Dark Web Profile: Arkana Ransomware
Arkana Ransomware emerged in early 2025 and made its debut with a bold attack on WideOpenWest (WOW!), a U.S. internet provider, in late March 2025. The group claimed to have stolen two databases (around 403,000 and 2.2 million customer records) and taken control of key backend systems like WOW!’s AppianCloud and Symphonica platforms.
But, what is Arkana doing now?
Their Data Leak Site (DLS) displays this image across the Ransom, Sale, and Leak sections.
They are part of a bigger threat: Qilin Network, the growing RaaS program from Qilin Ransomware, the most active group in 2025 so far.
About & Contact section of Arkana Ransomware’s DLS showcasing Qilin’s logo
Who is Arkana Ransomware?
Arkana made its first major appearance in March 2025 with a claimed attack on WideOpenWest (WOW!), a U.S. internet provider. They claimed to have stolen two large customer databases and taken control of key backend systems. Their leak site, “Arkana Security,” showcases stolen data samples and lists victims under Ransom, Sale, and Leak sections.
Some messages from the group use Russian-language Cyrillic, suggesting a Russian-speaking background. While their exact identity is unknown, it now appears that Arkana may be tied to the expanding Qilin Network, a Ransomware-as-a-Service (RaaS) platform run by the Qilin Ransomware group, one of the most active cybercrime operations in 2025. Arkana tries to present itself as a “post-penetration testing” service, offering to help companies with security—for a fee—but this is just a cover for their extortion tactics.
Threat actor card for Arkana Ransomware
Despite major shifts in the ransomware scene during 2025, such as the sudden shutdown of RaaS groups like RansomHub, Arkana has not formally announced a merger, rebrand, or official alliance. However, there are signs of growing alignment with Qilin. On Arkana’s dark web site, the “About & Contact” page features the Qilin Network logo, suggesting at least some form of connection or shared infrastructure.
This visual link hints at a possible relationship, even if Arkana’s site and branding remain otherwise separate. So far, there have been no public statements, redirects, or technical indicators (like joint leak posts) confirming a full merger.
What are Arkana Ransomware’s Targets?
As of summer 2025, their DLS is still live. In June, Arkana tried to sell 569 GB of Ticketmaster data stolen earlier by ShinyHunters, showing a shift toward reselling third-party data. Arkana has not released new malware but has claimed major breaches, including a UK mining firm in May and a UK financial company in June.
- 66.7% of Arkana’s victims are in the United States, 33.3% in the United Kingdom.
- Victims span several sectors: Gambling, Consumer Services, Energy, Technology, Financial Services, and Telecommunication, each making up 16.7%.
- The first victim was recorded on March 25, 2025, and the most recent on June 6, 2025.
Victim stats for Arkana Ransomware
What Are Arkana Ransomware’s Techniques?
The group most likely gains initial access through stolen credentials. Once they hold valid login details, they move through internal systems such as billing or admin platforms. In at least one confirmed case, Arkana accessed backend tools after harvesting login data from an infected staff computer.
After gaining initial access, Arkana performs lateral movement. They use tools like PsExec or remote access software, including Citrix or AnyDesk. These help them explore the victim’s network further and collect data. Their goal is to extract large amounts of valuable information, like customer databases or login credentials.
After stealing the data, they use their DLS to pressure victims. The site includes a “Wall of Shame” where they post samples of the stolen data and sometimes even personal information about company executives. They also use creative scare tactics—like releasing a video to show they had full access to a victim’s systems.
There were signs that Arkana hadn’t yet used a custom ransomware payload. They focused instead on psychological pressure and public exposure to push victims into paying. This approach made them look more like a data extortion group than a typical ransomware gang. But with Qilin now in the picture, the whole equation changes.
Possible Link to Qilin Ransomware
Qilin, also known as Agenda, gives affiliates access to custom ransomware payloads built in Rust or Go. Affiliates can adjust the encryption method, file extension, ransom notes, and more. In return, Qilin takes a cut of the ransom, usually around 15% to 20%.
Qilin uses many of the same techniques as Arkana, but with added encryption. They gain access through phishing, exposed services, or malicious tools. After getting into a system, they deploy tools like Cobalt Strike, PowerShell loaders, and browser credential dumpers. They are known for exfiltrating sensitive data before encryption, allowing them to pressure victims in two ways: by locking systems and by threatening to leak data.
Qilin targets a wide range of industries, especially healthcare, manufacturing, education, and government. Their operations are smooth and organized. They even offer technical and legal support to affiliates. All these factors make Qilin one of the fastest-growing ransomware groups in 2025.
What Are the Mitigation Tactics Against Arkana & Qilin Ransomware?
Defending against Arkana and Qilin requires slightly different approaches, but many of the core practices overlap due to their shared reliance on stolen credentials, lateral movement, and data exfiltration.
1. Credential Security
- Enforce strong password policies and use Multi-Factor Authentication (MFA), especially for VPN, RDP, and internal admin tools.
- Monitor for leaked credentials on dark web markets to catch early warning signs of compromise.
- Educate employees on phishing tactics, as both groups often rely on stolen access from malware-infected devices.
2. Network Segmentation and Access Control
- Restrict access to sensitive systems using least-privilege principles.
- Segment internal networks to limit lateral movement if one device gets compromised.
- Disable RDP where it is not needed and monitor for unexpected remote access attempts.
3. Endpoint and Email Protection
- Deploy advanced endpoint detection and response (EDR) solutions to detect malicious tools like PsExec, Cobalt Strike, or remote access software.
- Use spam filters and email security to block phishing attachments or links.
4. Backup and Recovery Planning
- Maintain regular, tested backups stored offline or in a secure cloud environment.
- Ensure backups include configurations and are isolated from the main network.
5. Data Loss Prevention (DLP) and Exfiltration Monitoring
- Use DLP tools to detect and block large outbound data transfers.
- Monitor for unauthorized compression tools or unusual uploads to external servers.
6. Dark Web and Threat Intelligence Monitoring
- Actively monitor threat actor channels and dark web leak sites for signs your organization is mentioned.
- Track early indicators of compromise such as toolkits, breach chatter, or domain-specific targeting.
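As an added illustration of points 3 and 5 above (example code written for this profile, not SOCRadar’s own tooling), the following Python script scans a handful of constructed host events for the tradecraft this profile attributes to Arkana and Qilin: PsExec service installation, remote-access tool launches such as AnyDesk, archiver use for staging, and large outbound transfers. The event schema, the tool list and the 500 MB threshold are assumptions; real deployments would tune them against their own telemetry.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
# Tools the profile names for lateral movement, plus common archivers used for staging.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "psexec.exe", "psexesvc.exe"}
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe"}
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024  # assumed: 500 MB outbound in one flow record

@dataclass
class Event:
    host: str
    kind: str  # "process" (image path), "service" (name) or "netflow" (destination)
    detail: str
    bytes_out: int = 0

def classify(ev: Event) -> Optional[str]:
    """Label one event if it matches a watched behaviour, else return None."""
    image = ev.detail.lower().rsplit("\\", 1)[-1]
    if ev.kind == "service" and "psexesvc" in image:
        return f"psexec-service:{ev.detail}"
    if ev.kind == "process" and image in REMOTE_ACCESS_TOOLS:
        return f"remote-access-tool:{ev.detail}"
    if ev.kind == "process" and image in ARCHIVERS:
        return f"staging-archiver:{ev.detail}"
    if ev.kind == "netflow" and ev.bytes_out >= EXFIL_BYTES_THRESHOLD:
        return f"large-egress:{ev.bytes_out}B->{ev.detail}"
    return None

def scan(events: List[Event]) -> Dict[str, List[str]]:
    """Group alert labels by host; hosts with no hits are omitted."""
    alerts: Dict[str, List[str]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            alerts.setdefault(ev.host, []).append(label)
    return alerts

def high_risk_hosts(events: List[Event]) -> Set[str]:
    """Hosts that both staged data and pushed a large egress flow (exfiltrate-then-extort)."""
    return {h for h, labels in scan(events).items()
            if any(l.startswith("staging-archiver") for l in labels)
            and any(l.startswith("large-egress") for l in labels)}
# Constructed sample telemetry, not real indicators (203.0.113.0/24 is documentation space).
SAMPLE_EVENTS = [
    Event("ws-07", "process", r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"),
    Event("srv-billing", "service", "PSEXESVC"),
    Event("srv-billing", "process", r"C:\Tools\7z.exe"),
    Event("srv-billing", "netflow", "203.0.113.10:443", bytes_out=900_000_000),
    Event("ws-12", "process", r"C:\Windows\System32\notepad.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` flags ws-07 for the AnyDesk launch and srv-billing for all three of PsExec, archiver and egress, while `high_risk_hosts` singles out srv-billing as the one host showing the full staging-plus-exfiltration pattern.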
How Can SOCRadar Help?
The growing professionalism of these groups, especially Qilin’s ability to offer legal guidance and customized payloads, raises the stakes for all organizations. As smaller groups like Arkana look to affiliate with giants like Qilin, defenders need to stay ahead with proactive detection and response.
SOCRadar provides end-to-end support for organizations facing threats like these:
- Dark Web Monitoring: Detect when your brand, domains, or assets appear on leak sites or hacker forums.
SOCRadar’s Dark Web Monitoring
- Threat Intelligence Feeds: Get real-time alerts on emerging ransomware groups, new IOCs, and malware signatures.
- Attack Surface Management: Discover exposed services, vulnerable assets, and stolen credentials before attackers exploit them.
SOCRadar’s Attack Surface Management
- Digital Risk Protection: SOCRadar helps you manage ransomware risk with visibility across surface, deep, and dark web ecosystems.