Sarcoma is a fast-emerging ransomware group (late 2024) that combines data theft with encryption and aggressive double-extortion tactics, targeting mid-market and larger organizations—especially in manufacturing, technology and construction—primarily in the United States, Italy and Canada. The group operates a controlled RaaS-style model, targets Windows, Linux and ESXi environments, and uses techniques including credential theft, zero-day exploits, anti-recovery steps and public leak pressure. #Sarcoma #ChaCha20
Keypoints
- Sarcoma appeared in late 2024 and quickly launched global double-extortion campaigns that combine data exfiltration with fast multi-threaded encryption to increase leverage.
- The group operates a Ransomware-as-a-Service–style model with a compact core team and selective partners, favoring disciplined, centralized campaign management over an open affiliate program.
- Targets are chosen for commercial leverage—manufacturing, technology and construction top the list—focusing on mid-market and larger firms in Western jurisdictions (notably the US, Italy and Canada).
- Initial access methods include phishing, stolen or purchased credentials, exploits of unpatched internet-facing services (including reported zero-days) and compromise of third-party providers.
- Attack lifecycle: reconnaissance, credential harvesting and lateral movement using low-noise legitimate channels, data staging and paced exfiltration, then rapid encryption (ChaCha20 + RSA) and publication/negotiation on a leak site.
- Operators implement anti-recovery tactics for virtualized environments (removing snapshots, interfering with hypervisor restore points) and runtime checks to avoid execution in certain locales.
- Defensive recommendations emphasize layered controls: MFA, patching, segmentation, behavior-based detection, secure tested backups, vendor security, incident response exercises and dark-web monitoring.
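The exfiltration pattern described in the lifecycle bullet above (compressed archives pushed to attacker infrastructure at a measured pace) is something flow telemetry can surface before encryption starts. The following is an added example written for this summary, not code from the SOCRadar profile or from any vendor tool: the flow-record layout, the sample addresses (TEST-NET documentation ranges stand in for external hosts), the 1 GiB threshold and every function name are constructed for illustration.

```python
"""Flag paced bulk outbound transfers in flow records.

Added example, not taken from the SOCRadar profile. The flow-record
layout, the sample addresses, the thresholds and all function names are
constructed for illustration. The profile describes Sarcoma compressing
and staging archives, then transferring them at a measured pace; the
detector therefore scores one internal source pushing an unusual volume
to one external destination, and notes whether that volume was spread
across several hourly buckets (paced) or sent in a single burst.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

GIB = 1024 ** 3

# Assumed address plan: RFC 1918 space is "internal", everything else "external".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log: "<ISO timestamp> <src> <dst> <dst_port> <bytes_out>"
# 10.20.5.17 pushes ~3.3 GiB to one external host in five hourly chunks;
# 10.20.5.40 sends 2 GiB in one burst; the rest is ordinary traffic.
SAMPLE_FLOWS = """\
2025-01-14T01:05:00Z 10.20.5.17 203.0.113.45 443 734003200
2025-01-14T02:10:00Z 10.20.5.17 203.0.113.45 443 698351616
2025-01-14T03:12:00Z 10.20.5.17 203.0.113.45 443 712345678
2025-01-14T04:07:00Z 10.20.5.17 203.0.113.45 443 701234567
2025-01-14T05:15:00Z 10.20.5.17 203.0.113.45 443 689012345
2025-01-14T09:00:00Z 10.20.5.22 198.51.100.8 443 15360
2025-01-14T09:01:00Z 10.20.5.22 198.51.100.8 443 20480
2025-01-14T09:02:00Z 10.20.5.17 10.20.9.4 445 52428800
2025-01-14T10:30:00Z 10.20.5.40 203.0.113.77 443 2147483648
"""


def is_internal(addr):
    """True when the address falls inside the assumed internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed flow lines into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        flows.append({
            # fromisoformat() accepts a trailing 'Z' only from Python 3.11; normalise it
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return flows


def find_bulk_outbound(flows, min_bytes=GIB, paced_buckets=3):
    """Aggregate outbound bytes per (internal src, external dst) pair.

    Returns {(src, dst): {"bytes", "hour_buckets", "paced"}} for pairs whose
    total meets min_bytes. 'paced' is True when the volume was spread over at
    least paced_buckets distinct hours, the pattern the profile attributes to
    Sarcoma's staged exfiltration. Internal-to-internal flows are ignored:
    staging to a file server is a separate detection.
    """
    totals = defaultdict(int)
    buckets = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        key = (f["src"], f["dst"])
        totals[key] += f["bytes"]
        buckets[key].add(f["ts"].replace(minute=0, second=0, microsecond=0))
    hits = {}
    for key, total in totals.items():
        if total >= min_bytes:
            n = len(buckets[key])
            hits[key] = {"bytes": total, "hour_buckets": n, "paced": n >= paced_buckets}
    return hits


if __name__ == "__main__":
    for (src, dst), info in sorted(find_bulk_outbound(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src} -> {dst}: {info['bytes'] / GIB:.2f} GiB over "
              f"{info['hour_buckets']} hour(s), paced={info['paced']}")
```

The volume threshold alone catches the single 2 GiB burst; the bucket count is what separates a one-off upload from the slow, spread-out transfer the profile describes, so a real deployment would baseline both per host and tune `min_bytes` to the organization's normal outbound volume.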
MITRE Techniques
- [T1566] Phishing – Sarcoma uses tailored phishing to gain initial access. Quote: ‘The group commonly uses tailored phishing and stolen or purchased credentials, exploits unpatched internet-facing services, and sometimes pivots in through compromised third-party providers.’
- [T1078] Valid Accounts – Use of stolen or purchased credentials to access environments and escalate privileges. Quote: ‘After a foothold, the attackers harvest accounts and escalate privileges to reach domain controllers, backup repositories, and other high-value targets.’
- [T1190] Exploit Public-Facing Application – Exploits unpatched internet-facing services and reported zero-day vulnerabilities for initial access. Quote: ‘Many Sarcoma incidents begin with unpatched appliances or web services.’
- [T1550] Use of Alternate Authentication Material – Use of legitimate remote administration channels and authenticated techniques for lateral movement. Quote: ‘They rely on authenticated, low-noise techniques and legitimate remote administration channels to move across hosts while minimizing detectable artifacts.’
- [T1059] Command and Scripting Interpreter – Use of obfuscated scripts and built-in utilities to blend malicious actions into normal behavior. Quote: ‘The group blends malicious actions into normal system behavior by using built-in utilities, scheduled tasks, and obfuscated scripts.’
- [T1486] Data Encrypted for Impact – Deployment of a fast, multi-threaded encryptor using ChaCha20 for bulk encryption and RSA to wrap session keys. Quote: ‘The ransomware uses a hybrid cryptographic design, with ChaCha20 for bulk file encryption and RSA to wrap session keys.’
- [T1020] Automated Exfiltration – Data staging, compression and paced transfer of large datasets to attacker-controlled infrastructure. Quote: ‘Before encryption, Sarcoma collects, compresses and stages large datasets, then transfers those archives to infrastructure they control.’
- [T1490] Inhibit System Recovery – Removal of snapshots and interference with hypervisor-level restore points to limit rollback and recovery. Quote: ‘Against virtualized environments the operators take extra steps to limit rollback and recovery, for example by removing snapshots or otherwise interfering with hypervisor-level restore points.’
- [T1363] Data Staged – Staging of exfiltration archives prior to transfer. Quote: ‘Sarcoma collects, compresses and stages large datasets, then transfers those archives to infrastructure they control.’
- [T1531] Account Discovery – Harvesting accounts and escalating privileges to identify domain controllers and backup repositories. Quote: ‘After a foothold, the attackers harvest accounts and escalate privileges to reach domain controllers, backup repositories, and other high-value targets.’
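The anti-recovery behaviour quoted under T1490 (snapshot removal ahead of encryption) leaves a distinctive trace in hypervisor task history: one account removing snapshots from many VMs in a few minutes, which routine backup cleanup does not do. The detector below is an added example written for this summary, not code from the SOCRadar profile or from VMware. The task names are the vSphere API method names RemoveSnapshot_Task and RemoveAllSnapshots_Task, which do appear in real task history, but the line layout, the user names, VM names, timestamps and the thresholds are constructed assumptions.

```python
"""Detect bursts of snapshot removal in hypervisor task history.

Added example, not from the SOCRadar profile. The task-log line format
is constructed for illustration; RemoveSnapshot_Task and
RemoveAllSnapshots_Task are the vSphere API method names, but the field
layout, sample users, VM names and timestamps are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SNAPSHOT_REMOVAL_TASKS = {"RemoveSnapshot_Task", "RemoveAllSnapshots_Task"}

# Constructed sample task history: "<ISO timestamp> <user> <vm> <task>"
# svc-backup removes one snapshot per hour (normal cleanup); jdoe@corp
# strips all snapshots from seven VMs, backup repository included, in
# under two minutes at 02:14, which is the pattern worth alerting on.
SAMPLE_TASKS = """\
2025-01-14T22:00:03Z svc-backup  app-db-01       RemoveSnapshot_Task
2025-01-14T23:00:05Z svc-backup  app-db-02       RemoveSnapshot_Task
2025-01-15T02:14:10Z jdoe@corp   fs-01           RemoveAllSnapshots_Task
2025-01-15T02:14:22Z jdoe@corp   fs-02           RemoveAllSnapshots_Task
2025-01-15T02:14:35Z jdoe@corp   erp-app-01      RemoveAllSnapshots_Task
2025-01-15T02:14:49Z jdoe@corp   erp-db-01       RemoveAllSnapshots_Task
2025-01-15T02:15:03Z jdoe@corp   dc-01           RemoveAllSnapshots_Task
2025-01-15T02:15:17Z jdoe@corp   dc-02           RemoveAllSnapshots_Task
2025-01-15T02:15:30Z jdoe@corp   backup-repo-01  RemoveAllSnapshots_Task
2025-01-15T02:16:01Z jdoe@corp   fs-03           CreateSnapshot_Task
2025-01-15T08:30:00Z jdoe@corp   test-vm-9       RemoveSnapshot_Task
"""


def parse_tasks(text):
    """Parse the constructed task lines into dicts, skipping malformed lines."""
    tasks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, vm, task = parts
        tasks.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "vm": vm, "task": task,
        })
    return tasks


def snapshot_removal_bursts(tasks, window=timedelta(minutes=10), min_vms=5):
    """Per user, find windows in which snapshot removals hit >= min_vms distinct VMs.

    A sliding window runs over each user's removal events in time order; when
    the events inside one window span at least min_vms different VMs an alert
    is recorded and the scan resumes after that window, so one burst yields
    one alert rather than one per overlapping start point.
    """
    by_user = defaultdict(list)
    for t in tasks:
        if t["task"] in SNAPSHOT_REMOVAL_TASKS:
            by_user[t["user"]].append(t)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(events):
            j = i
            while j + 1 < len(events) and events[j + 1]["ts"] - events[i]["ts"] <= window:
                j += 1
            vms = sorted({e["vm"] for e in events[i:j + 1]})
            if len(vms) >= min_vms:
                alerts.append({"user": user, "start": events[i]["ts"],
                               "end": events[j]["ts"], "vms": vms})
                i = j + 1
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in snapshot_removal_bursts(parse_tasks(SAMPLE_TASKS)):
        span = (a["end"] - a["start"]).total_seconds()
        print(f"{a['user']} removed snapshots from {len(a['vms'])} VMs in {span:.0f}s: "
              + ", ".join(a["vms"]))
```

The per-user window is deliberate: a scheduled backup job touching many VMs over a night stays below the threshold because its removals are spread out, while an interactive account clearing restore points across file servers, domain controllers and the backup repository in one sitting crosses it. Pair this with the tested-backup recommendation above, since the alert is only useful if an offline copy still exists when it fires.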
Indicators of Compromise
- [Domains] leak site and negotiation portal references – Sarcoma data leak site and private negotiation portals (no explicit domain examples provided in article).
- [File Names/Artifacts] encryptor and binaries – Windows C++ sample and native C/C++ Linux binary using ChaCha20+RSA (no hashes given).
- [Environments/Targets] impacted hosts – Windows, Linux and ESXi virtual hosts observed as targets.
- [Access Methods] credential artifacts – stolen/purchased credentials and compromised third-party provider access (no specific account names shown).
- [Backup/Snapshot Artifacts] virtualization recovery tampering – removal of snapshots and interference with hypervisor restore points as indicators of post-compromise anti-recovery actions.
Read more: https://socradar.io/dark-web-profile-sarcoma-ransomware/