Ransomware Intelligence

sarcoma

Ransomware group profile

Victims: 32
Source country: Uzbekistan
Impact score: 51

Description

Sarcoma is a financially motivated ransomware group that emerged in late 2023, quickly establishing itself as a significant threat in the cybercrime landscape. Operating under a Ransomware-as-a-Service model, it employs a double extortion strategy, encrypting and exfiltrating sensitive data to compel victims to pay ransoms. The group is recognized for using specific evasion techniques and actively developing targeted tools for various environments.

Key insights

  • Operates under a Ransomware-as-a-Service (RaaS) model with a limited partner network.
  • Utilizes a double extortion strategy involving data encryption and sensitive information exfiltration.
  • Targets vulnerable internet-facing services, including Citrix, Fortinet, and Microsoft Exchange.
  • Employs intermittent file encryption and specific evasion techniques to avoid detection.
  • Impacts multiple operating systems including Windows, Linux, and ESXi hosts.
  • Uses targeted phishing campaigns and exploits weak RDP configurations for initial access.
  • Drops unique ransom notes typically named 'FAIL_STATE_NOTIFICATION.pdf' post-encryption.

Threat Level & Status Breakdown

For sarcoma · Based on incidents in selected period

Threat level: 5.7
Aggressiveness: 5 / 10
Lethality: 4.8 / 10
Criticality: 7.4 / 10

Status Breakdown

Data Leaked: 96.9% (31)
Claimed: 3.1% (1)
First seen: Jun 2025
Last seen: Mar 2026
Avg ransom
Payment rate
Status: active
Sophistication: 0
Last updated: Jun 2, 2026

Recent activity

Monthly attack count for sarcoma in the selected period

Total attacks: 32
Peak: 8 in Sep
Average: 4 / month
↓ 5 vs first month
[Chart: monthly attack count; x-axis Jun, Jul, Aug, Sep, Oct, Nov, Jan, Mar; y-axis 0 to 8]

Intelligence

IOCs, YARA/Sigma rules, and related families for sarcoma

View full IOC feed (500 total)

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for sarcoma

Other

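  • T1486 (Data Encrypted for Impact)
  • T1490 (Inhibit System Recovery)
  • T1078 (Valid Accounts)
  • T1566 (Phishing)
  • T1190 (Exploit Public-Facing Application)
  • T1195 (Supply Chain Compromise)
  • T1021.001 (Remote Services: Remote Desktop Protocol)
  • T1562 (Impair Defenses)
  • T1059 (Command and Scripting Interpreter)
  • T1547 (Boot or Logon Autostart Execution)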

Victims (32)

Company | Domain | Country | Industry | Status | Discovered
GYF | | AR Argentina | Financial Services | Claimed | 2 months ago
Propane Levac Inc. | propanelevac.ca | CA Canada | Energy & Utilities | Data Leaked | 4 months ago
MecMatica | mecmatica.it | IT Italy | Technology | Data Leaked | 4 months ago
Söllner | soellner.de | DE Germany | Other | Data Leaked | 7 months ago
B&J Rocket Sales | bj-rocket.com | CH Switzerland | Manufacturing | Data Leaked | 7 months ago
Paul Hildebrandt | hildebrandt.de | DE Germany | Manufacturing | Data Leaked | 7 months ago
Unimed do Brasil | | BR Brazil | Healthcare | Data Leaked | 8 months ago
Charter Industrial Supply | charterindustrial.com | US United States | Manufacturing | Data Leaked | 8 months ago
MSB | | US United States | Other | Data Leaked | 8 months ago
MACMA Werbeartikel oHG | macma.de | DE Germany | Professional Services | Data Leaked | 8 months ago
Thermofin | thermofin.de | CA Canada | Manufacturing | Data Leaked | 8 months ago
Miami Management | miamimanagement.com | US United States | Professional Services | Data Leaked | 8 months ago
IAD GmbH | | DE Germany | Education | Data Leaked | 9 months ago
Kwg | | DE Germany | Professional Services | Data Leaked | 9 months ago
Pfullendorfer Tor-Systeme | pfullendorfer.de | DE Germany | Manufacturing | Data Leaked | 9 months ago
F1-Generation | f1-generation.com | CH Switzerland | Retail & E-Commerce | Data Leaked | 9 months ago
Inox Laghi | inoxlaghi.com | IT Italy | Manufacturing | Data Leaked | 9 months ago
Maselli Misure S.p.A. Information | maselli.com | IT Italy | Technology | Data Leaked | 10 months ago
Harinera del Valle | hv.com.co | CO Colombia | Other | Data Leaked | 10 months ago
Metro Heating | metrohvac.net | US United States | Manufacturing | Data Leaked | 10 months ago
