Arcus Media Ransomware Displays Novel Process Targeting, Selective Encryption and Recovery Disruption
Arcus Media ransomware demonstrates advanced capabilities designed to maximize disruption and hinder recovery efforts, elevating privileges when administrative access is unavailable and employing registry-based persistence mechanisms.
It targets and terminates business-critical processes, including SQL servers and email clients. It deletes shadow backups, disables system recovery, and clears event logs, ensuring victims face significant operational and data recovery challenges.
Executive Summary
- Execution, Privilege Escalation, Persistence: Arcus Media ransomware operates without parameters and elevates privileges using the ShellExecuteExW API if administrative access is unavailable and attempts registry-based persistence.
- Targeted Process Termination: Terminates key business-critical processes (e.g., SQL servers, email clients, office tools) to maximize impact, leveraging the CreateToolhelp32Snapshot API.
- Unique Encryption: Encrypts files using the ChaCha20 cipher, with RSA-2048 protecting keys. Implements partial encryption for larger files (>2 MiB) and appends [Encrypted].Arcus to encrypted files.
- Recovery Disruption: Deletes backup shadow copies, disables system recovery, and clears event logs using commands such as vssadmin delete shadows and wevtutil cl Security to thwart restoration efforts.
About Arcus Media
The Arcus Media ransomware group first emerged in May 2024, rapidly becoming a formidable threat operating under a Ransomware-as-a-Service (RaaS) model. By November 2024, Arcus Media had claimed responsibility for over 50 attacks across industries such as business services, retail, and media. High-profile incidents include attacks against Braz Assessoria Contábil and FILSCAP.
The group has been observed leveraging a variety of well-known ransomware TTPs, and initial access is typically achieved through phishing emails containing malicious attachments or links, which deliver the ransomware payload when opened.
Once inside, attackers deploy obfuscated malicious scripts and custom binaries to execute the ransomware, initiating file encryption. They maintain persistence by creating scheduled tasks and modifying registry settings, ensuring the malware remains active even after system reboots.
Arcus Media uses tools like Mimikatz for credential dumping, granting them elevated privileges within the victim network. They also evade defenses by employing obfuscation, encryption, and disabling security software.
To expand their reach, the group conducts network reconnaissance, scans for vulnerabilities, and employs brute force attacks on accounts with weak passwords. Lateral movement is facilitated through Remote Desktop Protocol (RDP) and tools like Cobalt Strike, enabling widespread deployment of ransomware across systems.
Before encryption, the group exfiltrates critical data via secure file transfer protocols, supporting their double-extortion tactics. Victims are threatened with public data leaks if ransom demands are unmet. Their encryption scheme employs two distinct modes based on file size. They use the ChaCha20 cipher, generating a unique 32-byte key for each encrypted file, which is then encrypted with RSA-2048.
Command and control (C2) operations rely on TOR and encrypted channels, ensuring stealthy communication. Arcus Media’s relentless tactics highlight the growing sophistication of modern ransomware groups, making them a significant cybersecurity adversary. Given the group’s typical mechanisms for performing ransomware operations, the key message for defenders is that ransomware does not need to be novel for success.
Ransomware Payload Behavior Analysis
Execution
Arcus Media ransomware can execute without any parameters or command-line arguments. It runs correctly either by double-clicking or launching it directly from the command line.
Privilege Escalation
Upon execution, it first checks whether the current process has administrative privileges by verifying whether the process token is a member of the local Administrators group. If administrative privileges are not present, it re-executes itself using the ShellExecuteExW API with elevated privileges via the "runas" verb.
Process Termination
Process termination involves enumerating the currently running processes via the CreateToolhelp32Snapshot API, comparing each process name to a predefined list of target processes, and terminating any process identified on the list using the TerminateProcess API.
Process Name List to Terminate:
File Selection/Enumeration
File search begins at the root of every available drive on the system. The GetLogicalDrives API is used to retrieve all available drives on the system.
It includes a hardcoded list of directories and filenames that it skips during file search. Any directories and files not on the exclusion list will be encrypted.
Excluded Directories:
Excluded File Names:
Excluded File Extensions:
When a file is located, it first verifies read and delete access by opening the file with the CreateFileW API, specifying the desired access as GENERIC_READ | DELETE. If the open fails because either read or delete access is missing, the file is skipped as well.
File Encryption
Arcus Media utilizes the OpenSSL library for encryption, employing the ChaCha20 cipher to encrypt files. The per-file symmetric key is encrypted with the attacker's RSA-2048 public key and appended to each encrypted file's footer.
The encrypted file will be renamed by appending the following file extension:
[Encrypted].Arcus
Arcus Media operates with two distinct modes of file encryption:
- Full
- Partial
The file encryption mode is chosen by the size of the target file: files larger than 2 MiB are partially encrypted, while smaller files are encrypted in full.
Footer Information
Extortion Notifications
In each traversed directory, it drops a ransom note with the following file name.
Arcus-ReadMe.txt
Ransomware Note:
<<<< You Have Been Compromised >>>>
All Of Your Sensitive Data Encrypted And Downloaded.
In Order to Keep Your Sensitive Data Safe And Recover Files You Have to Contact Us.
Download tox chat : https://tox.chat/download.html
Add And Message Us on :
<redacted>
In case No Answer in 24h Mail to : <redacted>
in case you don't contact in 3 Days You Will Posted In our LeakBlog ,
News about this Hack will ruin your reputation,
After 5 days ALL your Sensitive DATA (Customers Confidential Data, Company Finance, Contracts, etc ..) will Published into LeakBlog,
you will face with GDPR and your own Customers , The People affected will get mail from us about this hack and how their Confidential Data is not Safe anymore.
You can download TOR browser and take look at our blog :
<redacted>
Don't panic , Your Case will resolved as soon you contact us and you can back to work as before .
We hope you Consider Risk of Data Exposure.
>>> WARNING :
1. DO NOT MODIFY ENCRYPTED DATA YOURSELF OR USE THIRD PARTY , IT MAY DAMAGE DATA AND LEAD TO PERMANENT DATA LOSS .
2. DO NOT STOP ENCRYPTION PROCESS , IT MAY DAMAGE DATA AND LEAD TO PERMANENT DATA LOSS .
Backup Disruptions
Before the file encryption process, Arcus Media deletes all shadow copies and disables automatic system recovery by executing system commands in the following sequence:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
Persistence
Arcus Media will copy itself to the following path.
C:\ProgramData\svccost.exe
It then tries to establish persistence by adding an auto-start entry at the registry location below.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name – “cr”
Type – REG_SZ
Data – C:\ProgramData\svccost.exe
However, there seems to be a bug when creating the auto-start entry in the registry. The RegSetValueExW (Unicode) API is used, but the data being set is in plain ASCII (char) string format.
As a result, the registry entry appears like this:
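To see why the stored value looks wrong, the following added Python example (not part of the original analysis or the malware's code) reinterprets the ASCII bytes of the path as UTF-16LE, which is how RegSetValueExW and the registry editor treat REG_SZ data, and shows how an analyst can recover the intended path from such a mangled value during triage. It assumes the ASCII buffer was passed with its byte length as cbData and without a terminator; the report does not state how the call was made, so that is an assumption.

```python
import string

# Constructed sample: the auto-start path the report says the sample writes.
RUN_VALUE_PATH = r"C:\ProgramData\svccost.exe"

# Printable ASCII (space through '~'); used by the mangling heuristic below.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def as_registry_sees_it(ascii_path, cb_data=None):
    """Reinterpret an ASCII char buffer as the UTF-16LE string that the
    Unicode registry API stores when handed those bytes.

    Assumption (not stated in the report): cbData equals the ASCII byte
    length and no terminator is included. An odd byte count would leave a
    dangling byte, which is padded with 0x00 so the decode does not fail.
    """
    raw = ascii_path.encode("ascii")
    if cb_data is not None:
        raw = raw[:cb_data]
    if len(raw) % 2:
        raw += b"\x00"
    # Each pair of ASCII bytes becomes one UTF-16 code unit (little-endian),
    # so "C:" turns into U+3A43, "\P" into U+505C, and so on.
    return raw.decode("utf-16-le")


def looks_like_mangled_ascii(value):
    """Heuristic: every UTF-16 code unit splits into two printable ASCII
    bytes. A correctly written Windows path decodes to code units whose
    high byte is 0x00, so this returns False for genuine REG_SZ data."""
    if not value:
        return False
    units = [ord(c) for c in value]
    for i, u in enumerate(units):
        hi, lo = u >> 8, u & 0xFF
        if chr(lo) not in PRINTABLE:
            return False
        if hi == 0 and i == len(units) - 1:
            continue  # padding byte from an odd-length buffer
        if chr(hi) not in PRINTABLE:
            return False
    return True


def recover_intended_path(value):
    """Invert the mis-encoding: re-encode the mangled string as UTF-16LE
    and read the bytes back as ASCII, dropping any padding."""
    return value.encode("utf-16-le").rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    mangled = as_registry_sees_it(RUN_VALUE_PATH)
    print("stored value  :", mangled)
    print("looks mangled :", looks_like_mangled_ascii(mangled))
    print("intended path :", recover_intended_path(mangled))
```

The practical consequence is that an auto-start entry written this way points at a string that is not a valid path, so the Run key would not launch the copied binary on logon; the recovery function is what lets an analyst map the odd-looking value back to the file to look for on disk.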
System Modifications
It turns off the Windows Firewall and clears the Security event log by executing the following system commands in sequence.
netsh advfirewall set currentprofile state off
netsh firewall set opmode mode=disable
wevtutil cl Security
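The backup-disruption commands listed under Backup Disruptions and the firewall and event-log commands above are the most reliable detection points in this chain, because they are rarely run in sequence by legitimate administration. The following added Python example (not part of the original report or of any Halcyon product) matches those command lines in process-creation telemetry and flags hosts where several distinct categories fire within the same log. The log lines and the `cmd=` record format are constructed for the example; real telemetry (Windows event 4688, Sysmon event 1) would need its own parser.

```python
import re

# Detection rules for the recovery-disruption and defense-evasion commands
# described in the report. Patterns are case-insensitive and tolerate extra
# arguments between the tokens, so "vssadmin.exe Delete Shadows /All" still hits.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    ],
    "backup_catalog_deletion": [
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    ],
    "firewall_disabled": [
        re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I),
        re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\s+set\s+opmode\b.*\bdisable\b", re.I),
    ],
    "security_log_cleared": [
        re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\s+security\b", re.I),
    ],
}

# Constructed sample of process-creation records (not real telemetry) in the
# form "<timestamp> host=<name> pid=<n> cmd=<command line>". The first and
# last lines are benign look-alikes that must not fire.
SAMPLE_LOG = """\
2024-11-12T09:14:02Z host=WS-017 pid=4120 cmd=vssadmin list shadows
2024-11-12T09:15:40Z host=WS-017 pid=4388 cmd=vssadmin delete shadows /all /quiet
2024-11-12T09:15:41Z host=WS-017 pid=4396 cmd=wmic shadowcopy delete
2024-11-12T09:15:42Z host=WS-017 pid=4402 cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures
2024-11-12T09:15:42Z host=WS-017 pid=4410 cmd=bcdedit /set {default} recoveryenabled no
2024-11-12T09:15:43Z host=WS-017 pid=4418 cmd=wbadmin delete catalog -quiet
2024-11-12T09:15:44Z host=WS-017 pid=4426 cmd=netsh advfirewall set currentprofile state off
2024-11-12T09:15:44Z host=WS-017 pid=4430 cmd=netsh firewall set opmode mode=disable
2024-11-12T09:15:45Z host=WS-017 pid=4438 cmd=wevtutil cl Security
2024-11-12T09:20:10Z host=WS-022 pid=1204 cmd=wevtutil qe Application /c:5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$"
)


def parse_line(line):
    """Split one constructed record into its fields, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_rules(cmd):
    """Return the names of all rules whose patterns match a command line."""
    return [name for name, pats in RULES.items() if any(p.search(cmd) for p in pats)]


def detect(log_text):
    """Return (rule, host, cmd) for every suspicious process-creation record."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for rule in match_rules(rec["cmd"]):
            hits.append((rule, rec["host"], rec["cmd"]))
    return hits


def hosts_to_escalate(hits, min_rules=2):
    """Hosts where at least `min_rules` distinct categories fired. A single
    vssadmin call may be an admin; shadow deletion plus recovery disablement
    plus a cleared Security log is the pre-encryption sequence the report describes."""
    per_host = {}
    for rule, host, _ in hits:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for rule, host, cmd in found:
        print(f"{host}: {rule}: {cmd}")
    print("escalate:", hosts_to_escalate(found))
```

Clearing the Security log deserves its own alert regardless of the host score, since it also destroys the evidence the other rules depend on; Windows additionally records event 1102 when that log is cleared, which survives the clear and is a useful second signal.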
Conclusion
Arcus Media ransomware represents a formidable and evolving threat in the cybersecurity landscape. Its ability to disrupt critical processes, selectively encrypt files based on size, and disable recovery mechanisms demonstrates a deliberate and highly technical approach designed to maximize impact and pressure victims into compliance.
The combination of advanced encryption techniques, targeted process termination, and persistent disruption ensures a high level of operational success while complicating defensive efforts. Furthermore, its reliance on extortion through data leaks adds another layer of coercion, making it a significant challenge for organizations to defend against.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.