Dark Web Profile: Arkana Ransomware

Arkana Ransomware emerged in early 2025 with a high-profile attack on WideOpenWest (WOW!), stealing millions of customer records and taking control of key backend systems. The group is linked to the Qilin Network RaaS platform and focuses on data extortion, relying on stolen credentials and lateral movement rather than a custom ransomware payload.

Key Points

  • Arkana Ransomware first appeared in March 2025 with an attack on U.S. internet provider WideOpenWest (WOW!), stealing large customer databases and taking control of backend systems.
  • The group runs a dark web Data Leak Site where it posts stolen data, and relies on psychological pressure rather than file encryption to extort victims.
  • Arkana is linked to Qilin Network, a major Ransomware-as-a-Service program known for custom ransomware payloads and widespread activity in 2025.
  • Victims of Arkana span multiple sectors including gambling, energy, financial services, and telecommunications, primarily in the U.S. and UK.
  • Arkana’s favored tactics include credential theft, lateral movement using tools such as PsExec and AnyDesk, and data exfiltration ahead of extortion.
  • Qilin affiliates deploy advanced tooling, including Cobalt Strike and custom encryption, to escalate attacks and gain leverage in ransom negotiations.
  • Mitigation strategies include enforcing MFA, network segmentation, endpoint protection, regular backups, and dark web monitoring.

MITRE Techniques

  • [T1078] Valid Accounts – Arkana steals credentials to gain initial access (“stealing credentials” and “access backend tools after harvesting login data”).
  • [T1021] Remote Services – Use of PsExec, Citrix, and AnyDesk for lateral movement across victim networks (“use tools like PsExec or remote access software, including Citrix or AnyDesk”).
  • [T1565] Data Manipulation – Exfiltration of large customer databases and sensitive information (“extract large amounts of valuable information, like customer databases or login credentials”).
  • [T1496] Resource Hijacking – Taking control of backend systems such as WOW!’s AppianCloud and Symphonica platforms (“taken control of key backend systems like WOW!’s AppianCloud and Symphonica platforms”).
  • [T1589.002] Gather Victim Identity Information: Credentials – Collection of login data from infected staff computers (“harvesting login data from an infected staff computer”).
  • [T1566] Phishing – Qilin group gaining access through phishing and malicious tools (“Qilin uses phishing, exposed services, or malicious tools”).
  • [T1059] Command and Scripting Interpreter – Usage of PowerShell loaders for malware deployment (“deploy tools like … PowerShell loaders”).
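
As an added illustration (not SOCRadar’s code, nor anything recovered from Arkana or Qilin tooling), the Python below runs simple detection rules for the T1021 and T1059 behaviours listed above over constructed Sysmon-style event records: a PSEXESVC service install, an AnyDesk launch from a user directory, and a PowerShell invocation with loader-style flags. Field names follow Sysmon/Windows event conventions; the records themselves are made up.

```python
"""Detection heuristics for the lateral-movement and loader TTPs in the profile.

Added illustration, not SOCRadar's code. The event records at the bottom are
constructed in a simplified Sysmon/Windows event shape to exercise each rule.
"""
import re

# Remote-access / lateral-movement tooling named in the profile (T1021).
REMOTE_TOOLS = {"psexec.exe", "psexesvc.exe", "anydesk.exe"}
# Loader-style PowerShell switches: no profile, hidden window, bypassed policy,
# encoded payload (T1059). Benign admin scripts rarely combine these.
PS_LOADER_FLAGS = re.compile(
    r"-(enc(odedcommand)?|nop|w(indowstyle)?\s+hidden|ep\s+bypass)\b", re.I)


def classify(event):
    """Return (technique, reason) when an event matches a rule, else None."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    host = event.get("Computer", "?")
    # System log 7045: a new service was installed; PsExec registers PSEXESVC.
    if eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        return ("T1021", f"PsExec service installed on {host}")
    # Sysmon 1: process creation of a remote-access tool.
    if eid == 1 and image in REMOTE_TOOLS:
        return ("T1021", f"remote-access tool launched on {host}: {image}")
    if eid == 1 and image in {"powershell.exe", "pwsh.exe"} and PS_LOADER_FLAGS.search(cmd):
        return ("T1059", f"loader-style PowerShell on {host}: {cmd[:60]}")
    return None


def hunt(events):
    """Group matching events by ATT&CK technique id."""
    hits = {}
    for ev in events:
        match = classify(ev)
        if match:
            hits.setdefault(match[0], []).append(match[1])
    return hits


# Constructed sample telemetry (not real victim data); the -enc value is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-07", "ServiceName": "PSEXESVC"},
    {"EventID": 1, "Computer": "WS-07", "Image": r"C:\Users\staff\Downloads\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe"},
    {"EventID": 1, "Computer": "WS-07", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"EventID": 1, "Computer": "WS-07", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for technique, reasons in hunt(SAMPLE_EVENTS).items():
        print(technique, reasons)
```

The 7045 rule fires on the service registration even when PsExec binaries are renamed, which is why it sits beside the process-name check rather than replacing it.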

Indicators of Compromise

  • [Domains] Arkana’s dark web Data Leak Site, “Arkana Security”, used to post samples of stolen data; the domain is not specified in the source.
  • [File Names] References to victim systems such as the “AppianCloud” and “Symphonica” platforms, indicating which backend systems were targeted.
  • [Data] Stolen databases from WideOpenWest containing approximately 403,000 and 2.2 million customer records respectively, exposing personal data.
  • [Dark Web Content] 569 GB of Ticketmaster data resold by Arkana, indicating reuse of third-party breach data for extortion.

Read more: https://socradar.io/dark-web-profile-arkana-ransomware/