A new ransomware group called Arcus Media, active since June 2024, has been observed using sophisticated privilege escalation and encryption methods, SiliconANGLE reports.
The report by cybersecurity firm Halcyon Tech noted that the group is not widely recognized; it has been associated with attacks on companies such as DatAnalitica and is known to employ a double extortion strategy, encrypting stolen data and threatening to publish it unless a ransom is paid.

One of Arcus Media's distinguishing features is its ability to escalate privileges when it cannot obtain administrative access. It uses the ShellExecuteExW application programming interface to re-execute itself with elevated permissions so that its activities remain uninterrupted. Additionally, it terminates business-critical processes, including SQL servers and email clients, to maximize operational disruption.

The ransomware employs the ChaCha20 cipher for data encryption and RSA-2048 to secure the encryption keys. To enhance efficiency, it only partially encrypts large files while appending a unique file extension. Before encryption, it deletes shadow backups and disables recovery mechanisms using system commands to prevent data restoration. The malware maintains persistence through registry autostart entries and uses TOR and encrypted channels for stealthy command-and-control operations.
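As an added, defender-side illustration (not code from the Halcyon report or the SiliconANGLE article): a small Python triage over constructed Sysmon-style events that flags three of the behaviours described above, the same binary relaunching itself at a higher integrity level, shadow-copy or recovery tampering on the command line, and a Run-key autostart write. The event field names, process IDs, paths and command lines are assumptions made up for the example.

```python
import re
# Constructed sample telemetry in a Sysmon-like shape (not real data): process
# creation events (EventID 1) and registry value-set events (EventID 13).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 400, "ParentProcessId": 100, "IntegrityLevel": "Medium",
     "Image": r"C:\Users\a\Downloads\update.exe", "CommandLine": "update.exe"},
    {"EventID": 1, "ProcessId": 410, "ParentProcessId": 400, "IntegrityLevel": "High",
     "Image": r"C:\Users\a\Downloads\update.exe", "CommandLine": "update.exe"},
    {"EventID": 1, "ProcessId": 420, "ParentProcessId": 410, "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "ProcessId": 430, "ParentProcessId": 410, "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"EventID": 13, "ProcessId": 410, "Image": r"C:\Users\a\Downloads\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 100, "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]
# Command lines that remove shadow copies or disable recovery (the step before encryption).
RECOVERY_TAMPER = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "shadow copy deletion"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I), "recovery disabled"),
]
# Registry Run/RunOnce keys used for autostart persistence.
AUTOSTART_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
ELEVATED = {"High", "System"}

def triage_events(events):
    """Return (pid, label) findings for the behaviours described in the article."""
    procs = {}  # pid -> (image, integrity level) from process-creation events
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            pid, image, level = ev["ProcessId"], ev["Image"], ev["IntegrityLevel"]
            procs[pid] = (image, level)
            parent = procs.get(ev["ParentProcessId"])
            # Same binary relaunched by itself at a higher integrity level: the telemetry shape of a self-elevation.
            if parent and parent[0].lower() == image.lower() \
                    and parent[1] not in ELEVATED and level in ELEVATED:
                findings.append((pid, "self re-execution with elevated integrity"))
            for pattern, label in RECOVERY_TAMPER:
                if pattern.search(ev["CommandLine"]):
                    findings.append((pid, label))
        elif ev["EventID"] == 13 and AUTOSTART_KEY.search(ev["TargetObject"]):
            findings.append((ev["ProcessId"], "registry autostart entry written"))
    return findings

def distinct_behaviours(findings):
    """Number of distinct behaviour classes seen; several together on one host warrant escalation."""
    return len({label for _, label in findings})
```

Feeding the sample above through `triage_events` yields four findings across three behaviour classes; a single match (say, one legitimate administrative `vssadmin` run) should be tuned against before alerting.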