Moses Staff is believed to be an Iranian-backed cyber hacktivist group that primarily targets Israel. However, the threat actors behind this group are also known to have attacked organizations in the United States. Moses Staff also goes by COBALT SAPLING via Secureworks researchers. The threat actors are linked to another mirror group named Abraham's Ax, which has a similar data leak site and behaviors. This group does not deploy ransomware, at least in the traditional sense. They mostly exfiltrate data and leak it, but Check Point researchers reported that they employ DiskCryptor to lock the user out of their system and most often wipe them. They don't demand a ransom, only to expose Israeli organizations and invoke fear.
Ransom note courtesy of Check Point.
Known Victims(19)
| Industry Sector | Land | Extortion Date | Amount (USD) |
|---|---|---|---|
| Government | Israel | ||
| Information Technology | Israel | ||
| Manufacturing | Israel | ||
| Manufacturing | Israel | ||
| Professional Services | Israel | ||
| Defense | Israel | ||
| Defense | Israel | ||
| Transportation | Israel | ||
| Construction & Architecture | Israel | ||
| Construction & Architecture | Israel | ||
| Banking & Finance | Israel | ||
| Banking & Finance | Israel | ||
| Legal | Israel | ||
| Defense | Israel | ||
| Government | Israel | ||
| Defense | Israel | ||
| Oil & Gas | Israel | ||
| Information Technology | Israel | ||
| Banking & Finance | Israel |