Hacked RDP credentials facilitate Cephalus ransomware delivery

The newly emergent Cephalus ransomware operation has been leveraging stolen Remote Desktop Protocol credentials to gain initial access to victims, GBHackers News reports.

Stolen credentials for RDP accounts that lacked multi-factor authentication were used by Cephalus to infiltrate targeted organizations' networks and launch custom malware tailored to each victim for maximum success, according to an analysis from the AhnLab Security Intelligence Center. Once executed, the Go-based Cephalus ransomware immediately deactivates Windows Defender, Microsoft SQL Server databases, and Veeam backup software, and also erases Volume Shadow Copy Service backups to make data recovery more challenging.

Cephalus also conceals the single key it uses for AES-CTR encryption: it generates decoy keys at run time, keeps the real key in a SecureMemory structure, uses Windows API functions to lock that key in memory, and XORs it with a random value before storage. Further analysis is needed to establish whether the Cephalus group is connected to other ransomware operations.
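As an added illustration (not from the article or from AhnLab's analysis), the pre-encryption behaviours described above, stopping Defender, SQL Server and Veeam and deleting shadow copies, can be correlated from process-creation logs. The log format and the specific command patterns are assumptions; the article does not say which commands Cephalus uses.

```python
import re
from datetime import datetime

# Constructed process-creation log lines for illustration (not from the article).
SAMPLE_LOGS = """\
2024-01-01T10:00:01 user=svc_backup parent=services.exe cmd=svchost.exe -k netsvcs
2024-01-01T10:02:13 user=jdoe parent=explorer.exe cmd=vssadmin.exe delete shadows /all /quiet
2024-01-01T10:02:14 user=jdoe parent=cmd.exe cmd=net stop "Veeam Backup Service" /y
2024-01-01T10:02:15 user=jdoe parent=cmd.exe cmd=sc stop MSSQLSERVER
2024-01-01T10:02:16 user=jdoe parent=powershell.exe cmd=Set-MpPreference -DisableRealtimeMonitoring $true
2024-01-01T10:05:00 user=admin parent=explorer.exe cmd=notepad.exe report.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

# One rule per behaviour the article attributes to Cephalus. The command patterns
# are common ways of performing each action and are an assumption of this example.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_or_db_service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+.*(veeam|mssql|sql)", re.I),
    "defender_disable": re.compile(r"Set-MpPreference\s+-Disable\w*Monitoring\s+\$true", re.I),
}

def scan(log_text):
    """Return one finding per (log line, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        for name, pattern in RULES.items():
            if pattern.search(m["cmd"]):
                findings.append({"rule": name, "ts": datetime.fromisoformat(m["ts"]),
                                 "user": m["user"], "cmd": m["cmd"]})
    return findings

def correlate(findings, window_seconds=300):
    """Alert on each user who triggers two or more distinct rules inside the window.
    A single hit can be benign admin work; several in quick succession is the
    pre-encryption pattern described in the article."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["user"], []).append(f)
    alerts = []
    for user, hits in by_user.items():
        hits.sort(key=lambda f: f["ts"])
        rules = sorted({f["rule"] for f in hits})
        span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds()
        if len(rules) >= 2 and span <= window_seconds:
            alerts.append({"user": user, "rules": rules, "first_seen": hits[0]["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in correlate(scan(SAMPLE_LOGS)):
        print(alert)
```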
