Emerging Threat Actor: Arcus Media Ransomware


Arcus Media has rapidly emerged as a technically advanced ransomware-as-a-service (RaaS) operation since debuting in May 2024. The group quickly made a name for itself through a series of high-impact attacks and is notable for using custom-built malware developed in-house, rather than relying on leaked or recycled code.
Arcus Media operates under a closed affiliate model that requires referrals and vetting, helping the group maintain tight operational security and limit exposure. Within just months of launching, the group was linked to more than 50 confirmed attacks, an early indication of its scale and coordination.
While not tied to any known legacy ransomware brands, Arcus Media’s structure and tactics, including selective encryption, recovery sabotage, and targeted victim profiling, closely echo those used by past operations like REvil and DarkSide.
Initial access is typically gained via phishing or through credentials obtained from Initial Access Brokers (IABs). Once inside, Arcus Media deploys its custom ransomware through obfuscated scripts and loaders, enabling stealthy execution and flexible delivery across environments.
The ransomware encrypts files selectively, using AES for file content and RSA to secure the key exchange, a combination that balances encryption speed against the disruption caused. The group employs credential harvesting tools like Mimikatz, uses process injection and anti-debugging techniques to bypass defenses, and disables endpoint protection tools.
It also halts recovery processes, deletes shadow copies, and uses registry changes and scheduled tasks to establish persistence and ensure access through system reboots. This modular architecture and adaptable toolset give Arcus Media the ability to deliver fast, crippling, and difficult-to-recover-from attacks.
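As an added illustration from the detection side (this is not code from the Halcyon post, nor anything from Arcus Media tooling), the following Python script runs a handful of behaviour rules for the recovery-sabotage, persistence and endpoint-protection-tampering steps described above over constructed, Sysmon-style process-creation records, and raises one alert per host only when several distinct techniques cluster within a short window. The record layout, field names, rule names, host names and every sample line are assumptions made for this example.

```python
"""
Added example: behaviour-rule detection over constructed process-creation
records. Not from the Halcyon post or from any Arcus Media sample.

Record layout (assumed for this example, one record per line):
  ISO-timestamp|host|user|parent_image|image|command_line
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one pipe-delimited record; the command line is the last field."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return ProcessEvent(datetime.fromisoformat(ts), host, user, parent, image, cmdline)


def load_events(text: str) -> list:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


# (technique label, regex over the command line). Labels are this example's own
# names for the behaviours the post describes; several rules share a label.
RULES = [
    ("inhibit_recovery", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("inhibit_recovery", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("inhibit_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s*no\b", re.I)),
    ("scheduled_task", re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b", re.I)),
    ("registry_run_key", re.compile(r"\breg(?:\.exe)?\b\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    ("endpoint_protection_tamper",
     re.compile(r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I)),
]


def match_rules(event: ProcessEvent) -> list:
    """Distinct technique labels whose rule fires on this event's command line."""
    return sorted({label for label, rx in RULES if rx.search(event.cmdline)})


def correlate(events, window=timedelta(minutes=10), min_techniques=2) -> dict:
    """Per host, the largest set of distinct techniques seen inside one window.

    A single scheduled-task creation is normal admin activity; the alert fires
    only when at least `min_techniques` different behaviours cluster together.
    """
    hits = defaultdict(list)
    for ev in events:
        for label in match_rules(ev):
            hits[ev.host].append((ev.ts, label))
    alerts = {}
    for host, host_hits in hits.items():
        host_hits.sort()
        best = set()
        for i, (t0, _) in enumerate(host_hits):
            in_window = {label for ts, label in host_hits[i:] if ts - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_techniques:
            alerts[host] = best
    return alerts


# Constructed sample telemetry: benign noise on WS-041 and WS-019, a routine
# backup check on FS-01 in the morning, and a clustered sabotage sequence on
# FS-01 just before noon. Paths and host names are placeholders.
SAMPLE_LOG = r"""
2024-06-03T09:14:02|WS-041|CORP\jdoe|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jdoe\notes.txt
2024-06-03T09:15:10|FS-01|CORP\backupsvc|wbengine.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2024-06-03T11:39:58|FS-01|CORP\svc_admin|cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2024-06-03T11:40:15|FS-01|CORP\svc_admin|powershell.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2024-06-03T11:40:16|FS-01|CORP\svc_admin|powershell.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2024-06-03T11:40:20|FS-01|CORP\svc_admin|powershell.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\ProgramData\upd.exe /sc onlogon
2024-06-03T11:41:05|FS-01|CORP\svc_admin|cmd.exe|C:\Windows\System32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\ProgramData\upd.exe
2024-06-03T12:05:00|WS-019|CORP\itadmin|cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Inventory /tr C:\Tools\inv.exe /sc daily
"""


def run_demo() -> dict:
    """Run the rules over the constructed log and return the per-host alerts."""
    return correlate(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for host, techniques in run_demo().items():
        print(f"ALERT {host}: {', '.join(sorted(techniques))}")
```

Only FS-01 is alerted on: the `vssadmin list shadows` call from the backup service matches no rule, and the single `schtasks /create` on WS-019 is below the two-technique threshold. In a real deployment the same rules would be applied to the command-line field of Sysmon Event ID 1 or Windows Security Event 4688 rather than to a pipe-delimited file, and the window and threshold would be tuned against the environment's normal administrative activity.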
Targeting spans a wide range of industries including media, healthcare, business services, retail, and manufacturing, highlighting an opportunistic focus on organizations with sensitive or high-value data. Attacks have been observed across North America, Europe, and parts of Asia, signaling a growing global reach.
Arcus Media operates a structured RaaS model in which affiliates retain around 70% of ransom proceeds, with the core group keeping 30%. The group consistently uses double extortion tactics: exfiltrating sensitive data before encryption and leveraging public leak sites to intensify pressure on victims.
Since its launch, Arcus Media has continued to accelerate, now linked to more than 75 confirmed ransomware incidents, reflecting its increasing operational tempo and the expansion of its selectively vetted affiliate network. While specific ransom demands remain undisclosed, early reporting suggests that Arcus Media tailors its demands to each victim's size and sector, with ransom amounts ranging from several hundred thousand to multiple millions of dollars.
This blend of custom tooling, disciplined execution, and strategic targeting has quickly positioned Arcus Media as a significant and fast-growing threat in the ransomware landscape.
Halcyon is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to fill endpoint protection gaps and defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture and automated decryption, and exfiltration and extortion prevention.