Redazione RHC : 8 September 2025 19:15
In mid-August, researchers encountered the Cephalus ransomware in two separate incidents. Amid recent outbreaks of families such as Crux and KawaLocker, a ransom note beginning with the words “We are Cephalus” attracted attention. In both cases the attackers gained initial access over RDP using compromised credentials on accounts without multi-factor authentication, and used the MEGA cloud service, apparently to exfiltrate data.
The most notable aspect of the attack chain was how the ransomware was launched. The attackers used DLL side-loading through a legitimate SentinelOne component: SentinelBrowserNativeHost.exe was run from the Downloads directory and loaded a substituted SentinelAgentCore.dll placed next to it, which in turn loaded the file data.bin containing the ransomware code.
On one host the attempt was blocked by Microsoft Defender; on the other, encryption began. No command-line parameters were observed at launch, which indirectly suggests the sample was not run in a mode targeting available network shares.
It is important to note that both affected organizations were indeed SentinelOne customers. At the same time, the presence of SentinelBrowserNativeHost.exe in the Downloads folder is unusual: telemetry shows millions of legitimate launches of this executable per day across customer infrastructures, but not from users’ Downloads folders, which makes that location a good indicator of suspicious activity. Modern SIEM systems can detect such anomalies: for example, the DLL_Side_Loading rule in MaxPatrol SIEM detects a library being created in the same folder as a binary and subsequently loaded into that binary’s process.
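The two signals described above (the SentinelOne host binary starting from a user directory, and a DLL dropped next to a binary and then loaded by it) can be expressed as simple correlation logic over endpoint telemetry. The following is an added example written for this article, not code from the researchers or from any SIEM vendor: it runs two such rules over constructed Sysmon-style events (EventID 1 = process creation, 11 = file creation, 7 = image load). The paths, PIDs, user name and the "Signed" field values are invented sample data, not telemetry from the incidents.

```python
import ntpath
import re

# Constructed sample events in a Sysmon-like shape. Everything here is invented
# for the example: a legitimate launch from Program Files (PID 4120) and the
# suspicious pattern from the article, a DLL dropped into Downloads and then
# loaded by SentinelBrowserNativeHost.exe started from the same folder (PID 5588).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelBrowserNativeHost.exe",
     "ParentImage": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelBrowserNativeHost.exe",
     "ImageLoaded": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgentCore.dll",
     "Signed": "true"},
    {"EventID": 11, "ProcessId": 7012,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Downloads\SentinelAgentCore.dll"},
    {"EventID": 1, "ProcessId": 5588,
     "Image": r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 5588,
     "Image": r"C:\Users\jdoe\Downloads\SentinelBrowserNativeHost.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\SentinelAgentCore.dll",
     "Signed": "false"},
]

TARGET_BINARY = "sentinelbrowsernativehost.exe"
# Any path under a user profile (Downloads, Desktop, AppData, ...) is treated as
# user-writable and therefore anomalous for this binary.
USER_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


def basename(path):
    return ntpath.basename(path).lower()


def dirname(path):
    return ntpath.dirname(path).lower()


def detect(events):
    """Return a list of (rule, pid, detail) alerts for a stream of events.

    Rule 1: SentinelBrowserNativeHost.exe started from a user profile directory.
    Rule 2: a DLL that was created on disk earlier in the stream is loaded from
            the same directory as the loading process image (side-loading).
    Rule 3: fallback when no FileCreate was seen: an unsigned DLL loaded from
            the process's own directory under a user profile.
    """
    alerts = []
    created = set()  # normalized paths seen in FileCreate events so far
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            created.add(ev["TargetFilename"].lower())
        elif eid == 1:
            img = ev["Image"]
            if basename(img) == TARGET_BINARY and USER_DIR_RE.match(img):
                alerts.append(("anomalous_s1_host_launch", ev["ProcessId"], img))
        elif eid == 7:
            img, dll = ev["Image"], ev["ImageLoaded"]
            same_dir = dirname(img) == dirname(dll)
            if same_dir and dll.lower() in created:
                alerts.append(("dll_side_loading", ev["ProcessId"], dll))
            elif same_dir and USER_DIR_RE.match(dll) and ev.get("Signed", "").lower() != "true":
                alerts.append(("unsigned_dll_from_user_dir", ev["ProcessId"], dll))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

The legitimate launch from Program Files produces no alert, because the side-loading rule is keyed on a file being written and then loaded from the binary's own directory rather than on the DLL name alone; in production the FileCreate lookup would be bounded by a time window and the "unsigned" check replaced by a real Authenticode verification of the loaded image.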
Before encrypting, Cephalus seeks to deprive the system of any recovery option and to blind its defenses. Deletion of volume shadow copies was observed, along with a sequence of PowerShell commands and registry changes aimed at disabling Windows Defender components, adding exclusions, and stopping related services. These actions preceded the creation of the ransom note and the encryption itself, which matches the typical tactics of modern groups.
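The pre-encryption preparation described above is a sequence of well-known command lines, which makes it a good place to stop the attack before the note appears. The following is an added example, not code from the article or the researchers: it tags constructed process command lines with the generic forms of shadow-copy deletion and Windows Defender tampering (disabling monitoring, adding exclusions, changing the Defender policy key, stopping the service) and raises a combined "pre-encryption" verdict when both the recovery-destruction and the defense-evasion steps occur. The sample command lines are constructed; the article does not publish the exact commands Cephalus ran, so these patterns are assumptions about their common shape.

```python
import re

# Constructed sample (pid, command line) pairs. The exact commands used by
# Cephalus are not published; these are the generic forms of the behaviours
# the article describes, plus two benign lines that must not match.
SAMPLE_CMDLINES = [
    (101, "powershell.exe Get-Process"),
    (102, "vssadmin.exe delete shadows /all /quiet"),
    (103, "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true "
          "-DisableBehaviorMonitoring $true"),
    (104, 'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\jdoe\\Downloads"'),
    (105, 'reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
          "/v DisableAntiSpyware /t REG_DWORD /d 1 /f"),
    (106, "sc.exe stop WinDefend"),
    (107, 'powershell.exe -c "Get-ChildItem C:\\Users"'),
]

# Each rule is (tag, compiled regex). Tags starting with "defender_" count as
# Defender tampering for the combined verdict below.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows"
        r"|\bwmic(\.exe)?\b.*shadowcopy\s+delete"
        r"|Win32_ShadowCopy.*\bDelete\b", re.I)),
    ("defender_disabled", re.compile(
        r"Set-MpPreference\b.*-Disable\w+Monitoring\s+\$?true", re.I)),
    ("defender_exclusion_added", re.compile(
        r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("defender_policy_registry", re.compile(
        r"\breg(\.exe)?\s+add\b.*Windows Defender.*/v\s+Disable\w+.*/d\s+1", re.I)),
    ("defender_service_stopped", re.compile(
        r"\b(sc(\.exe)?\s+stop|Stop-Service)\s+.*\b(WinDefend|WdNisSvc)\b", re.I)),
]


def classify(cmdline):
    """Return the list of rule tags that match one command line."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def analyze(entries):
    """Tag each (pid, cmdline) pair and decide whether the combination looks
    like pre-encryption preparation: shadow copies removed AND Defender
    tampered with in the same stream."""
    hits = []
    tactics = set()
    for pid, cmd in entries:
        for tag in classify(cmd):
            hits.append((pid, tag))
            tactics.add(tag)
    defender_tampered = any(t.startswith("defender_") for t in tactics)
    pre_encryption = "shadow_copy_deletion" in tactics and defender_tampered
    return {"hits": hits, "pre_encryption_pattern": pre_encryption}


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINES)
    for pid, tag in result["hits"]:
        print(f"pid={pid} {tag}")
    print("pre-encryption pattern:", result["pre_encryption_pattern"])
```

Individually, some of these commands have legitimate administrative uses (an admin may add an exclusion or stop WinDefend during maintenance), which is why the example escalates only on the combination; in a real deployment the stream would be scoped to one host and a short time window, and the shadow-copy rule would also cover the WMI and PowerShell variants.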
Another detail is the ransom note itself. In the cases detected, the text opened with a direct introduction (“We are Cephalus”), claimed that “confidential data” had been stolen, and gave instructions on how to make contact. Unlike variants previously published on social media, the note was addressed to the victim organization’s domain and included links to two “newspaper articles” about earlier Cephalus attacks, presumably to increase pressure and create an appearance of notoriety. In some cases the victim was invited to follow a GoFile link and, using a password, review a sample of the supposedly stolen files.
In both incidents MEGAsync was not only the exfiltration endpoint but was also visible in the host’s process lineage: MEGAcmdUpdater.exe was launched, and in one incident via the Task Scheduler. This fits the double-extortion model, in which encryption is complemented by prior exfiltration.
The set of technical characteristics already forms a recognizable profile. Observations included the “.sss” extension on encrypted files and the ransom note file name “recover.txt”. Artifacts include the path C:\Users\[user]\Downloads as the operator’s working directory, the workstation name Desktop-uabs01, and the SHA-256 checksums of the chain components: 0d9dfc113712054d8595b50975efd9c68f4cb8960eca010076b46d2fba3d2754 for SentinelBrowserNativeHost.exe and 82f5fb086d15a8079c79275c2d4a6152934e2dd61cc6a4976b492f74062773a7 for SentinelAgentCore.dll.
Cephalus fits into the familiar ransomware landscape, but combines old entry points with a non-trivial launch technique via a legitimate executable. The practical implications for defenders remain significant: close RDP exposed without MFA, monitor for anomalous launches of SentinelBrowserNativeHost.exe, especially from user directories, limit or control the use of MEGA and similar tools, and watch for any attempt to interfere with Windows Defender settings and services. The greater the visibility into the actions before encryption, the greater the chance of stopping the attack before ransom notes and downtime appear.