Ransomware - Moses Staff

Moses Staff
Decryptor Available
No
Description

Moses Staff is believed to be an Iranian-backed hacktivist group that primarily targets Israel, although the threat actors behind it are also known to have attacked organizations in the United States. Secureworks researchers track the group as COBALT SAPLING. The threat actors are linked to a mirror group named Abraham's Ax, which runs a similar data leak site and behaves similarly. Moses Staff does not deploy ransomware, at least not in the traditional sense. The group mostly exfiltrates data and leaks it, but Check Point researchers reported that it also uses DiskCryptor to lock users out of their systems, which are most often wiped. The group does not demand a ransom; its aim is to expose Israeli organizations and instill fear.

Ransom note courtesy of Check Point.

Ransomware Type
Data Broker
Locker
MBR Modifier
Wiper
Country of Origin
Iran
First Seen
Threat Actors
Type        Actor
Hacktivist  COBALT SAPLING
Extortion Types
Free Data Leaks
Communication
Medium
Identifier
Telegram
Twitter | X
Twitter | X
Twitter | X
Encryption
Additional Encryption
DiskCryptor
Ransom Note Image
Samples (SHA-256)
9fc0f2a57aafa9100eefb7019f15b96919eea5ee5d607441ceeaaafd8bcc92a2
Industry Sector              Country  Extortion Date  Amount (USD)
Government                   Israel
Information Technology       Israel
Manufacturing                Israel
Manufacturing                Israel
Professional Services        Israel
Defense                      Israel
Defense                      Israel
Transportation               Israel
Construction & Architecture  Israel
Construction & Architecture  Israel
Banking & Finance            Israel
Banking & Finance            Israel
Legal                        Israel
Defense                      Israel
Government                   Israel
Defense                      Israel
Oil & Gas                    Israel
Information Technology       Israel
Banking & Finance            Israel