New report warns of sophisticated techniques being used by ransomware group Arcus Media – News

A new report out today from anti-ransomware and cyber resilience platform provider Halcyon Tech Inc. details the increasingly sophisticated techniques used by the Arcus Media ransomware group.

Not particularly well-known, Arcus Media first emerged in June and has been linked to ransomware attacks on companies, including DatAnalitica. The ransomware group uses the popular double extortion model in that it both encrypts data and steals it, threatening to publish the stolen data if a ransom is not paid.

Where the group has become interesting, at least from a technical perspective, is some of the ways that it is approaching ransomware attacks. Arcus Media stands out through its ability to elevate privileges when administrative access is unavailable. Using the ShellExecuteExW application programming interface, the ransomware re-executes itself with elevated permissions, ensuring its processes can proceed uninterrupted.

The ransomware employs targeted process termination to maximize disruption within affected organizations. The malware used by Arcus Media terminates business-critical applications, including SQL servers and email clients, using the CreateToolhelp32Snapshot API to identify and halt specific processes.

Arcus Media’s encryption techniques are also noted in the report as highly advanced, leveraging the ChaCha20 cipher for encrypting files and RSA-2048 for securing encryption keys. Larger files are only partially encrypted, balancing speed with effectiveness while appending a unique “[Encrypted].Arcus” file extension.

Before encryption begins, the ransomware systematically deletes shadow backups and disables recovery systems to prevent victims from restoring their data. Commands such as vssadmin delete shadows and wevtutil cl Security are used to erase critical system recovery points and logs.

Persistence mechanisms are also another critical component, as Arcus Media creates registry autostart entries to ensure the malware reloads even after a system reboot. Although the report notes that there is a bug in this feature that sometimes causes issues, the overall design emphasizes maintaining control over infected systems.

Command-and-control operations rely on TOR and encrypted channels, ensuring stealthy communication.

“Arcus Media’s relentless tactics highlight the growing sophistication of modern ransomware groups, making them a significant cybersecurity adversary,” Halcyon’s researchers write. “Given the group’s typical mechanisms for performing ransomware operations, the key message for defenders is that ransomware does not need to be novel for success.”

Image: News/Ideogram