sarcoma

Also known as: Sarcoma Ransomware Group, sarcoma

Sarcoma is a ransomware group that emerged in October 2024 and has been actively targeting a wide range of organizations. Sarcoma’s initial-access methods include phishing campaigns, exploitation of n-day vulnerabilities, and supply chain attacks. Once inside a network, the group uses RDP exploitation, lateral movement, and data exfiltration. Sarcoma has claimed responsibility for attacks against Unimicron (a PCB manufacturer), Kelowna Springs Golf Club, Popular Life Insurance, CP Construplan, ADT Freight Services Australia, and Micon National. These attacks have resulted in data exfiltration, with Sarcoma threatening to leak, or having already leaked, the stolen data. Specifically, Sarcoma has exfiltrated 377 GB of SQL files and sensitive documents from Unimicron, 3.8 GB of data from Kelowna Springs, 36 GB of data from Popular Life Insurance, 2 GB of data from ADT Freight Services Australia, and 34 GB of data from Micon National. The group is known for its aggressive tactics against industrial organizations.

Activities and Tactics

Targeted Sectors: Energy, Technology, Manufacturing, Services, Financial, Agriculture, Retail, Private sector, Hospitality, Transportation

Suspected Victim Countries: Italy, United States, Germany, Taiwan, Spain, Dominican Republic, Mexico, South Africa, Oman, Pakistan…

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Arcom:
  • Xploit:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.