THREAT ACTOR

Sarcoma

THREAT LEVEL: 7.1
EMERGENCE DATE: Oct 2024
CATEGORY: Ransomware-as-a-Service
AFFILIATIONS

Suspected technical connections to disbanded Maze and Egregor ransomware operations; possible Eastern European or Central Asian origins

DESCRIPTION

Emerging in October 2024, Sarcoma rapidly achieved third-place global ransomware status within its first month. Operating through a hybrid RaaS model with selective affiliate recruitment, the group pioneered "Living Off the Land Remotely" tactics by weaponizing legitimate Remote Monitoring and Management tools to blend malicious activity with normal IT operations. Ransom demands escalated from mid-five figures to over $1 million by mid-2025, while suspected code heritage from Maze and Egregor operations suggests experienced operator involvement.

CRITICALITY
Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

Sarcoma operates through a hybrid RaaS model with selective affiliate recruitment and a 70/30 revenue split favoring affiliates. Core operators maintain the malware infrastructure, develop the encryption logic, and run the dark web leak sites, while affiliates execute attacks and handle victim negotiations. The group relies on double extortion, combining file encryption with data theft so that victims are pressured both by operational disruption and by the risk of exposure.

Data is exfiltrated with Rclone, WinSCP, and cURL before encryption, after which the group threatens publication on its leak sites. Code-level similarities to the Maze and Egregor ransomware families suggest inherited infrastructure or experienced talent.

Current Status: Fully operational as of October 2025, with zero government advisories or law enforcement actions despite 100+ documented victims.

Threat Level: 7.1

Origins and Methodology

Sarcoma is distinguished by unprecedented velocity, achieving top-10 global status within its first month, and by systematic abuse of legitimate Remote Monitoring and Management tools for stealthy reconnaissance that bypasses traditional security monitoring. Cross-platform capabilities spanning Windows, Linux, and VMware ESXi environments, combined with confirmed zero-day exploitation, render data recovery impossible without attacker cooperation.

What is the Evolution of Sarcoma Ransomware?
1. Formation

Sarcoma first appeared in October 2024 with 31 victims in its first month, immediately positioning it as the third most active ransomware operation globally, behind only RansomHub and Play. During October 9-15, 2024, the group accounted for 20% of all ransomware victims worldwide.

Professional TOR-based leak site infrastructure and a multithreaded encryption implementation from day one suggest experienced operator involvement. The three-year gap between the Egregor disruption in 2021 and Sarcoma's emergence aligns with typical operational reconstitution periods.

2. Evolution

Initial months focused on Windows environments with basic encryption and single-tool exfiltration. From late 2024 through early 2025, capabilities expanded to include VMware ESXi support for cross-platform operations. Data exfiltration evolved from a single-tool approach to a diverse toolkit including Rclone, WinSCP, and cURL, with systematic compression of stolen data.

Defense evasion techniques came to incorporate AMSI bypasses, Living-off-the-Land Binary tactics, and systematic RMM tool abuse. Operations since mid-2025 show ransom demands escalating from mid-five figures to over $1 million for enterprise targets. Advancement from EMERGING to CONTENDERS classification within six months reflects a sustained growth trajectory.

3. Lineage/Connections

Technical analysis reveals code-level similarities to Maze ransomware, which operated in 2019-2020 and pioneered double extortion before shutting down in October 2020. Egregor emerged in late 2020 using shared code bases and operated through early 2021, until law enforcement disruption. Researchers identified architectural choices, including multithreaded encryption, strategic directory avoidance, and professional TOR-based leak site design, that mirror Maze and Egregor methodologies.

Which Unique Techniques Does Sarcoma Use?

Attack methodology centers on exploiting internet-facing vulnerabilities and leveraging legitimate administrative tools for reconnaissance before deploying double extortion.

Key Features & Technical Details

Cross-platform ransomware supporting Windows, Linux, and VMware ESXi environments with multithreaded encryption avoiding system-critical directories.

Infection Vectors: Exploitation of vulnerable Citrix, Fortinet, and Microsoft Exchange servers; phishing campaigns with spearphishing attachments; Remote Desktop Protocol exploitation targeting misconfigured services. Confirmed zero-day vulnerability exploitation in an October 2024 attack.

Target Selection: Mid-market organizations with revenues between $1-10 million USD, representing the sweet spot of substantial resources without enterprise-level security. Focuses on sensitive data including legal case files, manufacturing designs, patient records, and personally identifiable information. Supply chain targeting compromises third-party providers to gain access to multiple downstream clients.

Operational Complexity: Multi-stage attack chains employing legitimate Remote Monitoring and Management tools for network discovery before payload deployment. Systematic data exfiltration precedes encryption, using compressed archives transferred to cloud storage. Professional TOR portal communications with aggressive 7-day deadlines.

Encryption Method: Hybrid encryption combining the ChaCha20 stream cipher with RSA-4096 asymmetric encryption; alternative reporting documents AES-256 with RSA-2048. Both implementations use CryptoPP library functions with a multithreaded architecture for rapid encryption.

File Extension: .sarcoma, .srcma, and victim-specific custom variants

Ransom Note: FAIL_STATE_NOTIFICATION.pdf with a 7-day deadline threatening data publication or darknet sale

Double Extortion: Systematic exfiltration using Rclone (57% of incidents), WinSCP, and cURL, with 7z.exe compression, to Google Drive, Amazon S3, Mega, and temp.sh. Data volumes average 40-100GB for mid-market targets, with the largest theft at 1.3TB.

Communication Channels: TOR-based infrastructure with 15+ .onion domains for leak sites and negotiation portals featuring countdown timers and sample data publication

Deployment Speed: Rapid multithreaded encryption with systematic Volume Shadow Copy deletion via vssadmin.exe delete shadows /all, eliminating recovery options

Payment Method: Bitcoin and other cryptocurrencies, with straightforward laundering through single intermediary addresses before exchange deposits

Operational Model: RaaS platform with selective affiliate recruitment and a 70/30 profit split favoring affiliates. Core operators maintain infrastructure; affiliates execute attacks.

Activities

Operations launched October 2024 with 31 attacks in the first month, reaching 58 by year-end and exceeding 116 documented victims through mid-2025. Ransom demands escalated from mid-five figures to over $1 million by Q2 2025. Q3 2025 showed at least 15 attacks with equal US and German targeting, including coordinated September strikes in Germany.

Primary operations concentrate on United States (approximately 50% of incidents) with significant activity across Australia, Canada, Germany, Italy, United Kingdom, Japan, and Spain. Geographic avoidance of Uzbekistan systems indicates Eastern European or Central Asian origins.

Which Industries Are Most Vulnerable to Sarcoma?

Targeting shows volume-driven approach across manufacturing, retail, business services, healthcare, legal services, finance, and critical infrastructure with no sector preference above 20%. Supply chain methodology targets third-party providers to reach multiple downstream clients.

Modus Operandi

Multi-stage attacks leverage vulnerability exploitation and legitimate administrative tools before deploying double extortion.

Exploit Public-Facing Application (T1190) targeting Citrix, Fortinet, and Microsoft Exchange servers; Phishing (T1566) campaigns with spearphishing attachments; External Remote Services (T1133) via Remote Desktop Protocol targeting misconfigured services. Confirmed zero-day exploitation in October 2024 attack combined with RMM tools for network

Remote System Discovery (T1018) through Remote Monitoring and Management tools for network reconnaissance; System Information Discovery (T1082) for high-value target identification; File and Directory Discovery (T1083) enumerating file systems for exfiltration targets.

Abuse of legitimate Remote Monitoring and Management software for reconnaissance, lateral movement, and privilege escalation, blending with normal IT traffic. Exploitation of Remote Desktop Protocol, AnyDesk, and PsExec for lateral movement.

Process Injection (T1055) evading security solutions; Indicator Removal (T1070) hiding evidence of compromise; DLL Side-Loading (T1574.002) executing malicious code; Obfuscated Files or Information (T1027) with encrypted payloads. Impair Defenses: Disable or Modify Tools (T1562.001) terminating security processes; Modify Registry (T1112) for persistence and evasion.

OS Credential Dumping (T1003) using tools including Mimikatz to enable lateral movement; Brute Force (T1110) supplementing access techniques; exploitation of vulnerable accounts for administrative access.

Application Layer Protocol (T1071) with encrypted channels to C2 servers; Ingress Tool Transfer (T1105) bringing in additional tools; Proxy (T1090) using TOR infrastructure for anonymization.

Remote Services (T1021) exploiting RDP, AnyDesk, and PsExec; Use Alternate Authentication Material (T1550) with pass-the-hash and pass-the-ticket attacks using dumped credentials.

Exfiltration Over Alternative Protocol (T1048) using Rclone (57% of incidents), WinSCP, and cURL; Exfiltration Over Web Service (T1567) leveraging Google Drive, Amazon S3, Mega, and temp.sh; Archive Collected Data (T1560) via 7z.exe compression.

Scheduled Task/Job (T1053.003) creating tasks for periodic execution; Event Triggered Execution (T1546.011) mechanisms; Modify Registry (T1112) ensuring persistence after reboots.

Operational disruption through rapid encryption combined with data exposure threats; systematic Volume Shadow Copy deletion prevents recovery without attacker cooperation; average victim downtime ranges from 1 to 3 weeks.

Data Encrypted for Impact (T1486) with multithreaded encryption targeting Windows, Linux, and VMware ESXi while avoiding system-critical directories.

Professional TOR portal communications with 7-day deadlines; FAIL_STATE_NOTIFICATION.pdf ransom notes threatening data publication or darknet sale; sample data publication with countdown timers. Demands escalated from mid-five figures to over $1 million by Q2 2025.

Inhibit System Recovery (T1490) executing commands that eliminate Volume Shadow Copies; Service Stop (T1489) terminating critical services before encryption.

Indicators of Compromise (IOCs)

Limited traditional IOCs exist in public sources; organizations should prioritize behavioral detection over signature-based approaches.

File Hashes: No publicly disclosed file hashes available; custom detection signatures remain behind private access portals

IP Addresses: Specific C2 server addresses not publicly disclosed; infrastructure ties to Eastern Europe and Asia assessed through operational patterns

Domains/URLs:
sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion (primary leak site)
54yjkjwjqbm74nchm6o6b4l775ws2hgesdopus5jvo3jx6ftj7zn7mid.onion (infrastructure)
55lfxollcks2pvxbtg73vrpl3i7x4jnnrxfl6al6viamwngqlu4cxgyd.onion (infrastructure)
At least 15 TOR domains documented

File Paths:
FAIL_STATE_NOTIFICATION.pdf (ransom note)
Tool artifacts including 7z.exe, Rclone configuration files, WinSCP logs, cURL execution artifacts

File Extensions:
.sarcoma (encrypted files)
.srcma (encrypted files)
Victim-specific custom variants
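Since the profile recommends behavioral detection over signatures, the following added example (not part of the original profile, and not a vendor rule) shows how the artifacts listed above could be matched against endpoint telemetry: the vssadmin shadow deletion, 7z.exe staging, Rclone/WinSCP/cURL exfiltration, the FAIL_STATE_NOTIFICATION.pdf ransom note, and the .sarcoma/.srcma extensions. The telemetry format, host names, and paths are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (illustrative, not real logs). One event per line:
# "proc|host|image|command_line" for process events, "file|host|path|" for file events.
SAMPLE_EVENTS = """\
proc|ws01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
proc|ws01|C:\\Tools\\7z.exe|7z.exe a -p -mhe=on C:\\staging\\finance.7z D:\\Shares\\Finance
proc|ws01|C:\\Tools\\rclone.exe|rclone.exe copy C:\\staging remote:bucket --transfers 8
proc|ws02|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
file|ws01|C:\\Users\\Public\\FAIL_STATE_NOTIFICATION.pdf|
file|ws01|D:\\Shares\\Finance\\q3_report.xlsx.sarcoma|
file|ws02|C:\\Users\\bob\\notes.txt|
"""

# Behavioural rules taken from the profile: (rule name, ATT&CK id, event kind, pattern).
RULES = [
    ("shadow_copy_deletion", "T1490", "proc", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("archive_staging", "T1560", "proc", re.compile(r"\b7z(\.exe)?\s+a\b", re.I)),
    ("exfil_tooling", "T1048", "proc", re.compile(r"\b(rclone|winscp|curl)(\.exe)?\b", re.I)),
    ("ransom_note_dropped", "T1486", "file", re.compile(r"FAIL_STATE_NOTIFICATION\.pdf$", re.I)),
    ("encrypted_extension", "T1486", "file", re.compile(r"\.(sarcoma|srcma)$", re.I)),
]

@dataclass
class Hit:
    host: str
    rule: str
    technique: str
    evidence: str

def scan(events: str) -> list:
    """Match every event against every rule of the same kind; return all hits."""
    hits = []
    for line in events.splitlines():
        kind, host, image, cmd = line.split("|", 3)
        subject = cmd if kind == "proc" else image   # command line, or file path for file events
        for name, tid, rule_kind, pattern in RULES:
            if rule_kind == kind and pattern.search(subject):
                hits.append(Hit(host, name, tid, subject))
    return hits

def hosts_with_chain(hits, required=("archive_staging", "exfil_tooling", "shadow_copy_deletion")):
    """Hosts showing the full archive -> exfiltrate -> inhibit-recovery sequence. A lone
    vssadmin call is common admin noise; all three together is a high-confidence signal."""
    rules_by_host = {}
    for h in hits:
        rules_by_host.setdefault(h.host, set()).add(h.rule)
    return sorted(host for host, rules in rules_by_host.items() if set(required) <= rules)
```

In the constructed sample only ws01 produces the complete chain; ws02's benign svchost and text file generate no hits.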

Exploits and Vulnerabilities

CVE: N/A
CVSS: Not Disclosed
Description: N/A

Specific CVE numbers have not been publicly attributed, despite confirmed exploitation of Citrix, Fortinet, and Microsoft Exchange vulnerabilities and zero-day capabilities.

Additional Attack Vectors: Remote Desktop Protocol exploitation targeting misconfigured services; phishing campaigns with spearphishing attachments; supply chain compromise targeting third-party providers