
Ransomware attack at Motility Software Solutions

Date of Incident:
August 19, 2025

Overview:

Motility Software Solutions suffered a ransomware attack and resulting data breach on August 19, 2025, reported on October 1, 2025, that affected 766,000 customers. Sensitive information, including names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, and driver's license numbers, was exposed. The attack involved privilege escalation, exploitation of remote services, and file encryption with RSA-2048. Indicators of compromise included specific file hashes, IP addresses, and domains, with network reconnaissance over SMB and RDP, culminating in command and control activity via peer-to-peer channels.


Impact:

Sensitive data of 766,000 customers was exposed, including full name, postal address, email address, telephone number, date of birth, Social Security number (SSN), and driver's license number.

Details:

The ransomware attack on Motility Software Solutions involved privilege escalation (MITRE ATT&CK T1068), exploitation of remote services (T1210), and data encryption for impact with a ransomware payload (T1486). The malicious payload exhibited behavior such as file encryption with RSA-2048, network reconnaissance over SMB and RDP, and command and control via decentralized peer-to-peer channels. IOCs include the file hash d41d8cd98f00b204e9800998ecf8427e, the IP addresses 192.168.1.42 and 172.217.3.110, the domain malicious-exec.com, registry edits under HKCU\Software\MotilityRansom, and ransom note files named README_DECRYPT.txt. Log artifacts captured event ID 4625 failed logons, event ID 4688 process creations linked to ransomware execution, and Windows Defender AV detections of Trojan:Win32/RansomXYZ.
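A rule-based sweep over Windows event log lines for the artifacts listed above, added here as an example; it is not part of the original write-up or of any FireCompass tooling. The log format, host names and sample lines are constructed; the indicator values are the ones quoted in Details, and the event IDs 4657, 5156 and 1116 (registry value modified, WFP connection permitted, Defender detection) are assumptions beyond the 4625 and 4688 the write-up names.

```python
from collections import Counter

# Indicators copied from the Details section above; they are the write-up's values,
# not independently verified, and two of them deserve the caveats noted inline.
IOC_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}  # also the MD5 of empty input: a lone match is low confidence
IOC_IPS = {"192.168.1.42", "172.217.3.110"}         # 192.168.1.42 is RFC 1918 private space, so expect benign hits
IOC_DOMAINS = {"malicious-exec.com"}
IOC_REGISTRY = {r"HKCU\Software\MotilityRansom"}
IOC_FILES = {"README_DECRYPT.txt"}
FAILED_LOGON_THRESHOLD = 3  # 4625 events from one source on one host before alerting

# Constructed sample lines in a hypothetical format: "<host> <event_id> key=value ..." (values have no spaces).
SAMPLE_LOG = r"""
ws01 4625 src=10.0.0.5 user=admin
ws01 4625 src=10.0.0.5 user=admin
ws01 4625 src=10.0.0.5 user=admin
ws01 4688 image=C:\Users\a\update.exe md5=d41d8cd98f00b204e9800998ecf8427e
ws01 4657 key=HKCU\Software\MotilityRansom value=Installed
ws01 5156 dst=172.217.3.110 port=443
ws01 4688 image=C:\Windows\notepad.exe cmd=C:\Users\a\README_DECRYPT.txt
ws01 1116 threat=Trojan:Win32/RansomXYZ
"""

def parse_line(line):
    """Split 'host event_id k=v k=v ...' into (host, event_id, fields)."""
    host, event_id, rest = line.split(" ", 2)
    return host, int(event_id), dict(kv.split("=", 1) for kv in rest.split(" "))

def scan(log_text, threshold=FAILED_LOGON_THRESHOLD):
    """Return (host, rule, detail) findings in log order."""
    findings, failed = [], Counter()
    for line in log_text.strip().splitlines():
        host, eid, f = parse_line(line)
        if eid == 4625:  # failed logon: alert once per source when the count reaches the threshold
            failed[(host, f.get("src"))] += 1
            if failed[(host, f.get("src"))] == threshold:
                findings.append((host, "logon-burst", f.get("src")))
        elif eid == 4688:  # process creation: check the image hash and the ransom-note filename
            if f.get("md5") in IOC_HASHES:
                findings.append((host, "ioc-hash", f.get("image")))
            if any(name in f.get("cmd", "") for name in IOC_FILES):
                findings.append((host, "ransom-note", f.get("cmd")))
        elif eid == 4657 and f.get("key") in IOC_REGISTRY:  # registry value modified
            findings.append((host, "ioc-registry", f.get("key")))
        elif eid == 5156 and (f.get("dst") in IOC_IPS or f.get("dns") in IOC_DOMAINS):  # WFP permitted connection
            findings.append((host, "ioc-network", f.get("dst") or f.get("dns")))
        elif eid == 1116:  # Defender detection, reported by threat name
            findings.append((host, "av-detection", f.get("threat")))
    return findings
```

Running `scan(SAMPLE_LOG)` yields one finding per rule in log order; in production the logon-burst rule should also be bounded by a time window, which this example omits.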

Remediation:

Apply the latest security patches from Motility Software Solutions immediately; disable SMBv1 and restrict RDP access to connections through a VPN; implement network segmentation; deploy endpoint detection and response (EDR) tooling; maintain offline backups; enforce strong multi-factor authentication; and follow the incident response playbook for ransomware containment and recovery.

Takeaway for CISO:

The attack demonstrates critical risks of ransomware to software providers managing sensitive client data, leading to data exposure and operational disruption. CISOs should prioritize zero-trust network architectures, hardened remote access, rigorous third-party assessments, and comprehensive backup strategies to mitigate impact and ensure swift recovery.



Priyanka Aash

Priyanka Aash is credited with building global communities for cybersecurity leaders and shaping enterprise marketing strategies for over a decade. She has been nominated for the Cybersecurity Excellence Award for her leadership & AI innovations in cybersecurity and honored with the NetApp Excellerate HER award. She is also the author of “The AI Divide,” which explores how artificial intelligence is quietly rewiring human minds and influencing decisions. Earlier, she co-founded CISO Platform, the world’s first online platform for collaboration and knowledge sharing among senior information security executives. Through this, she worked with the marketing teams of IBM, VMware, F5 Networks, Barracuda Networks, Check Point, and others, driving inbound marketing and enterprise growth. Priyanka is passionate about entrepreneurship, enterprise marketing strategy, and building communities that empower CISOs worldwide.