Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang
Summary:
Sarcoma Ransomware has rapidly established itself as one of the most aggressive ransomware groups since its emergence in October 2024. Within a short span, the group has executed numerous successful attacks across multiple sectors and countries, including high-profile incidents involving Unimicron and The ToolShed. Sarcoma is known for employing advanced techniques, such as zero-day exploits, remote monitoring and management (RMM) tools, and data exfiltration tactics, often leading to operational disruptions and large-scale data breaches, such as the 40 GB exfiltration from Smart Media Group in Bulgaria. A key feature of the group’s tactics is the use of double extortion, in which both encryption and data theft are leveraged to pressure victims into payment. The group targets primarily mid-sized organizations with revenue between $1 million and $50 million, possibly due to a balance between the ability to pay and less mature cybersecurity defenses. Geographically, the United States has the highest number of known victims, followed by Australia, Italy, and Canada. This aligns with broader ransomware trends that focus on Western nations likely to pay ransoms and maintain strong breach reporting standards. The malware is notably configured to avoid systems using the Uzbek keyboard layout, suggesting a potential origin in or operational ties to Uzbekistan, while not excluding systems in other CIS countries; this is unusual behavior among ransomware groups, which often avoid those regions to evade local law enforcement.
Technical analysis reveals that Sarcoma ransomware employs sophisticated evasion, propagation, and encryption techniques. The Windows variant uses the Crypto++ library for encryption, integrates geolocation-based evasion through keyboard layout checks, and relies on obfuscated PowerShell scripts to disable database services, erase traces, and encrypt files using a hybrid ChaCha20 and RSA scheme. It propagates laterally within networks by identifying reachable devices through ARP table analysis, then uses SMB and scheduled tasks for remote payload deployment. The Linux version mirrors much of this behavior, substituting libraries like LibTomCrypt and targeting hypervisors through VMware’s vim-cmd to delete snapshots and reduce recovery options.
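The lateral-movement chain described above (admin-share access over SMB followed by remote scheduled-task creation on the same host) is something a defender can correlate from Windows Security logs. The following is an added detection example written for this summary, not code from the original article or the Sarcoma malware; it assumes Security event IDs 5140 (network share accessed) and 4698 (scheduled task created), and the event records it runs over are constructed sample data, not logs from any real incident.

```python
"""Correlate Windows Security events into the pattern this summary describes:
an admin-share access (5140) from a source IP, followed within a short window
by a scheduled task being created (4698) on that same host, then flag sources
that repeat the pattern across several hosts. Sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_id, details)
SAMPLE_EVENTS = [
    ("2025-04-01T02:10:05", "WS-042", 5140, {"share": "\\\\*\\ADMIN$", "src_ip": "10.0.5.17"}),
    ("2025-04-01T02:10:09", "WS-042", 4698, {"task": "\\Update", "src_ip": "10.0.5.17"}),
    ("2025-04-01T02:10:11", "WS-043", 5140, {"share": "\\\\*\\C$", "src_ip": "10.0.5.17"}),
    ("2025-04-01T02:10:14", "WS-043", 4698, {"task": "\\Update", "src_ip": "10.0.5.17"}),
    ("2025-04-01T03:30:00", "FS-01", 5140, {"share": "\\\\*\\Shared", "src_ip": "10.0.9.3"}),
    ("2025-04-01T09:00:00", "WS-010", 4698, {"task": "\\Backup", "src_ip": "10.0.1.2"}),
]

ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")   # shares used for remote payload drops
WINDOW = timedelta(minutes=5)             # how close the two events must be


def find_chains(events, window=WINDOW):
    """Return (src_ip, host, task) for every 4698 that was preceded within
    `window` by a 5140 admin-share access from the same source on that host."""
    recent_smb = defaultdict(list)   # (src_ip, host) -> timestamps of admin-share access
    hits = []
    for ts_str, host, eid, d in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        key = (d["src_ip"], host)
        if eid == 5140 and d["share"].rsplit("\\", 1)[-1] in ADMIN_SHARES:
            recent_smb[key].append(ts)
        elif eid == 4698 and any(ts - t <= window for t in recent_smb[key]):
            hits.append((d["src_ip"], host, d["task"]))
    return hits


def spreading_sources(hits, min_hosts=2):
    """Source IPs whose chain landed on at least `min_hosts` distinct hosts,
    i.e. one machine pushing the same task across the network."""
    per_src = defaultdict(set)
    for src, host, _ in hits:
        per_src[src].add(host)
    return sorted(s for s, hosts in per_src.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    chains = find_chains(SAMPLE_EVENTS)
    print("chains:", chains)
    print("sources spreading across hosts:", spreading_sources(chains))
```

Legitimate admin tooling also creates tasks over admin shares, so tune the window and allow-list known management hosts before alerting on `spreading_sources`.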
Security Officer Comments:
The malware avoids encrypting system and executable files by excluding specific extensions and directories, reducing the likelihood of immediate detection. Once files are encrypted, Sarcoma writes ransom notes in affected directories and maintains logs if debugging is enabled. The combination of efficient symmetric encryption with RSA key wrapping secures file access exclusively for the attackers.
Sarcoma’s behavior, including its limited CIS region exclusions and use of refined techniques, reflects an experienced and well-resourced threat actor. While its precise affiliations remain unclear, its operations follow a pattern observed in many established ransomware syndicates that work with Initial Access Brokers to gain entry and focus on rapid monetization.
Suggested Corrections:
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical: if your network data is encrypted by ransomware, your organization can still restore systems from them.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails.
Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.
Link(s):
https://securityaffairs.com/178072/...eiled-anatomy-of-a-double-extortion-gang.html