Date of Incident:
August 19, 2025
Overview:
Motility Software Solutions suffered a ransomware attack on August 19, 2025, reported on October 1, 2025, that resulted in a data breach affecting 766,000 customers. Sensitive information, such as names, addresses, emails, phone numbers, dates of birth, Social Security numbers, and driver’s license numbers, was exposed. The attack involved privilege escalation, exploitation of remote services, and file encryption with RSA-2048. Indicators of compromise included specific file hashes, IP addresses, and domains, with network reconnaissance over SMB and RDP protocols, culminating in command and control activity via peer-to-peer channels.
Impact:
Sensitive data of 766,000 customers was exposed, including full name, postal address, email address, telephone number, date of birth, Social Security number (SSN), and driver’s license number.
Details:
The ransomware attack on Motility Software Solutions involved privilege escalation (MITRE ATT&CK T1068), exploitation of remote services (T1210), and use of ransomware payloads (T1486). The malicious payload encrypted files with RSA-2048, performed network reconnaissance over SMB and RDP, and communicated with its command and control over decentralized peer-to-peer channels. IOCs include file hash d41d8cd98f00b204e9800998ecf842
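The SMB and RDP reconnaissance described above typically shows up in flow logs as one internal host contacting many distinct peers on ports 445 or 3389 within a short time. The following is an added detection example, not code from the original report; the record layout, the 5-minute window, the threshold of 20 hosts, and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECON_PORTS = {445: "SMB", 3389: "RDP"}

def find_fanout(flows, window=timedelta(minutes=5), threshold=20):
    """Flag (src, protocol) pairs that reach >= threshold distinct
    destinations on SMB/RDP inside any sliding time window.
    Returns {(src, protocol): peak distinct destinations}."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in RECON_PORTS:
            by_key[(src, RECON_PORTS[port])].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> events currently in window
        start = peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that have aged out of the window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def build_sample_flows():
    """Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)."""
    t0, sec = datetime(2025, 1, 1, 9, 0, 0), timedelta(seconds=1)
    flows = []
    # Workstation sweeping 40 hosts on SMB, then 25 hosts on RDP.
    flows += [(t0 + 2 * i * sec, "10.0.5.23", f"10.0.5.{i + 1}", 445) for i in range(40)]
    flows += [(t0 + (100 + 2 * i) * sec, "10.0.5.23", f"10.0.5.{i + 1}", 3389) for i in range(25)]
    # Normal client: repeated SMB sessions to a single file server.
    flows += [(t0 + 10 * i * sec, "10.0.5.40", "10.0.9.10", 445) for i in range(60)]
    # Admin host: RDP to 15 servers, one per hour, never clustered.
    flows += [(t0 + timedelta(hours=i), "10.0.1.5", f"10.0.9.{i + 20}", 3389) for i in range(15)]
    return flows

if __name__ == "__main__":
    for (src, proto), peak in find_fanout(build_sample_flows()).items():
        print(f"ALERT {src} contacted {peak} distinct hosts over {proto}")
```

Tune the window and threshold against a baseline of legitimate scanners, patch servers, and jump hosts before alerting on the result.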
Remediation:
Apply the latest security patches from Motility Software Solutions immediately; disable SMBv1 and restrict RDP access through VPN; implement network segmentation; deploy endpoint detection and response (EDR) solutions; maintain offline backups; apply strong multi-factor authentication; and follow the incident response playbook for ransomware containment and recovery.
Takeaway for CISO:
The attack demonstrates critical risks of ransomware to software providers managing sensitive client data, leading to data exposure and operational disruption. CISOs should prioritize zero-trust network architectures, hardened remote access, rigorous third-party assessments, and comprehensive backup strategies to mitigate impact and ensure swift recovery.