
Sarcoma Ransomware Group

  • securedmonk
  • 3 days ago
  • 12 min read

Sarcoma is a criminal ransomware group that breaks into company networks, steals sensitive data, encrypts the files so the business cannot operate, and then demands a payment to restore access. If the company refuses to pay, Sarcoma publishes the stolen data on a public dark web website for anyone to download, including competitors, journalists, and regulators.

The group first appeared in October 2024 and immediately became one of the most active ransomware gangs in the world. In a single week, October 9 to 15, 2024, Sarcoma accounted for 20% of all ransomware attacks reported globally. Scale like that does not happen by accident; it suggests to security researchers that the people running Sarcoma had done this before under a different name.

The leading theory is that Sarcoma is a rebranded version of the earlier Maze and Egregor operations. Both are gone: Maze announced its own retirement in late 2020, and Egregor was disrupted in early 2021 when affiliates were arrested in Ukraine. The people behind them appear to have spent about three years staying quiet and rebuilding before launching again as Sarcoma in 2024. Technical analysis of Sarcoma's malware shows code similarities to both earlier groups, which supports the theory without proving it.

By mid-2025, Sarcoma had confirmed victims in more than thirteen countries and was demanding ransoms of over one million US dollars from large organisations. As of early 2026, no government has issued a formal warning about the group, and no law enforcement agency has taken any public action against it. It is fully operational and growing.

 

  • 116+ confirmed victims through mid-2025
  • $1M+ peak ransom demand per enterprise target
  • 20% of all global ransomware victims in its first week


Who Do They Target?


Sarcoma is not picky about industry. Their victim list includes manufacturing companies, healthcare providers, legal firms, retailers, construction businesses, gas distributors, software companies, and more. What these organisations tend to have in common is that they hold sensitive data (customer records, financial files, medical information, or proprietary business data) and are not large enough to have enterprise-grade security teams watching their networks around the clock.


The sweet spot for Sarcoma is mid-market companies: businesses with annual revenues roughly between one million and ten million US dollars. These companies are big enough to hold genuinely valuable data and to pay a meaningful ransom, but small enough to lack the security investment of large corporations.


Geographically, the United States is by far the most targeted country, accounting for around half of all confirmed Sarcoma incidents. Australia, Canada, Germany, Italy, the United Kingdom, Japan, and Spain have also been hit significantly. The spread of victims in the portal screenshots captured here (Argentina, Canada, Italy, Germany, and Brazil on a single page) illustrates that the group targets globally rather than focusing on one region.


One geographic area Sarcoma deliberately avoids is the former Soviet Union, specifically the countries of the Commonwealth of Independent States (CIS). The malware checks the system's language and locale settings and stops itself from running if it detects a CIS country. This built-in avoidance is a well-known signal in ransomware research: groups that do it are almost always based in Russia or neighbouring countries, and they avoid attacking locally to reduce the chance of domestic law enforcement taking an interest in them.



The Dark Web Leak Portal - How the Pressure Works


Sarcoma operates one of the most professionally designed victim-shaming websites in the ransomware world. It lives on the dark web, reachable only through the Tor anonymity network, and displays a grid of company cards, each showing the targeted organisation's own logo, website, industry, country, and a counter showing how many times that listing has been viewed.


Those view counters are a weapon in themselves. In the screenshot captured below, individual listings show between six thousand and thirty-seven thousand views. When a company representative sees that their breach has been viewed tens of thousands of times, the message is clear: data buyers, journalists, regulators, and competitors have already seen it. Every day of delay means more eyes on the breach.


[Figure 1: screenshot of Sarcoma's dark web leak portal]

Fig 1: Sarcoma's dark web leak portal. The portal shows victim company logos, industry, country, and a view counter for each listing. High view counts signal to victims that their breach is being watched by a large audience, including potential data buyers.

The process works like this. After stealing and encrypting a company's data, Sarcoma privately contacts the victim with a ransom demand and a deadline, usually shown as a countdown timer. If the company does not pay or engage seriously in negotiation, Sarcoma adds them to the public portal. Initially the listing shows only a company description and some sample documents as proof that the theft is real. As the deadline approaches, more sample files are released. When the timer runs out, the full stolen archive is published with a download link.


