id": "ATT1770818084",
  "linkid": "attackiq",
  "type": "Ransomware",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "attack_vector": ["Exposed Remote Desktop Protocol (RDP)", "Stolen credentials"],
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "sensitivity_of_data": "High (used for extortion)",
    "type_of_data_compromised": "Sensitive data"
  },
  "date_detected": "2025-06-01",
  "date_publicly_disclosed": "2025-08-01",
  "description": "A new ransomware strain, Cephalus, written in Go, has been active since at least June 2025, targeting Windows networks with a double-extortion tactic. Attackers steal sensitive data before encrypting files to pressure victims into paying ransoms. The malware disables defenses and cripples recovery options using a hybrid encryption scheme (AES-256 and RSA-1024). Initial intrusions are linked to exposed RDP services lacking MFA and stolen credentials.",
  "impact": {
    "data_compromised": "Sensitive data stolen and leaked as proof",
    "operational_impact": "Disruption due to encryption and defense evasion",
    "systems_affected": "Windows networks"
  },
  "initial_access_broker": {"entry_point": "Exposed RDP services"},
  "lessons_learned": "Organizations with unsecured RDP access or weak credential hygiene are at high risk. Proactive monitoring of high-risk entry points is critical.",
  "motivation": ["Financial gain", "Data extortion"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Disable or secure RDP services with MFA",
      "Improve credential management",
      "Enhance monitoring and detection capabilities"
    ],
    "root_causes": [
      "Exposed RDP services without MFA",
      "Stolen credentials",
      "Weak security controls"
    ]
  },
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransomware_strain": "Cephalus"
  },
  "recommendations": [
    "Implement multi-factor authentication (MFA) for RDP services",
    "Enhance credential hygiene",
    "Monitor high-risk entry points",
    "Deploy proactive security controls to detect and mitigate ransomware attacks"
  ],
  "references": [
    {"source": "AttackIQ"},
    {"date_accessed": "2025-08-01", "source": "Huntress"},
    {"date_accessed": "2025-12-01", "source": "AhnLab"}
  ],
  "title": "Cephalus Ransomware Emerges as a Go-Based Threat Targeting Windows Networks",
  "type": "Ransomware",
  "vulnerability_exploited": "Lack of multi-factor authentication (MFA)"
}