1. Overview
Sarcoma is a relatively new but technically competent ransomware group, first identified in early 2024. Like many contemporary cybercriminal entities, Sarcoma operates under a double extortion model, combining traditional ransomware encryption with the theft and threatened exposure of sensitive data. While still considered an emerging threat, Sarcoma’s campaigns demonstrate a high degree of intentionality, persistence, and an increasing level of sophistication.
Sarcoma is believed to operate as a closed collective, rather than a public Ransomware-as-a-Service (RaaS) model. This approach gives it greater control over operations and reduces the risk of detection from affiliate missteps. Targeting is broad but appears focused on legal, insurance, education, and manufacturing sectors, with an emphasis on organisations that maintain large stores of regulated or proprietary data.
2. Origin and Evolution
Sarcoma was first identified by incident response teams in Q1 2024, during a compromise of a UK-based architectural consultancy. The tooling used displayed code-level similarities to older ransomware strains including Maze and Egregor, suggesting the group may have inherited infrastructure or talent from earlier criminal collectives.
Since its emergence, Sarcoma has consistently updated its malware, refining encryption logic and data exfiltration routines. It also adopted cross-platform compatibility, with support for both Windows and VMware ESXi systems. The group does not appear to engage in high-volume opportunistic campaigns, instead selecting its targets with deliberate reconnaissance.
3. Tactics, Techniques, and Procedures (TTPs)
Sarcoma’s attacks follow a well-structured kill chain, involving pre-intrusion reconnaissance, stealthy access, and multistage execution:
- Initial Access: Exploitation of vulnerable public-facing applications (T1190), use of stolen credentials (T1078), and spear-phishing (T1566.001) with convincing social engineering.
- Lateral Movement: Remote access tools such as AnyDesk, RDP, and PsExec are used in tandem with credential dumping tools like Mimikatz (T1021, T1055).
- Data Exfiltration: Tools like WinSCP and Rclone are used to extract gigabytes of sensitive data before encryption begins (T1041).
- Encryption: Sarcoma uses a multithreaded AES encryption process, adding custom extensions to encrypted files. It avoids encrypting system-critical directories to ensure visibility and negotiation leverage.
- Persistence & Evasion: Scheduled tasks, LOLBins, and registry key manipulation (T1112) are used to maintain access and avoid detection. The group typically disables antivirus services before executing the main payload.
4. Targeting Profile
Sarcoma has been observed targeting organisations in:
- Legal services and intellectual property firms
- Insurance and financial service providers
- Architectural, construction, and engineering consultancies
- Universities and independent research institutions
While the group’s campaigns are geographically dispersed, there is clear interest in UK-based and EU-based organisations with sensitive client records, regulated data, or large datasets vulnerable to reputational exposure.
5. Notable Campaigns and Victims
Sarcoma maintains a dark web leak site that showcases a curated list of victims. Though not as prolific as groups like LockBit or Cl0p, confirmed cases include:
- A UK-based architectural firm handling government contracts
- A Central European insurance provider with leaked claims data
- A US-based medical research laboratory with sensitive intellectual property at risk
Leaked files typically include contracts, emails, payroll data, identity scans, and intellectual property assets. Sarcoma often delays publicising the breach until ransom negotiations fail.
6. Ransomware and Leak Site Behaviour
Sarcoma operates a minimalist dark web leak portal, which lists breached organisations alongside sample data and countdown clocks. Its double extortion process includes:
- Silent access and lateral movement across the network
- Data exfiltration to attacker-controlled infrastructure
- Encryption of business-critical data, leaving a ransom note
- Threat of public data release if the ransom is not paid within the stated deadline
The group offers a TOR-based negotiation portal. Communications are generally professional but firm, with threats escalating in tone if victims attempt to delay or refuse payment.
7. Technical Indicators
Observed IOCs associated with Sarcoma include:
- File extensions: .sarcoma, .srcma, or customised per victim
- Use of winscp.exe, rclone.exe, or 7z.exe for exfiltration
- Scheduled tasks triggering the ransomware payload
- Creation of registry keys disabling recovery features
- IP addresses tied to infrastructure hosted in Eastern Europe and Asia
Custom detection signatures are available through UK Cyber Defence Ltd’s threat intelligence service.
8. Defensive Measures and Recommendations
To mitigate the risk posed by Sarcoma, organisations should:
- Enforce MFA on all public-facing applications and admin accounts
- Monitor and alert on PowerShell, RDP, and scheduled task creation
- Patch known vulnerabilities, particularly in Citrix, Fortinet, and Microsoft Exchange
- Isolate and back up critical infrastructure, with offline copies stored securely
- Conduct incident response tabletop exercises to rehearse containment and negotiation
- Train employees on advanced phishing detection
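As an added example that is not part of this profile (and not UK Cyber Defence Ltd's detection signatures), the following Python script turns the indicators from section 7 and the monitoring advice from section 8 into rules and runs them over a few constructed Sysmon-style log lines. The registry path in RECOVERY_KEYS and every sample event are assumptions for illustration, not values taken from the page.

```python
import ntpath
import re
from typing import Optional

# Indicators named in the profile: ransom extensions and exfiltration tools.
RANSOM_EXTENSIONS = (".sarcoma", ".srcma")
EXFIL_TOOLS = {"winscp.exe", "rclone.exe", "7z.exe"}
# Assumption: registry paths whose modification disables recovery. The profile
# names no specific keys, so this list is illustrative, not from the page.
RECOVERY_KEYS = ("systemrestore\\disablesr",)

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict:
    """Parse a Sysmon-style key=value line; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in _KV.findall(line)}

def classify(event: dict) -> Optional[str]:
    """Return the name of the rule an event trips, or None if it looks benign."""
    eid = event.get("EventID")
    image = ntpath.basename(event.get("Image", "")).lower()  # handles '\' paths on any OS
    cmd = event.get("CommandLine", "").lower()
    if eid == "1":                                            # process creation
        if image in EXFIL_TOOLS:
            return "exfil-tool-execution"
        if image == "schtasks.exe" and "/create" in cmd:
            return "scheduled-task-creation"
    elif eid == "11":                                         # file creation
        if event.get("TargetFilename", "").lower().endswith(RANSOM_EXTENSIONS):
            return "ransom-extension-written"
    elif eid == "13":                                         # registry value set
        if any(k in event.get("TargetObject", "").lower() for k in RECOVERY_KEYS):
            return "recovery-feature-disabled"
    return None

def scan(lines) -> list:
    """Run every rule over the log and return (rule, event) pairs that matched."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            hits.append((rule, ev))
    return hits

# Constructed sample events; not taken from any real incident.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Tools\rclone.exe CommandLine="rclone.exe copy D:\Shares remote:dump" User=CORP\svc',
    r'EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /tn Updater /tr C:\Users\Public\run.exe" User=CORP\admin',
    r'EventID=11 Image=C:\Users\Public\run.exe TargetFilename=C:\Finance\contracts.xlsx.sarcoma',
    r'EventID=13 Image=C:\Users\Public\run.exe TargetObject="HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR" Details="DWORD (0x00000001)"',
    r'EventID=1 Image="C:\Program Files\Microsoft Office\WINWORD.EXE" CommandLine="WINWORD.EXE report.docx" User=CORP\alice',
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_LOG):
        print(f"{rule:28} {ev.get('Image')}")
```

In production the same rules would be fed from the EDR or SIEM event stream rather than a list, and the first two rules should be tuned against the legitimate backup and administration jobs in the estate to keep alert volume manageable.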
9. Attribution and Alliances
There is no confirmed nation-state linkage for Sarcoma. However, the group’s malware development, leak site infrastructure, and operational methods suggest involvement by individuals previously associated with Maze, Egregor, or REvil. Sarcoma does not operate as a typical affiliate-based RaaS programme, indicating a tightly managed and internally coordinated operation.
10. Conclusion
Sarcoma represents a mature and methodical ransomware threat, particularly for organisations handling sensitive, regulated, or intellectual property-rich data. Its double extortion tactics, preference for targeted intrusions, and technical sophistication make it a group of growing concern. UK organisations in legal, engineering, and financial sectors should ensure robust threat detection, segmentation, and response capabilities are in place.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025