One of 2024’s most rapidly rising Ransomware threat actors has released the details of at least 8 victims as of the time of this writing (29 December, 2024).
This post is just a quick alert I’m squeezing in between nights of awesomeness at this year’s Chaos Communication Congress.
I first wrote about Arcus Media here, back in June.
Arcus Media is a Ransomware group that came about in May 2024, not long after the law enforcement crackdown on LockBit 3.0. Like LockBit, they operate under a Ransomware-as-a-Service (RaaS) model. This structure allows various threat actors to utilize their Ransomware, with Arcus Media providing the necessary infrastructure and taking a portion of the proceeds.
Unlike some other RaaS operations, Arcus Media’s affiliate program requires special referrals and vetting, aiming to prevent infiltration by law enforcement or other adversaries (likely to avoid LockBit’s fate).
This current round of victims includes 2 from Brazil, 1 from Ukraine, 1 from Belgium, 1 from Spain, 1 from India, 1 from Tanzania, and 1 from Pakistan.
More than one is an entity within a critical infrastructure sector. As of right now, there’s no evidence that any of the claims are false (always a concern with Ransomware actors).

In an update from my June article, it seems that some of Arcus’s rules of engagement have changed, and that there could very well be more than these eight victims. The unfortunate reality of these things is that there’s some incentive for targeted entities to pay their ransoms and sweep it under the rug.

Victims of Ransomware should be aware that if they feel they can’t turn to law enforcement, there are options besides paying the ransom. Sites like No More Ransom and others might have a decryption tool for impacted systems. Always check in with the BleepingComputer and Malwarebytes communities, as well.