Remove Cephalus ransomware
Cephalus ransomware is file-encrypting malware that primarily targets specific companies and individuals rather than regular home users. If it manages to get into a system, the ransomware encrypts all important files and also steals them, so the malicious actors can threaten to publicly release them if a ransom is not paid. Encrypted files can be identified by the .sss extension appended to their names. Unfortunately, once files have been encrypted, they cannot be opened until they have been decrypted. Obtaining a decryptor is not easy and will likely be very expensive, and even paying does not guarantee that the files will be decrypted.
The operators of this ransomware introduce themselves as Cephalus, a financially motivated group. They go after organizations instead of home users so that they can demand significant sums of money in ransom. The primary targets are files that companies would not want to lose, as well as information they do not want leaked. The ransomware first steals the target files and then encrypts them. Affected files can be identified by the .sss extension and will not open unless they are first put through a decryptor.
Once the ransomware has stolen and encrypted the target files, it drops a recover.txt ransom note. The note states that the victim’s intranet has been compromised, that information has been stolen, and that a decryptor must be bought to get the files back. Failure to pay the ransom will result in the files being publicly posted. The note does not mention how much the decryptor costs, though the amount is likely to be significant, considering that the targets are businesses.
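The two artefacts named above, files renamed with the .sss extension and a dropped recover.txt note, are the indicators a responder would sweep a file share for during triage. The following is an added example, not code from the article or from any vendor tool: it walks a directory tree, collects both indicators, and reports which directories were hit. The sample tree (directory names, file names and contents) is constructed here so the script runs offline; the `Cephalus` marker used to confirm a note is taken from the note text quoted below.

```python
"""Triage sweep for the Cephalus indicators described in the article.

Added example (not from the original page). Walks a directory tree looking
for files carrying the .sss extension and for recover.txt ransom notes, and
reports the directories where they were found.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".sss"      # extension appended to encrypted files (from the article)
RANSOM_NOTE = "recover.txt"  # ransom note file name (from the article)
NOTE_MARKER = "Cephalus"     # group name that appears in the quoted note


@dataclass
class SweepResult:
    encrypted: list = field(default_factory=list)  # paths of .sss files
    notes: list = field(default_factory=list)      # paths of confirmed ransom notes
    hit_dirs: set = field(default_factory=set)     # directories containing either indicator

    @property
    def infected(self) -> bool:
        return bool(self.encrypted or self.notes)


def sweep(root: Path) -> SweepResult:
    """Collect indicators under `root` without opening the encrypted files themselves."""
    result = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        for name in files:
            path = directory / name
            if name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted.append(path)
                result.hit_dirs.add(directory)
            elif name.lower() == RANSOM_NOTE:
                # Only the first 512 bytes are read, enough to confirm this is the
                # Cephalus note and not an unrelated file that shares the name.
                try:
                    head = path.read_text(errors="replace")[:512]
                except OSError:
                    head = ""
                if NOTE_MARKER in head:
                    result.notes.append(path)
                    result.hit_dirs.add(directory)
    return result


def build_sample_tree() -> Path:
    """Construct a small sample share: clean files, encrypted files and notes (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="cephalus_demo_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    # Zero bytes stand in for ciphertext; only the names matter to the sweep.
    (root / "finance" / "q3-report.xlsx.sss").write_bytes(b"\x00" * 64)
    (root / "finance" / "contracts.docx.sss").write_bytes(b"\x00" * 64)
    (root / "finance" / RANSOM_NOTE).write_text(
        "Dear admin:\nWe're Cephalus, 100% financial motivated.\n")
    (root / "hr" / "handbook.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    # Same file name, unrelated content: must not be counted as a ransom note.
    (root / "hr" / RANSOM_NOTE).write_text("meeting notes, nothing to do with ransomware\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = sweep(sample_root)
    print(f"infected: {found.infected}")
    print(f"{len(found.encrypted)} encrypted file(s), {len(found.notes)} ransom note(s)")
    for d in sorted(found.hit_dirs):
        print(f"  hit directory: {d.relative_to(sample_root)}")
```

Run it against a real share by replacing `build_sample_tree()` with the share's mount point; the note check keeps an unrelated recover.txt (here, the one under hr) from producing a false positive.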
Below is the full Cephalus ransomware ransom note:
Dear admin:
We’re Cephalus, 100% financial motivated. We’re sorry to tell you that your intranet has been compromised by us, and we have stolen confidential data from your intranet, including your confidential clients and business contracts ,etc.
You have to contact us immediately after you seen this , we have to reach an agreement as soon as possible.
After that your data will be uploaded, your competitors, partners, clients, authorities, lawyer and tax agenesis would be able to access it. We will start mailing and calling your clients.
If you want the proof , contact us , we don’t want to embarass anyone for knowing their privacy and company status , it’s safer to get the proof through the chat. As for our demand , we require bitcoin which is kind of cryptocurrency , we’re sure you can handle this , the details we’ll discuss through the contact below
Our business depends on the reputation even more than many others. If we will take money and spread your information – we will have issues with payments in future. So, we will stick to our promises and reputation.
That works in both ways: if we said that we will email all your staff and publicly spread all your data – we will. Here are a few ways to get in touch with me.
1. Tox:91C24CC1586713CA606047297516AF534FE57EFA8C3EA2031B7DF8D116AC751B156869CB8838
Link to download Tox: hxxps://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe
2. Email:sadklajsdioqw@proton.me
Don’t do any silly things, don’t treat it lightly too. We got proofs that your data was kept with a number of data security violations of data breach laws. The penalty payments would be huge if we will anonymously sent our briefs and notes about your network structure to the regulators.
Embrace it and pay us. After that your data will be erased from our systems, with proof’s provided to you. Also you might request your network improvement report.
Based on your position in the company call your management to speak. DO NOT try to speak instead of your superiors, based on our experience, that may lead to disaster. Your ID: –
Now you should contact us.
Generally, paying the ransom or even engaging with the malicious actors is never recommended, because it guarantees neither file recovery nor that the stolen files will not be posted publicly. It should always be kept in mind that ransomware operators are cybercriminals and will behave accordingly.
Ransomware distribution methods
Cephalus ransomware spreads through the same methods commonly associated with other ransomware and malware. Systems are often infected when users open malicious email attachments, download compromised files, or click on dangerous links. Users with poor browsing habits are especially vulnerable to malware infections. Developing better habits and learning about malware distribution methods is very important, particularly for users employed at companies that may be targeted.
One prevalent method of ransomware distribution is via email attachments. If an email address has been exposed through a breach or is publicly available, there is a strong chance a malicious email will land in the inbox. Fortunately, many of these emails are generic and relatively easy to identify. They frequently contain numerous spelling and grammatical errors, which stand out particularly when cybercriminals impersonate legitimate companies. For example, a malicious email might pose as a parcel delivery notification or an order confirmation but contain obvious mistakes. This is a clear warning sign, as legitimate emails are typically professional and free of such mistakes. However, when targets are very specific, malicious emails may be very sophisticated and difficult to recognize, so company employees must be trained to identify sophisticated email attacks. As a precaution, all email attachments, whether unsolicited or expected, should be scanned with an anti-malware program before they are opened.
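Scanning with an anti-malware engine is the final check; a mail gateway or help desk can also apply cheap structural checks to attachments before anything is opened. The following is an added example, not code from the article: it parses an email message with Python's standard `email` library and flags attachments with risky or double extensions, or whose content does not match the file name (a Windows executable header behind an image name). The message, its attachments, the file names and the `RISKY_EXTENSIONS` list are all constructed for the example and are not taken from any real Cephalus campaign.

```python
"""Structural triage of email attachments before they reach a user.

Added example (not from the original page). Parses a message, inspects each
attachment's file name and leading bytes, and returns the reasons an
attachment should be held for anti-malware scanning and analyst review.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions that commonly carry executable content or macros (constructed list
# for the example; a production gateway would maintain its own).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta",
    ".lnk", ".iso", ".img", ".docm", ".xlsm",
}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr"}
PE_MAGIC = b"MZ"  # leading bytes of a Windows PE executable


def attachment_findings(raw_message: bytes) -> list:
    """Return one record per attachment that fails a check: {filename, reasons}."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            reasons.append(f"risky extension {suffixes[-1]}")
        if len(suffixes) >= 2:
            # e.g. "Notice.pdf.exe": the visible "document" type hides the real one.
            reasons.append("double extension " + "".join(suffixes))
        if payload.startswith(PE_MAGIC) and (not suffixes or suffixes[-1] not in EXECUTABLE_EXTENSIONS):
            reasons.append("PE header behind a non-executable file name")
        if reasons:
            findings.append({"filename": filename, "reasons": reasons})
    return findings


def should_quarantine(findings: list) -> bool:
    """Hold the whole message if any attachment failed a check."""
    return bool(findings)


def build_sample_message() -> bytes:
    """Construct a lure in the style the article describes (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "parcel-service@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg["Subject"] = "Your parcel is waiting"
    msg.set_content("Your parcel could not be deliverd. See the atached notice.")
    # Fake PE behind a document-looking name.
    msg.add_attachment(PE_MAGIC + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="Delivery_Notice.pdf.exe")
    # Macro-enabled Office document.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 30, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice.docm")
    # PE header behind an image name.
    msg.add_attachment(PE_MAGIC + b"\x00" * 30, maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    # Benign-looking PDF that passes every structural check.
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    results = attachment_findings(build_sample_message())
    for record in results:
        print(record["filename"], "->", "; ".join(record["reasons"]))
    print("quarantine:", should_quarantine(results))
```

These checks cannot replace the anti-malware scan the article calls for (terms.pdf passes them even though a PDF can carry an exploit); they are a pre-filter that stops the most common disguises before a user ever sees the attachment.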
How to remove Cephalus ransomware
Cephalus ransomware is a highly sophisticated malware infection that should only be handled by a security expert to ensure it is properly removed. Incorrect removal could cause further issues for the system. Only once the ransomware has been fully removed is it safe to connect backups and begin file recovery; connecting them earlier risks the backed-up files being encrypted as well.
Site Disclaimer
WiperSoft.com is not sponsored, affiliated, linked to or owned by malware developers or distributors that are referred to in this article. The article does NOT endorse or promote malicious programs. The intention behind it is to present useful information that will help users to detect and eliminate malware from their computer by using WiperSoft and/or the manual removal guide.
The article should only be used for educational purposes. If you follow the instructions provided in the article, you agree to be bound by this disclaimer. We do not guarantee that the article will aid you in completely removing the malware from your PC. Malicious programs are constantly developing, which is why it is not always easy or possible to clean the computer by using only the manual removal guide.