SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Sarcoma Ransomware
Nov 18, 2025
Jan 15, 2026

Dark Web Profile: Sarcoma Ransomware

Sarcoma ransomware group emerged in late 2024 and quickly launched aggressive double-extortion campaigns worldwide; Sarcoma’s fast-growing victim list and use of sophisticated techniques, including reported zero-day exploits, make it a serious cyber threat.

Sarcoma Ransomware threat actor card

Who is Sarcoma Ransomware?

Sarcoma appeared in late 2024 as a financially driven ransomware group that combines data theft with system encryption to increase leverage during ransom negotiations. The operators routinely steal sensitive information before deploying encryption and then pressure victims with threats of public disclosure.

Sarcoma Ransomware Data Leak Site

The group’s activity follows a Ransomware-as-a-Service (RaaS) model. Although some researchers argue it is not a fully traditional RaaS setup, there is general agreement that Sarcoma operates within this framework by collaborating with a limited number of trusted partners rather than running an open affiliate program.

Analysts have not tied Sarcoma to any specific nation-state, but operational patterns suggest that the group likely operates from Eastern Europe or nearby CIS regions. The malware shows avoidance behavior on systems located in CIS countries, which has led many experts to believe that the operators may be Russian-speaking or based in areas influenced by that language.

Sarcoma seems to execute tightly controlled campaigns managed by a compact core team that handles every stage from reconnaissance to extortion. That centralized approach provides operational discipline not often seen in new ransomware groups.

Technically, Sarcoma’s toolkit targets multiple environments. Researchers have observed variants capable of impacting Windows, Linux, and virtualized (ESXi) hosts. The operators frequently refine their tools to evade detection, suggesting active development and adaptability.

On its leak portal, the group invites access brokers, third parties, and insiders to cooperate for profit. This language presents cooperation as discreet and rewarding but mainly serves as a recruitment and trading mechanism for stolen data and access credentials.

What are Sarcoma Targets?

Sarcoma pursues clear commercial leverage: it targets organizations whose data both disrupts operations when encrypted and causes reputational or regulatory pain when leaked. That pragmatic calculus steers the group toward Western jurisdictions with plentiful corporate targets and toward sectors like manufacturing and technology where stolen design files, customer records or backup repositories deliver the most bargaining power.

The Most Targeted Countries by Sarcoma Ransomware

Geographically, the group concentrates where corporate density and payout potential align. Public reporting shows the United States holds the largest share of listed victims, with countries such as Italy and Canada trailing. That distribution suggests Sarcoma prefers markets with abundant mid-market and larger firms and avoids regions that would complicate operations or increase local legal risk.

The Most Targeted Industries by Sarcoma Ransomware

Sector-wise, manufacturing leads the list. Production blueprints, CAD files and operational data both halt output and carry commercial value, so hitting a factory produces immediate pressure. Technology and construction follow, where IP and project documents create similar leverage. Retail, agriculture and other data-rich industries also show up, and while healthcare appears less frequently in raw counts, breaches there carry outsized regulatory and reputational costs.

Victim profile skews pragmatic. Sarcoma often selects mid-market and larger organizations that hold valuable datasets but may lack the hardened incident response of global enterprises. Those firms can pay and they often feel the sting of public exposure more acutely. The group also exploits third-party relationships: a single compromised managed-service provider or vendor can cascade access to multiple downstream customers and multiply the group’s impact.

How does Sarcoma operate?

Sarcoma runs intrusions in clear phases. The group starts with quiet scoping and access, then works toward full domain reach, data theft, and finally heavy disruption through encryption and extortion.

Sarcoma ransomware modus operandi

Reconnaissance and Target Scoping

Before an intrusion, Sarcoma studies the target’s external footprint. Operators look for exposed services, weak authentication paths, and unmanaged internet-facing systems. They also review links to third parties such as managed service providers, cloud tenants, and key partners.

At the same time, they prepare or reuse supporting infrastructure. This can include domains for phishing, VPN endpoints, and hosting for payload delivery and data exfiltration. The goal in this stage is simple: understand which path into the network will be effective, quiet, and hard to spot.

Initial Access

Sarcoma then uses the weakest practical entry point each victim presents. They do not rely on a single method. Instead, they mix several well-known access vectors:

  • Tailored phishing emails or messages that carry links or file attachments
  • Stolen or purchased credentials used against VPN, SSO, web mail, or remote admin portals
  • Exploitation of unpatched public-facing applications and services
  • Pivots through already compromised third-party providers or partners

Operators usually prefer low-noise paths over loud scanning or brute force. Their aim is to blend into normal traffic patterns and avoid early detection.

Credential Theft, Privilege Escalation, and Lateral Movement

Once inside, Sarcoma focuses on turning a single foothold into broad control. They work to gain higher privileges and move sideways through the environment.

Typical actions include:

  • Dumping credentials from memory, local stores, and directory services
  • Reusing those accounts to reach domain controllers, backup servers, hypervisors, and file servers
  • Using built-in remote administration tools such as RDP, SMB, PowerShell remoting, and enterprise management agents

They favor authenticated access and native tools. This makes their movement look similar to normal administrator activity and reduces the number of clear malware artifacts. By the time defenders spot unusual behavior, Sarcoma often already holds key accounts and central infrastructure.

Defense Evasion, Persistence, and Anti-Forensics

In parallel, Sarcoma spends time on staying hidden and hard to remove. The group leans heavily on “living off the land” and simple persistence mechanisms.

Observed patterns include:

  • Using built-in system tools and scripts instead of obvious custom binaries
  • Creating scheduled tasks, services, or registry entries to survive reboots
  • Trying to disable or bypass endpoint security agents and logging components
  • Running environment checks to detect sandboxes or analysis tools and then changing behavior
  • Deleting or tampering with local backups, shadow copies, and restore points
  • Cleaning or altering logs when they have time, to slow down incident response

These steps make quick recovery much harder and add friction to forensic work. Even when defenders respond fast, they face missing data and broken recovery paths.

Data Collection and Exfiltration

Before triggering encryption, Sarcoma invests in data theft. The intrusion shifts into a systematic collection and exfiltration phase designed to support double extortion.

The group:

  • Locates file servers, collaboration platforms, mail stores, and databases with sensitive or regulated data
  • Copies selected data sets to staging systems inside the network
  • Compresses and often encrypts the staged data into large archives
  • Transfers those archives to attacker-controlled infrastructure, often over common web protocols or cloud storage

Exfiltration usually runs over time, not in one large burst. Traffic may be throttled or scheduled to blend into normal usage patterns. Keeping full copies of stolen data is central to their leverage when they later negotiate.

Encryption and Impact on Operations

When Sarcoma is ready to maximize impact, they deploy ransomware across the environment. This stage aims to disrupt operations at scale while keeping systems alive enough for communication.

Key aspects of the encryptor:

  • Fast, multi-threaded operation that targets endpoints, servers, and virtual machines
  • Hybrid cryptography, using ChaCha20 for bulk file encryption and RSA to encrypt session keys
  • A Windows variant written in C++ that uses native crypto libraries
  • A Linux variant built in C or C++ that follows the same design
  • Logic to skip some core system folders so devices can still boot and show ransom notes

The result is broad loss of access to business data, but with enough system function left for victims to read instructions and interact with the attackers.

Targeting Virtual Infrastructure and Recovery Paths

Sarcoma pays special attention to virtualized environments and backup workflows, where many organizations place their main recovery options.

In these environments, operators often:

  • Delete or corrupt virtual machine snapshots
  • Interfere with hypervisor-level backups and restore points
  • Target backup servers and repositories and attempt to encrypt or wipe them

By damaging both live systems and their primary recovery paths, Sarcoma sharply reduces the chance of a quick rebuild. This increases pressure on victims that have not invested in isolated, immutable backup strategies.

Extortion and Pressure Campaign

After encryption and exfiltration, Sarcoma moves into a focused extortion phase. The goal is to turn both operational disruption and data theft into payment.

Their process typically includes:

  • Publishing proof of data theft such as small file samples or screenshots
  • Providing access to a private negotiation portal for each victim
  • Setting short, strict deadlines for payment
  • Escalating pressure by leaking more data over time and publicly naming victims who do not pay

This combination of downtime, exposure of sensitive data, and reputational risk creates strong leverage. Even organizations that can restore some systems still face the threat of public data release and follow-on legal or regulatory consequences.

Operational Hygiene and Targeting Controls

Throughout the campaign, Sarcoma applies basic operational security measures to protect its own activity and shape who it hits.

Their tooling and procedures:

  • Perform runtime checks for certain languages, regions, or system profiles and avoid execution there
  • Use packing and code changes between campaigns to evade static signatures
  • Rotate infrastructure, file names, and deployment methods to break simple pattern matching

These habits make detection and tracking harder over time and allow Sarcoma to reuse the same overall playbook against many different victims with only minor adjustments.

Defending Against Sarcoma Ransomware

Because Sarcoma uses multiple, coordinated methods, defenses must be layered and proactive. No single control will stop every attack, but the following measures substantially reduce risk and limit impact.

Harden authentication and access: Enforce multi-factor authentication on all remote access and privileged accounts, including VPNs, RDP gateways and cloud consoles. Use strong, unique passwords, disable non-essential remote services and place any required ones behind VPNs or strict access controls with close login monitoring.

Keep systems patched and reduce exposure: Patch internet-facing systems quickly, with priority on VPN appliances, remote access gateways and web servers. When you cannot patch at once, reduce risk with tight firewall rules, WAF policies and restricted access lists.

Segment networks and enforce least privilege: Separate corporate, production and backup networks with VLANs and firewalls so attackers cannot move freely. Limit domain admin and other powerful accounts, and apply least privilege so one stolen credential does not expose the whole environment.

Detect early with behavior-based monitoring: Tune monitoring to catch signs of attack before encryption or data theft. Watch for unusual use of admin tools, sudden remote access software, spikes in archiving or file transfers, new scheduled tasks and odd login patterns or failures.
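The behaviour-based monitoring described above can be turned into concrete detection logic. The following Python script is an added example, not SOCRadar's own tooling: it runs a handful of rules for techniques the ATT&CK table at the end of this article attributes to Sarcoma (shadow copy deletion, SYSTEM-level scheduled tasks, archiving of network shares, stopping database services) over constructed, simplified process-creation records, then correlates hits per account so that a lone archive job stays quiet while the combination escalates. The event fields and sample command lines are assumptions for illustration, not a real EDR schema or indicators observed in a Sarcoma intrusion.

```python
"""Detect Sarcoma-style precursor activity in constructed process-creation records.
Added example, not SOCRadar code; event fields and command lines are illustrative,
not a real EDR schema or observed indicators."""
import re
from collections import defaultdict

# Constructed process-creation events: (host, user, image, command line).
PROC_EVENTS = [
    ("FS01", "svc_backup", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("FS01", "svc_backup", "wmic.exe", "wmic shadowcopy delete"),
    ("WS22", "jdoe", "7z.exe", "7z a -p -mhe=on D:\\stage\\finance.7z \\\\FS01\\finance"),
    ("WS22", "jdoe", "schtasks.exe",
     "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onstart /ru SYSTEM"),
    ("DB01", "svc_backup", "net.exe", "net stop MSSQLSERVER /y"),
    # Benign noise: a user archiving local photos and querying a task.
    ("WS07", "asmith", "7z.exe", "7z a C:\\Users\\asmith\\photos.7z C:\\Users\\asmith\\Pictures"),
    ("WS07", "asmith", "schtasks.exe", "schtasks /query /tn Updater"),
]

# (case-insensitive pattern, ATT&CK technique ID from the table at the end of the article)
RULES = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "T1490"),          # Inhibit System Recovery
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "T1490"),
    (r"schtasks(\.exe)?\s+/create\b.*/ru\s+system", "T1053"),    # SYSTEM-level scheduled task
    (r"7z(\.exe)?\s+a\s.*\\\\[\w.-]+\\", "T1560"),               # archiving a UNC share
    (r"net(\.exe)?\s+stop\s+\S*(sql|veeam|backup|exchange)", "T1489"),  # stopping DB/backup services
]


def match_rules(cmdline):
    """Return the set of technique IDs whose patterns fire on one command line."""
    return {tid for pat, tid in RULES if re.search(pat, cmdline, re.IGNORECASE)}


def detect(events, min_techniques=2):
    """Return (per-event hits, per-user escalations).

    One archive job or scheduled task is ordinary admin work. The same account
    touching recovery paths, staging data and persistence, possibly on several
    hosts, is the pattern described above, so a user is escalated once it has
    accumulated `min_techniques` distinct techniques.
    """
    hits = []
    by_user = defaultdict(lambda: {"techniques": set(), "hosts": set()})
    for host, user, _image, cmdline in events:
        for tid in sorted(match_rules(cmdline)):
            hits.append({"host": host, "user": user, "technique": tid, "cmdline": cmdline})
            by_user[user]["techniques"].add(tid)
            by_user[user]["hosts"].add(host)
    escalations = {
        user: {"techniques": sorted(v["techniques"]), "hosts": sorted(v["hosts"])}
        for user, v in by_user.items()
        if len(v["techniques"]) >= min_techniques
    }
    return hits, escalations


if __name__ == "__main__":
    hits, escalations = detect(PROC_EVENTS)
    for h in hits:
        print(f"[{h['technique']}] {h['host']} {h['user']}: {h['cmdline']}")
    for user, info in escalations.items():
        print(f"ESCALATE {user}: {info['techniques']} across {info['hosts']}")
```

In a real deployment the event list would be replaced by a stream from your EDR or SIEM, and the correlation window bounded in time rather than over the whole input.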

Strengthen endpoints and email defenses: Deploy endpoint detection and response to flag ransomware-like behavior, rapid file changes and credential dumping, and to block processes that try to kill security tools. Harden email with sandboxing, link rewriting, strong filters and regular phishing tests.

Maintain secure, tested backups: Follow the 3-2-1 backup rule, keep at least one backup copy offline or immutable and test restores often. Strong, isolated backups let you recover systems without paying ransom, even if you still face data leak risks.

Plan and rehearse incident response: Create an incident response plan with clear roles, decision points and communication paths. Run regular ransomware exercises, practice containment steps like network isolation and credential resets, and test business continuity for key systems.

Utilize Threat Intelligence and Dark Web monitoring: Subscribe to threat intelligence and Dark Web monitoring to spot indicators and early signs of leaked data. Focus on insights that map to behaviors you can log and block, and share key findings with peers and CERTs.

Improve third-party security and vendor oversight: Review supplier security, limit vendor access to what they need and require clear security controls in contracts. Reducing weak third-party access shrinks a common path into your network.

SOCRadar, Supply Chain Intelligence - 3rd Party Companies

Train staff and reduce human risk: Keep staff trained on phishing and other social engineering tricks. Promote a culture of fast reporting when someone clicks a bad link or opens a strange file. Early and honest reporting can keep a minor mistake from turning into a full incident.

Putting these layers in place makes Sarcoma’s work harder and your recovery easier when an incident happens.

How Can SOCRadar Help?

To stay resilient against a group like Sarcoma, organizations must move beyond basic defenses and adopt an intelligence-led security posture. Start by assessing exposure and monitoring both internal and external risks. Use SOCRadar Labs – Dark Web Report for a quick, free check of whether your domain appears in underground spaces.

Continuously monitor underground forums, ransomware leak sites and Tor portals for mentions of your organization. Because Sarcoma publishes victim data to increase pressure, early detection of leaks matters for containment and response. SOCRadar’s Dark Web Monitoring keeps watch over those spaces and alerts you to emerging postings so you can act fast.

SOCRadar’s Dark Web Monitoring

Identify and mitigate exposed services such as RDP, VPN endpoints and vulnerable web applications that ransomware actors frequently exploit for initial access. Proactive asset discovery reduces the chance of intrusion. That capability is available through SOCRadar’s Attack Surface Management, which helps map internet-facing assets and prioritize fixes.

Track your brand and digital footprint to detect impersonation, phishing campaigns or fraudulent domains that attackers use to trick employees and partners. Rapid detection of lookalike sites and credential-phishing infrastructure narrows the window for social-engineering attacks. Use SOCRadar’s Digital Risk Protection to spot these threats early.

SOCRadar’s Digital Risk Protection

Sarcoma’s rapid rise shows how quickly a new ransomware operation can disrupt industries. With SOCRadar’s Ransomware Intelligence module, defenders gain updated IoCs, YARA rules and contextual analysis that translate alerts into action. Combine these insights with active monitoring and attack surface reduction to detect, investigate and respond before an incident escalates.

MITRE ATT&CK TTPs of Sarcoma Ransomware

| Tactic | Technique ID | Technique name | Notes |
|---|---|---|---|
| Initial access | T1190 | Exploit Public-Facing Application | Exploits vulnerable internet-facing services, including Citrix, Fortinet and Microsoft Exchange, sometimes using zero-day flaws. |
| Initial access | T1566.001 | Phishing: Spearphishing Attachment | Targeted phishing with attachments is one of the main entry vectors. |
| Initial access | T1078 | Valid Accounts | Stolen or purchased credentials are used to log in to VPN, web apps and internal systems. |
| Initial access | T1199 | Trusted Relationship | Compromises third-party providers and then pivots into downstream customers. |
| Discovery / recon | T1018 | Remote System Discovery | Uses Remote Monitoring and Management tools to discover reachable systems and map the environment after gaining a foothold. |
| Discovery / recon | T1083 | File and Directory Discovery | Enumerates file systems to find data-rich locations that then feed the staging and encryption phases. |
| Credential access | T1003 | OS Credential Dumping | Uses tools such as Mimikatz to dump credentials, which are then reused to reach domain controllers, backup repositories and other high-value systems. |
| Lateral movement | T1021 | Remote Services | Moves laterally over RDP, PsExec, SMB and similar remote admin channels, relying on authenticated, low-noise techniques. |
| Lateral movement | T1219 | Remote Access Software | Abuses legitimate Remote Monitoring and Management tools for remote control, discovery and movement in a way that looks like normal IT work. |
| Defense evasion / persistence | T1027 | Obfuscated Files or Information | Uses obfuscated scripts and payloads so that static and dynamic analysis becomes harder. |
| Defense evasion / persistence | T1562.001 | Impair Defenses: Disable or Modify Tools | Terminates or disables endpoint security and monitoring tools before and during the main attack. |
| Defense evasion / persistence | T1053.003 | Scheduled Task / Job: Windows Task Scheduler | Creates scheduled tasks to run tools and payloads, and sometimes cleans them up afterward. |
| Defense evasion / persistence | T1112 | Modify Registry | Changes registry keys, including recovery-related settings, as part of persistence and anti-forensic behaviour. |
| Anti recovery | T1490 | Inhibit System Recovery | Deletes Windows Volume Shadow Copies and other restore points to block simple restore-based recovery. |
| Collection / staging | T1560 | Archive Collected Data | Uses 7z.exe and similar utilities to compress large data sets into archives before exfiltration. |
| Exfiltration | T1567 | Exfiltration Over Web Service | Pushes archives to cloud and file-sharing services such as Google Drive, Amazon S3, Mega and temp.sh before encryption, securing double-extortion leverage. |
| Impact / encryption | T1486 | Data Encrypted for Impact | Performs multithreaded hybrid encryption on Windows, Linux and VMware ESXi while skipping some system-critical folders. |
| Impact / service disruption | T1489 | Service Stop | Stops critical services, including databases, to unlock files and maximise operational disruption before or during encryption. |
| Targeting controls | T1614.001 | System Language Discovery | Avoids some systems based on locale or language checks, shaping the group's geographic footprint. |