Mallory

Cephalus

Also known as: cephalus

Cephalus is a ransomware and extortion group first observed in mid-June 2025. The group explicitly states that it is “100%” financially motivated. Reported operations are targeted and customized against specific organizations and involve initial compromise, data exfiltration, and encryption, consistent with double-extortion activity.

Cephalus has been observed targeting the healthcare sector; reporting states that emerging groups including Cephalus contributed to a 31% increase in attacks on healthcare organizations in Q3 2025. One reported victim listing involved Colorado Health Network, which Cephalus added to its dark web leak site in August 2025, claiming to have stolen 900 GB of data; the referenced reporting states that the group disappeared from public view days later and did not publish that data on any server cited in the report.

The group’s reported initial access method is theft of credentials for Remote Desktop Protocol (RDP) accounts that do not have multi-factor authentication enabled. Ransom notes attributed to Cephalus claim compromise of the victim intranet and theft of confidential data, including client information and business contracts, and threaten publication of the data, direct contact with clients, and reporting of alleged data-protection violations to regulators unless payment is made in Bitcoin. The notes reportedly offer proof of theft, including via a GoFile repository link, and instruct victims to contact the actors via Tox or Proton Mail. The ransom note is reported as "recover.txt" and is created in directories where encryption has completed.

Cephalus ransomware is described as written in Go. Reported behaviors include disabling Windows Defender real-time protection, deleting Volume Shadow Copy Service backups, and stopping services including Veeam and MSSQL to hinder recovery and increase the impact of encryption. File encryption reportedly uses a single AES-CTR key for all files; the key is derived by repeated SHA-256 hashing of a random 32-byte value and then encrypted with an embedded RSA public key. The malware also reportedly uses anti-analysis and key-protection measures: repeatedly planting the decoy string "FAKE_AES_KEY_FOR_CONFUSION_ONLY!", calling VirtualLock to reduce paging of key material to disk, and XOR-masking the AES key in memory.

Based on the available reporting, it is not known whether Cephalus operates as a ransomware-as-a-service program, has alliances with other ransomware groups, has rebranded from another operation, or has known sub-groups. Known alias: cephalus.
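As an added example that is not part of the Mallory profile, the recovery-hindering behaviors and the recover.txt note described above can be turned into a simple host-triage check over process and file telemetry. The command-line forms and the sample log are constructed assumptions, not strings quoted in the reporting; adapt the patterns to what your own telemetry records.

```python
import re
from collections import defaultdict

# Patterns for the behaviours the reporting attributes to Cephalus. The exact
# command forms are assumed typical, not quoted from the reporting.
PROCESS_BEHAVIOURS = {
    "defender_realtime_disabled": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "shadow_copies_deleted": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "backup_or_db_service_stopped": re.compile(r'\b(net1?|sc)(\.exe)?\s+stop\s+"?(veeam\w*|mssql\w*)', re.I),
}
# The ransom note is reported as recover.txt, written where encryption completed.
RANSOM_NOTE = re.compile(r"[\\/]recover\.txt$", re.I)

# Constructed sample telemetry: "<utc time> | <host> | <event kind> | <detail>".
SAMPLE_LOG = """\
2025-08-14T02:11:03Z | FS01 | process | powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2025-08-14T02:11:09Z | FS01 | process | vssadmin delete shadows /all /quiet
2025-08-14T02:11:15Z | FS01 | process | net stop VeeamBackupSvc /y
2025-08-14T02:11:16Z | FS01 | process | net stop MSSQLSERVER /y
2025-08-14T02:40:02Z | FS01 | file | D:\\Shares\\Finance\\recover.txt
2025-08-14T02:40:05Z | FS01 | file | D:\\Shares\\HR\\recover.txt
2025-08-14T09:30:00Z | ADM02 | process | powershell -c Get-MpPreference
2025-08-14T09:31:00Z | ADM02 | process | net stop Spooler
"""

def parse_events(log_text):
    """Yield (host, kind, detail); malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(" | ", 3)]
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def classify(log_text):
    """Return {host: {behaviour: hit_count}} over the parsed events."""
    findings = defaultdict(lambda: defaultdict(int))
    for host, kind, detail in parse_events(log_text):
        if kind == "file" and RANSOM_NOTE.search(detail):
            findings[host]["ransom_note_recover_txt"] += 1
        elif kind == "process":
            for name, pattern in PROCESS_BEHAVIOURS.items():
                if pattern.search(detail):
                    findings[host][name] += 1
    return {h: dict(b) for h, b in findings.items()}

def hosts_to_triage(findings, min_behaviours=2):
    """Hosts with >= min_behaviours distinct behaviours, or any ransom note:
    once recover.txt exists, encryption of that directory is already done."""
    return sorted(h for h, b in findings.items()
                  if len(b) >= min_behaviours or "ransom_note_recover_txt" in b)
```

On the constructed sample, FS01 matches all four behaviours and is the only host returned for triage; ADM02's routine Defender query and Spooler restart do not match.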


OPERATIONAL PROFILE

Targeting

Sectors the actor has been observed targeting (from open-source reporting and Mallory's analyst review):

  • Health Care Equipment & Services
MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, grouped by tactic (5 of 15 tactics; 6 tactic/technique entries, since T1133 is mapped under both Initial Access and Persistence):

  • TA0001 Initial Access (1 technique): T1133 External Remote Services
  • TA0003 Persistence (1 technique): T1133 External Remote Services
  • TA0009 Collection (1 technique): T1074 Data Staged
  • TA0010 Exfiltration (1 technique): T1041 Exfiltration Over C2 Channel
  • TA0040 Impact (2 techniques): T1486 Data Encrypted for Impact; T1657 Financial Theft