RansomHouse claims the Trellix breach and posts screenshots showing it reached internal VMware, Rubrik, and Dell EMC dashboards - far more than the 'small portion of source code' Trellix originally disclosed

Update on the Trellix breach we covered May 2: RansomHouse claimed the attack on its leak site Thursday and published screenshots that suggest the intrusion reached well beyond the source code repository Trellix originally acknowledged. Cybernews researchers reviewed the dumped images and identified internal dashboards for VMware vCenter, Rubrik backup, and Dell EMC storage - the systems that hold backups, credentials, and virtual machine images for the entire company. RansomHouse says the intrusion happened April 17 and resulted in data encryption. Trellix told BleepingComputer it's 'aware of claims of responsibility' and looking into them. RansomHouse currently lists 170+ victims on its Tor leak site.

Check

If your organization runs Trellix endpoint, IPS, ePolicy Orchestrator, or email security, audit checksums of every Trellix update installed since April 17. Hunt for unusual outbound traffic from Trellix product hosts.

Affected

Trellix customers - 53,000+ enterprises and government agencies in 185 countries protecting 200M+ endpoints. Acute risk: organizations relying on Trellix for backup integrity (Rubrik exposed) or VMware management (vCenter exposed). Defense and federal customers face higher residual risk pending Trellix's full incident report.

Fix

Hold non-emergency Trellix product updates until Trellix releases a written incident report with concrete scope. Verify checksums for every Trellix agent updated since April 17 against Trellix's published values. Treat any Trellix-issued credentials, API tokens, or signing certificates from before April 17 as potentially compromised and request rotation. Demand a written incident report within 30 days.