The cybersecurity landscape faces increasing challenges as Arcus Media ransomware emerges as a highly sophisticated threat.
This Ransomware-as-a-Service (RaaS) operation, first observed in May 2024, has rapidly evolved, executing coordinated attacks that disrupt critical processes, encrypt data, and hinder recovery efforts.
With more than 50 major attacks claimed across industries, Arcus Media demonstrates the growing technological prowess of cybercriminal groups.
Arcus Media ransomware employs advanced techniques to achieve privilege escalation and disrupt key business operations.
Upon execution, the malware checks for administrative privileges using the ShellExecuteExW API.
If privileges are insufficient, it re-executes itself with elevated permissions.
The malware also implements persistence mechanisms, modifying the Windows registry to ensure it relaunches after system reboots, though a coding bug partially limits its effectiveness.
A core feature of the malware is its ability to terminate business-critical applications, such as SQL servers, email clients (e.g., Outlook and Thunderbird), and office tools (e.g., Word and Excel).
It does this through the CreateToolhelp32Snapshot and TerminateProcess APIs, rendering core services inoperable.
These disruptions amplify operational damage and complicate recovery efforts.
Arcus Media uses the ChaCha20 encryption algorithm combined with RSA-2048 to secure encryption keys, ensuring files remain inaccessible without the attacker's decryption tools.
The ransomware employs a dual encryption strategy based on file size.
Smaller files undergo full encryption, while larger files (>2 MiB) are partially encrypted, targeting the first and last 1 MiB of content.
Encrypted files are renamed with the extension [Encrypted].Arcus, and a hardcoded footer containing encryption metadata is appended.
Prior to encryption, Arcus Media exfiltrates sensitive data using secure file transfer protocols, enabling double-extortion tactics.
Victims are pressured to pay a ransom not only to regain access to files but also to prevent their data from being leaked publicly.
The ransomware takes deliberate steps to obstruct recovery mechanisms.
It deletes shadow copies, disables system recovery, and clears security event logs through commands such as vssadmin delete shadows and wevtutil cl Security.
These measures ensure that traditional restoration techniques, including backup-based recovery, are ineffective.
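As an added illustration, not code from the article or from the Halcyon report, the following Python scans process-creation log lines for the two recovery-inhibition commands named above and flags hosts where both fire, since the pair together is a far stronger ransomware signal than either alone. The log format, host names and rule names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed process-creation log lines for demonstration; not from the article or any real incident.
# Assumed format: "<ISO timestamp> host=<host> image=<exe path> cmd=\"<command line>\""
SAMPLE_LOGS = [
    '2024-06-01T10:00:01Z host=ws01 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows"',
    '2024-06-01T10:00:02Z host=ws01 image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil cl Security"',
    '2024-06-01T10:00:03Z host=ws01 image=C:\\Windows\\System32\\cmd.exe cmd="cmd /c dir"',
    '2024-06-01T10:00:04Z host=ws02 image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil qe Application /c:5"',
    '2024-06-01T10:00:05Z host=ws02 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"',
]

# Each rule corresponds to one recovery-inhibition command the article attributes to Arcus Media.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "security_log_cleared": re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+security\b", re.I),
}

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>[^"]*)"')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_rules(lines):
    """Return (timestamp, host, rule_name, command) for every line whose command line matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(rec["cmd"]):
                hits.append((rec["ts"], rec["host"], name, rec["cmd"]))
    return hits


def hosts_with_full_chain(lines):
    """Hosts on which every rule fired: shadow deletion plus Security log clearing on the same host."""
    seen = defaultdict(set)
    for _, host, name, _ in match_rules(lines):
        seen[host].add(name)
    return sorted(h for h, names in seen.items() if names == set(RULES))


if __name__ == "__main__":
    for hit in match_rules(SAMPLE_LOGS):
        print(hit)
    print("hosts with full recovery-inhibition chain:", hosts_with_full_chain(SAMPLE_LOGS))
```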
To further secure its foothold, Arcus Media disables firewalls and modifies system configurations.
According to the Halcyon report, it achieves persistence by copying itself to the ProgramData directory and attempting to add auto-start registry keys.
However, an implementation error causes the registry entry to be improperly formatted.
Victims are presented with ransom notes titled Arcus-ReadMe.txt, threatening public exposure of exfiltrated data if payment is delayed.
The group communicates via encrypted platforms, including TOR and Tox Chat, ensuring anonymity.
Failure to resolve the ransom demand within specified timelines results in escalating penalties, including public data leaks and reputational harm.
Arcus Media’s operational model illustrates the increasing threat of ransomware in modern cybersecurity.
By combining advanced privilege escalation, selective encryption approaches, and effective recovery disruption, Arcus Media represents a formidable challenge for organizations.
Its reliance on double-extortion tactics and persistent operational disruption highlights the urgent need for proactive defense strategies.
Cybersecurity experts emphasize that even non-novel ransomware techniques, when executed with precision, can create significant havoc.