THREAT ACTOR

Arcus Media

THREAT LEVEL: 6.2
EMERGENCE DATE: May 2024
CATEGORY: Selective Affiliate Model
AFFILIATIONS: Operates independently with a selective affiliate network. One variant shows technical connections to the Phobos ransomware family.

DESCRIPTION

Arcus Media emerged as a ransomware-as-a-service operation in May 2024, establishing itself as a significant threat actor in the ransomware ecosystem, particularly targeting manufacturing and healthcare organizations.

The group runs a selective affiliate model: recruitment is referral-based, candidates are vetted, and operations are financially motivated. Having emerged while major groups such as LockBit and ALPHV/BlackCat were being disrupted, Arcus Media has since developed its technical capabilities, most notably a selective encryption strategy that balances speed with effectiveness.

CRITICALITY
Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

The group operates as a restricted RaaS platform with no confirmed organizational connections to established ransomware families, though technical analysis reveals one variant that reuses Phobos ransomware code. Arcus Media maintains a selective affiliate network with referral-based recruitment and vetting, operating through a closed affiliate model that prioritizes operational security over rapid expansion. This controlled-access approach, combined with technical capabilities including ChaCha20 encryption and RSA-2048 key protection, distinguishes the group from open-enrollment RaaS operations; vetted affiliates receive approximately 75% of the revenue share.

Current Status: Active as of 2025, with more than 75 confirmed incidents through July 2025 and continued operations despite absence from official government advisories.

Threat Level: 6.2

Origins and Methodology

Arcus Media sets itself apart in the ransomware landscape through the timing of its emergence rather than by splintering from an existing group. Its targeting is selective, focusing on entities with revenues in the hundreds of thousands to millions: organizations with substantial financial resources but limited security infrastructure.

What is the Evolution of Arcus Media Ransomware?
0.1 Formation

Emerged independently in May 2024, distinguishing itself from the typical ransomware group that splinters from an established predecessor. Unlike families with clear lineage to earlier variants, Arcus Media appears to have been developed with both original features and code adapted from the Phobos family.

0.2 Evolution

The group's most significant evolution occurred through rapid operational scaling, achieving approximately six-fold growth from initial victims to more than seventy-five confirmed attacks by July 2025.

0.3 Lineage/Connections

Technical analysis reveals dual-variant deployment: one variant is based on Phobos ransomware family code and shows file extension patterns similar to Phobos implementations, while the other demonstrates custom development with unique features, including automated privilege escalation via the ShellExecuteExW API.

Which Unique Techniques Does Arcus Media Use?

TECHNIQUE

DETAILS

Infection Vectors

Arcus Media employs multiple initial access methods, including phishing campaigns with malicious attachments, compromised RDP/VPN credentials obtained from Initial Access Brokers, and exploitation of unpatched vulnerabilities, though no specific CVEs have been documented.

Target Selection

Strategic targeting focused on Latin American enterprises, with the primary concentration in Brazil, while maintaining global reach across North America, Europe, Asia-Pacific, and Africa. Primary sectors include manufacturing, identified as the top target, followed by healthcare institutions, financial services, and professional services.

Operational Complexity

Operational methods leverage advanced encryption techniques and systematic attack strategies. The group employs a methodical multi-stage attack strategy encompassing comprehensive reconnaissance, lateral movement, and data exfiltration before encryption is deployed.

Key Features & Technical Details

The threat actor's ransomware exhibits technical capabilities like strong encryption standards, comprehensive data theft mechanisms, and structured communication protocols.

FEATURE

DETAILS

Encryption Methods

ChaCha20 with RSA-2048 key protection. Implements selective encryption: larger files are partially encrypted (beginning and end portions only), while smaller files are fully encrypted. Generates a unique key per file.

Double Extortion

Combines traditional file encryption with comprehensive data theft. Maintains a leak site on TOR with a structured escalation timeline: an initial threshold before leak threats, followed by a final deadline.

Cross-Platform

Variants confirmed for Windows environments only; Linux/ESXi variants are not confirmed. Dual-variant approach with Phobos-based and custom implementations.

Monetization

Average ransom demands range from tens to hundreds of thousands, scaled to victim profiling. RaaS model with the majority of revenue going to affiliates. Bitcoin is the primary payment method, with exchange assistance provided.

Communication

Directs victims to a TOR portal via an onion domain. Infrastructure includes Tox messenger, with XMPP/Proton as backup channels.

Behavioral Patterns

Uses the ShellExecuteExW API for privilege escalation. Deletes volume shadow copies. Clears security logs. Terminates processes via the CreateToolhelp32Snapshot and TerminateProcess APIs.
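The selective-encryption behaviour above matters for response scoping: in a large file only the head and tail become ciphertext, so the middle may still be readable. The added Python below (not code from the profile or any vendor) triages a suspected '[Encrypted].Arcus' file by comparing the Shannon entropy of its head, tail and middle; the 4 KB region size, the 7.0-bit threshold and the sample bytes are assumptions and constructed data, not figures from the page.

```python
import math
import random
from collections import Counter

# Assumed region size and entropy cut-off: the profile says large files get only their
# beginning and end encrypted, but not how many bytes, so tune REGION_BYTES per sample.
REGION_BYTES = 4096
HIGH_ENTROPY = 7.0  # bits per byte; encrypted data sits near 8.0, office text near 4.5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_arcus_file(data: bytes, region: int = REGION_BYTES) -> str:
    """Return 'full', 'partial-head-tail' or 'plaintext' for a suspected '[Encrypted].Arcus'
    file. Assumes a low-entropy original; an already-compressed original would read 'full'."""
    if len(data) <= 2 * region:
        # Small files are fully encrypted according to the profile, so judge the whole blob.
        return "full" if shannon_entropy(data) >= HIGH_ENTROPY else "plaintext"
    head, tail = shannon_entropy(data[:region]), shannon_entropy(data[-region:])
    if head < HIGH_ENTROPY or tail < HIGH_ENTROPY:
        return "plaintext"
    middle = shannon_entropy(data[region:-region])
    return "full" if middle >= HIGH_ENTROPY else "partial-head-tail"

def pseudo_ciphertext(rng: random.Random, n: int) -> bytes:
    # Deterministic stand-in for encrypted bytes (constructed, not real ciphertext).
    return bytes(rng.getrandbits(8) for _ in range(n))

def build_samples() -> dict:
    """Constructed inputs covering each verdict; not real Arcus Media samples."""
    rng = random.Random(2024)
    doc = b"Quarterly production schedule, line 3, shift B: 1200 units.\n" * 320  # ~19 KB
    partial = (pseudo_ciphertext(rng, REGION_BYTES)
               + doc[REGION_BYTES:-REGION_BYTES]
               + pseudo_ciphertext(rng, REGION_BYTES))
    return {
        "untouched_doc": doc,
        "large_partial": partial,
        "large_full": pseudo_ciphertext(rng, len(doc)),
        "small_full": pseudo_ciphertext(rng, 1500),
    }

def triage_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_arcus_file(blob) for name, blob in build_samples().items()}
```

A 'partial-head-tail' verdict means the middle bytes are untouched, which is relevant when scoping what is recoverable without a key and what data was exposed in readable form.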

Activities

Arcus Media maintained a consistent operational tempo from May 2024 to July 2025. The group achieved a notable presence in global ransomware activity in March 2025, sustaining operations despite law enforcement pressure. Activity peaked in May 2025, positioning the group among the rapidly rising ransomware operations.

Which Industries Are Most Vulnerable to Arcus Media?

Manufacturing organizations face the highest risk: the threat actor consistently targets this sector because operational criticality and OT/IT convergence vulnerabilities create payment pressure. Healthcare institutions are targeted because of patient safety concerns and regulatory compliance pressures, while financial services attract attention for monetary incentives and valuable customer data with regulatory exposure. Professional services face increased targeting due to SME concentration and limited security resources, and government entities in Latin America have been targeted for sensitive citizen data and critical service dependencies.

Modus Operandi

The group uses mature operational methods built on a multi-stage attack architecture, leveraging both legitimate tools and custom malware to blend malicious activity with normal system operations. Its methodical approach encompasses initial compromise through multiple vectors, followed by systematic reconnaissance, privilege escalation, and strategic data exfiltration before encryption is deployed.

Details

T1566 - Phishing with malicious attachments targeting employee credentials. T1078 - Valid Accounts purchased from Initial Access Brokers. T1133 - External Remote Services compromise via RDP/VPN exploitation

Details

Comprehensive network reconnaissance using automated scanning tools, identification of high-value targets and sensitive data repositories

Details

Deployment of various backdoors for persistent access, use of legitimate remote monitoring tools to blend with normal operations

Details

T1548 - Abuse Elevation Control using ShellExecuteExW API for automatic privilege escalation. T1070 - Indicator Removal through security log clearing. T1562.001 - Disable Security Tools via process termination

Details

T1078 - Valid Accounts for persistence across multiple systems, credential harvesting from compromised systems

Details

Encrypted communications through TOR infrastructure, use of legitimate protocols to blend with normal traffic

Details

T1021 - Remote Services using compromised RDP credentials. T1570 - Lateral Tool Transfer for ransomware distribution across network shares. Living-off-the-land techniques to avoid detection

Details

T1041 - Exfiltration Over C2 Channel using TOR infrastructure. T1048 - Exfiltration Over Alternative Protocol for data theft before encryption. Double extortion preparation

Details

T1112 - Registry Modification creating autostart entries (contains coding bugs limiting effectiveness). T1547 - Boot or Logon Autostart via startup folder placement

Details

T1486 - Data Encrypted for Impact using ChaCha20/RSA-2048 with selective encryption. T1490 - Inhibit System Recovery through shadow copy deletion and log clearing. T1489 - Service Stop targeting SQL, email, Office applications

Details

T1486 - Data Encrypted for Impact using ChaCha20/RSA-2048 with selective encryption

Details

Deployment of ransom notes as info.txt, info.hta, Arcus-ReadMe.txt. Threats of public data disclosure on leak sites

Details

T1070 - Indicator Removal through security log clearing and trace deletion
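The impact-stage behaviours listed above (shadow copy deletion, log clearing, process termination, ransom note drops) mean little as single events but are a strong signal when they land together on one host. As an added detection example (not code from the profile or its source), the Python below scores constructed endpoint-log lines per host against the profile's own artefacts (note names, the '[Encrypted].Arcus' extension, the AntiRecuvaDB.exe path) and its named behaviours; the log format, the vssadmin/wevtutil command lines and the rule weights are assumptions.

```python
import re
from collections import defaultdict

# Rules as (name, weight, regex over the event detail). The command-line forms (vssadmin,
# wevtutil) are assumed tooling; the profile names the behaviours, not the commands.
RULES = [
    ("shadow_copy_deletion", 3, re.compile(r"vssadmin.*delete\s+shadows|shadowcopy\s+delete", re.I)),
    ("security_log_cleared", 3, re.compile(r"wevtutil\s+cl\s+security|EventID=1102", re.I)),
    ("generic_note_name", 2, re.compile(r"\\info\.(txt|hta)$", re.I)),  # common names, weak alone
    ("arcus_note_name", 5, re.compile(r"\\Arcus-ReadMe\.txt$", re.I)),
    ("arcus_extension", 5, re.compile(r"\[Encrypted\]\.Arcus$", re.I)),
    ("known_dropper_path", 5, re.compile(r"\\AppData\\Local\\AntiRecuvaDB\.exe$", re.I)),
    ("business_app_terminated", 1, re.compile(r"terminated .*(sqlservr|outlook|winword|excel)\.exe", re.I)),
]

# Assumed telemetry shape: "<timestamp> <host> <event_type> <detail...>"
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<type>\w+)\s+(?P<detail>.+)$")

# Constructed telemetry, not from a real incident: FILESRV01 shows the impact chain,
# WKS-042 only a generic note name plus one closed application (noise on its own).
SAMPLE_LINES = r"""
2025-05-02T03:11:04Z FILESRV01 process cmd.exe /c vssadmin delete shadows /all /quiet
2025-05-02T03:11:09Z FILESRV01 process wevtutil cl security
2025-05-02T03:11:40Z FILESRV01 process terminated sqlservr.exe (TerminateProcess)
2025-05-02T03:12:30Z FILESRV01 file_create D:\Shares\Finance\info.hta
2025-05-02T03:12:31Z FILESRV01 file_rename D:\Shares\Finance\budget.xlsx -> D:\Shares\Finance\budget.xlsx.[Encrypted].Arcus
2025-05-02T09:00:00Z WKS-042 file_create C:\Users\alice\Downloads\info.txt
2025-05-02T09:30:00Z WKS-042 process terminated excel.exe (user logoff)
""".strip().splitlines()

def score_hosts(lines, threshold: int = 6) -> dict:
    """Return {host: {"score": int, "hits": set}} for hosts whose distinct matched
    indicators sum to at least `threshold`; each rule counts once per host."""
    per_host = defaultdict(lambda: {"score": 0, "hits": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        entry = per_host[m["host"]]
        for name, weight, rx in RULES:
            if name not in entry["hits"] and rx.search(m["detail"]):
                entry["hits"].add(name)
                entry["score"] += weight
    return {host: v for host, v in per_host.items() if v["score"] >= threshold}
```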

Indicators of Compromise (IOCs)

The following indicators of compromise help identify Arcus Media operations within networks, particularly file hashes, IP addresses, and registry paths tied to the ransomware infrastructure.

INDICATOR

DETAILS

File Hashes

SHA-256:
7B3A46605B831ACEDD7DE5FA78C4145C8D052BDDE3693ABE8D8319CB80CD365B
5F2AD6172B35B5FCC40460AF64E7C97AC5EE6726DDB8E7178FC5A6258C1E3A61
MD5:
34590105AD4B09C19F1646A61265BF2D
A47951DFEDDC650B43ABE3A02502AFC9

Domains/URLs

arcuufpr5xxbbkin4mlidt7itmr6znlppk63jbtkeguuhszmc5g7qdyd.onion - Primary TOR leak site

File Paths

C:\ProgramData - Common staging directory
C:\Users\admin\AppData\Local\AntiRecuvaDB.exe

Ransom Notes

info.txt, info.hta, Arcus-ReadMe.txt
File Extension: [Encrypted].Arcus

Exploits and Vulnerabilities

Specific exploitation techniques and targeted vulnerabilities currently remain undocumented in threat reporting.