2024 could be the year that sees the end of LockBit, but there’s still no sign of the explosion in ransomware incidents slowing down. Just in the past few hours, US telecom provider, Frontier, and several major London hospitals are reporting ransomware incidents.
While LockBitSup gets sanctioned and BlackBasta scrambles to evolve past successful decryption efforts, a host of new ransomware threat actors have stepped up to the plate.
Enter: ARCUS MEDIA
First identified in May, the group has been responsible for at least 17 incidents as of this evening, largely focused on South America (which may indicate something about their origins). The group has targeted a wide range of sectors, including government, banking and finance, construction, architecture, music, entertainment, IT, manufacturing, professional services, healthcare, and education.
Of their seventeen attacks, six were carried out yesterday:
| Target | Sector | Country |
| Immediate Transportation | Transportation | UK |
| Botselo | Finance | S. Africa |
| BHMAC | Mining/Metals | Bosnia and Herzegovina |
| Duque Saldarriaga | Marketing | Colombia |
| Franja IT Integradores de Tecnología | IT Services | Colombia |
| Langescheid GbR | Transportation | Germany |
They operate as a ransomware-as-a-service model. In short, this means that technically any threat actor can use their malware, and ARCUS will just take a cut while providing the infrastructure.
This is similar to how larger players such as DarkSide, REvil, and–of course–LockBit, operate. Though ARCUS rolls with a different take on their affiliate program. Apparently, in some attempt to avoid infiltration ala Operation Cronos, you have to be referred by another trusted affiliate and vetted in order to participate.
Tactics, Techniques, and Procedures
As a new ransomware group, ARCUS MEDIA has quickly established itself with a distinct set of tactics, techniques, and procedures (TTPs). It’s also notable that their malware seems to be completely unique to them, and not obviously re-purposed or re-branded from some earlier tools.
Besides the aforementioned RaaS approach, ARCUS MEDIA conducts direct extortion and double extortion methods, where they threaten to leak data if the ransom is not paid. Based on information gathered from MITRE, WatchGuard, and other threat sharing platforms, they’ve developed some unique TTPs:
- Initial Access:
- Phishing: AM uses phishing emails to gain initial access to victim networks. These emails often contain malicious attachments or links that, when opened, deploy initial access malware.
- Execution:
- Malicious Scripts: After gaining access, AM deploys scripts to execute their ransomware payload. These scripts are often obfuscated to evade detection by security solutions.
- Use of Ransomware Executables: The group uses custom ransomware binaries tailored to each target, ensuring effective encryption and extortion capabilities .
- Persistence:
- Scheduled Tasks: They create scheduled tasks on infected systems to maintain persistence and ensure the ransomware payload executes at system startup.
- Registry Modifications: Modifying the Windows Registry to establish persistence and evade detection is another common tactic used by AM.
- Privilege Escalation:
- Credential Dumping: Tools like Mimikatz are used to dump credentials from memory, allowing the attackers to escalate privileges within the network.
- Defense Evasion:
- Obfuscation and Encryption: AM employs various obfuscation techniques and encryption methods to hide their malicious activities from antivirus and endpoint detection and response (EDR) tools.
- Disabling Security Tools: The ransomware attempts to disable or bypass security software installed on the victim’s systems to prevent detection and removal.
- Credential Access:
- Brute Force Attacks: The group uses brute force attacks to gain access to accounts with weak passwords. This is typically done after initial access is achieved to expand their foothold within the network.
- Discovery:
- Network Scanning: AM performs extensive network scanning to identify other vulnerable systems and valuable targets within the compromised network.
- Lateral Movement:
- Remote Desktop Protocol (RDP): They use compromised credentials to move laterally within the network via RDP, accessing multiple systems to deploy their ransomware payloads .
- Tools like Cobalt Strike: Utilization of Cobalt Strike for lateral movement and deployment of additional payloads is also observed.
- Collection:
- Data Exfiltration: Before encrypting files, AM exfiltrates sensitive data to use as leverage in double extortion schemes, threatening to leak the data if the ransom is not paid.
- Command and Control (C2):
- TOR and Encrypted Channels: They use TOR and encrypted communication channels to manage their operations and communicate with their deployed malware without detection .
- Exfiltration:
- Secure File Transfer Protocols: Sensitive data is exfiltrated using secure protocols to servers controlled by AM, which are often located in jurisdictions with limited cybercrime enforcement.
- Impact:
- File Encryption: The ransomware encrypts critical files on the victim’s systems, rendering them inaccessible until a ransom is paid.
- Double Extortion: Besides encrypting files, AM threatens to leak exfiltrated data if the ransom is not paid, increasing pressure on the victims to comply with their demands.