An Unerring Spear: Cephalus Ransomware Analysis

MITRE Techniques

• [T1078] Valid Accounts – Used by compromising RDP accounts without MFA to gain initial access (“breaching organizations is by stealing credentials through Remote Desktop Protocol (RDP) accounts that do not have multi-factor authentication (MFA) enabled”).
• [T1005] Data from Local System – Exfiltration and theft of victim data prior to encryption (“breaches them, exfiltrates their data, and then encrypts it”).
• [T1486] Data Encrypted for Impact – Encrypts files using AES-CTR with a single key to deny access (“uses a single AES-CTR key for encryption… if an attacker can obtain the AES-CTR key, they can decrypt all encrypted files”).
• [T1490] Inhibit System Recovery – Deletes VSS backups and stops backup services like Veeam and MSSQL to prevent recovery (“deletes VSS backups, and stops key services such as Veeam and MSSQL to increase its encryption success rate and decrease the chances of recovery”).
• [T1112] Modify Registry (privilege/defense evasion) / [T1562.001] Impair Defenses:Disable or Modify Tools – Disables Windows Defender real-time protection to evade detection (“upon execution, it disables Windows Defender’s real-time protection”).
• [T1496] Resource Hijacking / Anti-Analysis Techniques – Employs fake AES key generation and repeated memory accesses to confuse dynamic analysis (“generates a 1,024-byte random buffer… overwrites this buffer with a 32-byte string that reads ‘FAKE_AES_KEY_FOR_CONFUSION_ONLY!’—a process that is repeated 100 times”).
• [T1140] Deobfuscate/Decode Files or Information – Uses XOR masking and SecureMemory methods to hide the AES key in memory and reduce exposure (“SetData()/GetData() methods… generates a random XOR key and performs an XOR operation once before storing it”).
• [T1552] Unsecured Credentials – Exploits lack of MFA on RDP accounts as an access vector (“RDP accounts that do not have multi-factor authentication (MFA) enabled”).