Ransomware - Moses Staff

Moses Staff (Active)
Decryptor Available
No
Description

Moses Staff is believed to be an Iranian-backed cyber hacktivist group that primarily targets Israel. However, the threat actors behind this group are also known to have attacked organizations in the United States. Secureworks researchers track Moses Staff as COBALT SAPLING. The threat actors are linked to a mirror group named Abraham's Ax, which has a similar data leak site and similar behaviors. This group does not deploy ransomware, at least in the traditional sense. They mostly exfiltrate data and leak it, but Check Point researchers reported that they employ DiskCryptor to lock users out of their systems and most often wipe them. They do not demand a ransom; their aim is only to expose Israeli organizations and instill fear.

Ransom note courtesy of Check Point.

Ransomware Type
Data Broker
Locker
MBR Modifier
Wiper
Country of Origin
Iran
First Seen
Threat Actors
Type
Actor
Hacktivist
COBALT SAPLING
Extortion Types
Free Data Leaks
Communication
Medium
Identifier
Telegram
Twitter | X
Twitter | X
Twitter | X
Encryption
Additional Encryption
DiskCryptor
Ransom Note Image
Samples (SHA-256)
9fc0f2a57aafa9100eefb7019f15b96919eea5ee5d607441ceeaaafd8bcc92a2
Industry Sector Country Extortion Date Amount (USD)
Government Israel
Information Technology Israel
Manufacturing Israel
Manufacturing Israel
Professional Services Israel
Defense Israel
Defense Israel
Transportation Israel
Construction & Architecture Israel
Construction & Architecture Israel
Banking & Finance Israel
Banking & Finance Israel
Legal Israel
Defense Israel
Government Israel
Defense Israel
Oil & Gas Israel
Information Technology Israel
Banking & Finance Israel