
Cephalus Weaponizes Stolen RDP Credentials to Deploy Ransomware

Gabriel Avner

November 11, 2025


New research from AhnLab documents that the Cephalus ransomware group has been aggressively exploiting stolen Remote Desktop Protocol (RDP) credentials to break into networks and run rapid, destructive encryption campaigns.

The pattern is straightforward and brutal: credentials get you in, and once inside the attackers move fast to blind defenders and break recovery.

How the Breach Works

According to the reporting on cybersecuritynews.com, the Cephalus crew is using tried-and-true tactics:

  • Credential-focused entry — Cephalus targets systems with exposed or weakly protected RDP and uses stolen or reused credentials to log in. They are having significant success where MFA is not enforced.
  • Low-noise access, high impact — Because RDP sessions authenticated with legitimate credentials look like normal user connections, attackers can operate with less immediate suspicion than a noisy exploit chain would draw.

Post-Breach Activities

  • Recon & data grab — The operators move laterally, steal sensitive files, and stage exfiltration.
  • Disable defenses and backups — The malware disables Windows Defender real-time protection, removes Volume Shadow Copies, and terminates backup/database services (notably Veeam and Microsoft SQL Server) to prevent recovery and speed encryption.
  • Encrypt and extort — With defenses hamstrung and backups sabotaged, the group deploys ransomware across the estate and aggressively pursues extortion.

The Risk from Credential Compromise 

Standing credentials that can log in to RDP are an attacker’s fast track: they bypass perimeter controls, enable hands-on-keyboard operations, and let operators neutralize defenses from the inside. 

When credentials are reusable and access is always-on, an attacker’s path from access to impact is gut-wrenchingly short.

So how can organizations protect themselves in these cases?

Operational First Steps for Quick Security Wins

  • Close direct RDP exposure — Don’t expose RDP to the Internet. Put it behind VPN, RD Gateway, or a zero-trust access broker.
  • Require MFA — Enforce multi-factor authentication so stolen passwords alone can’t grant access.
  • Adopt Just-in-Time access — Provide elevated access privileges only when needed and revoke them automatically.
  • Harden backups & service privileges — Limit who can stop backup services, restrict backup admin rights, and test restores frequently.
  • Monitor for telltale signals — Alert on new RDP logins from unusual geographies, Defender disablement, VSS deletions, and mass service terminations.
  • Use dedicated admin accounts — Separate admin identities from day-to-day accounts and use them only for elevated tasks.
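The post-breach chain described above (RDP logon, Defender real-time protection switched off, shadow copies deleted, backup and database services stopped) maps directly onto the "telltale signals" in the last list, so here is that monitoring item as working correlation logic. This is an added example, not code from the page, from AhnLab's research or from Apono's product. The Windows event IDs are real (4624 logon with logon type 10 for RemoteInteractive, 4688 process creation, 5001 Defender real-time protection disabled, 7036 service state change); the sample events, the per-user known-network baseline and the protected-service list are constructed assumptions for the example, and a real deployment would load them from its own telemetry.

```python
"""Correlate RDP-credential-abuse signals per host over a time window.

Added example; the event records below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Constructed sample events, normalised from Windows Security / Defender /
# System logs into flat dicts. FS01 shows the full chain from the post;
# APP02 is a benign daytime RDP logon from the office range.
SAMPLE_EVENTS = [
    {"ts": "2025-11-10T02:14:05", "host": "FS01", "id": 4624, "user": "backupadmin",
     "logon_type": 10, "src_ip": "185.220.101.7"},
    {"ts": "2025-11-10T02:16:40", "host": "FS01", "id": 5001, "user": "backupadmin"},
    {"ts": "2025-11-10T02:17:02", "host": "FS01", "id": 4688, "user": "backupadmin",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-11-10T02:17:30", "host": "FS01", "id": 7036, "service": "VeeamBackupSvc", "state": "stopped"},
    {"ts": "2025-11-10T02:17:31", "host": "FS01", "id": 7036, "service": "MSSQLSERVER", "state": "stopped"},
    {"ts": "2025-11-10T09:02:11", "host": "APP02", "id": 4624, "user": "jdoe",
     "logon_type": 10, "src_ip": "10.20.0.15"},
]

# Assumption: per-user networks that RDP logons normally come from.
KNOWN_NETWORKS = {
    "backupadmin": [ip_network("10.0.0.0/8")],
    "jdoe": [ip_network("10.0.0.0/8")],
}
# Assumption: service names an attacker stops to sabotage recovery.
PROTECTED_SERVICES = {"VeeamBackupSvc", "MSSQLSERVER", "SQLWriter", "SQLBrowser"}
# Common shadow-copy deletion command lines (vssadmin, wmic, WMI class).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy",
    re.IGNORECASE,
)
WINDOW = timedelta(minutes=30)


def signal_for(ev, known_networks):
    """Map one event to a named signal, or None if it is not interesting."""
    eid = ev["id"]
    if eid == 4624 and ev.get("logon_type") == 10:  # RemoteInteractive = RDP
        src = ip_address(ev["src_ip"])
        if not any(src in net for net in known_networks.get(ev["user"], [])):
            return "rdp_logon_from_unknown_network"
        return None
    if eid == 5001:  # Defender real-time protection disabled
        return "defender_realtime_disabled"
    if eid == 4688 and SHADOW_DELETE.search(ev.get("cmdline", "")):
        return "shadow_copy_deletion"
    if eid == 7036 and ev.get("state") == "stopped" and ev.get("service") in PROTECTED_SERVICES:
        return "protected_service_stopped"
    return None


def correlate(events, known_networks=KNOWN_NETWORKS, window=WINDOW):
    """Group signals per host; two or more distinct kinds inside `window`
    of the first signal on that host escalate the alert to critical."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = signal_for(ev, known_networks)
        if sig:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), sig, ev))
    alerts = []
    for host, sigs in by_host.items():
        start = sigs[0][0]
        in_window = [s for s in sigs if s[0] - start <= window]
        kinds = []
        for _, sig, _ in in_window:
            if sig not in kinds:
                kinds.append(sig)
        users = sorted({s[2]["user"] for s in in_window if s[2].get("user")})
        alerts.append({
            "host": host,
            "users": users,
            "signals": kinds,
            "severity": "critical" if len(kinds) >= 2 else "watch",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

A single unusual-source RDP logon only produces a "watch" alert, because on its own it is exactly what a travelling admin looks like; it is the second signal on the same host within the window (Defender off, shadow copies gone, a backup service stopped) that separates Cephalus-style tradecraft from a noisy but legitimate session, which is why the severity is driven by the number of distinct signal kinds rather than the count of events.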

How Apono Secures RDP

Apono enables security teams to implement Zero Standing Privileges across their cloud and hybrid environments, including RDP access to machines hosted on AWS, Azure, GCP, and on-prem.

Here are just a few of the ways Apono helps teams reduce their access risk while keeping engineers' access fast and unobtrusive.

Eliminate standing access — Stop attackers from abusing always-on privileged access by shifting to Just-in-Time (JIT) access elevation for both humans and machines.

Reduce blast radius — Continuously rightsize privileges with data-driven recommendations so stolen credentials have far less ability to damage systems or stop recoveries.

Quarantine risky privileges without breaking things — Apply reversible deny policies to neutralize dangerous standing access immediately, preserving uptime while removing attacker pathways.

Centralize governance and detection — Tie JIT workflows, session brokering, and alerting into a single policy surface so you can block credential-driven attacks faster and recover more confidently.

Enforce MFA for sensitive access flows — Apono can require authenticator-app verification for JIT requests and log MFA events to the audit trail, so every elevated session is tied to a confirmed second-factor approval.

Ready to Take a Smarter Approach to Cloud Access?

Credential-based ransomware like Cephalus is predictable: it exploits access we already grant. 

Eliminating standing privileges and making elevated access temporary removes the easiest path attackers use. If you want to quickly identify where those risks still exist, start with our Zero Standing Privileges (ZSP) Checklist and benchmark your current exposure.

To see how detection, automated remediation, and JIT enforcement work together in real time, visit our Access Threat Detection & Response page.