The sample documents used as proof are chosen deliberately to be as alarming as possible. The listing for Propane Levac Inc., a Canadian propane distributor serving Ontario and Quebec, includes a scanned invoice showing customer addresses, internal transaction numbers, and Canadian tax registration details. This is not just evidence that the theft occurred; it demonstrates to any potential data buyer that the stolen archive contains real, usable business documents.


[Figure 2: screenshot of a victim listing on the portal]

Fig 2: Victim detail (Canada). The listing shows a 45 GB stolen archive, a Tor download link, and a scanned invoice as proof of breach. The document exposes transaction records, customer data, and tax registration numbers, making clear that the stolen data is genuine and sensitive.

The download links on Sarcoma's portal point to servers the group controls directly, not third-party file-sharing sites. This matters because it lets Sarcoma switch the link off during negotiations as a goodwill gesture and switch it back on if talks break down. The group keeps complete control over the pressure at every stage.



How a Sarcoma Attack Works -Step by Step


Understanding the attack sequence is important because it shows where defenders have the best opportunity to stop the damage. The key insight is that Sarcoma steals data before encrypting anything, so by the time a company discovers the ransomware and the encrypted files, the extortion leverage (the stolen data) is already sitting on Sarcoma's servers. The steps below walk through each phase in plain language.

Step 1: Getting In (how they enter)

Sarcoma gets inside a company in one of three ways. The most common is a phishing email, a message that tricks an employee into opening a malicious attachment or clicking a link that steals their login credentials. The second is exploiting a software vulnerability in a company's internet-facing systems, such as a VPN or web application, before the IT team has applied the security patch. The third is the most dangerous: compromising a Managed Service Provider (an outsourced IT company) and using that access to hop into all of the MSP's clients at once.

Step 2: Staying Hidden (how they go undetected)

Once inside, Sarcoma does not announce itself. Operators spend days or even weeks quietly exploring the network and mapping out where the important data lives. They use legitimate IT tools, the same remote management software a company's own IT team would use, so their activity looks like normal IT work to any monitoring system. They also create hidden back doors so they can return even if their initial entry point is discovered and closed.

Step 3: Grabbing Credentials (how they get admin access)

To move freely across the whole network, Sarcoma needs administrator-level credentials. They get these by reading the memory of the Windows process that holds them, LSASS. What comes out is password hashes and Kerberos tickets, and on older or misconfigured systems plaintext passwords; any of these can be replayed. With those credentials in hand, the group can log into any server or system in the organisation as if they were a trusted administrator.

Step 4: Spreading Across the Network (how they reach every system)

Armed with admin credentials, the attackers move from machine to machine using tools Windows provides legitimately: Remote Desktop, file sharing, and remote execution utilities. They are looking for the most sensitive data stores (finance systems, HR databases, customer records, legal files, and backup servers) and build a complete map of the organisation's data before taking any destructive action.

Step 5: Stealing the Data (the critical phase, before encryption)

This is the step that defines Sarcoma's entire strategy. Before doing anything visible, the group copies the valuable data and sends it to servers they control. They use file transfer tools such as Rclone, WinSCP, and cURL to upload compressed archives of stolen files: HR records, financial statements, client databases, internal contracts, and any password files. For a mid-sized company this theft can reach tens of gigabytes; the Propane Levac breach documented in the portal was 45 GB. The data is now Sarcoma's leverage regardless of what happens next.

Step 6: Encrypting the Files (the attack becomes visible)

Only after the data theft is complete does Sarcoma deploy the ransomware. Files across the organisation are encrypted and become unreadable. The encryption is fast and runs on multiple threads simultaneously. Critically, it skips the files Windows needs to keep running, so the company can still boot its computers and read the ransom note. Sarcoma also targets VMware hypervisors, where one encryption run covers every virtual machine stored on the host, taking down dozens of systems at once.

Step 7: Pressure and Negotiation (how they force payment)

The ransom note directs the victim to a private negotiation site on the dark web. If the company does not respond or refuses to pay, Sarcoma lists them publicly on the leak portal: logo, website, and industry on display for anyone to see, with a countdown timer. Sample stolen documents are published as proof. Once the deadline passes, the full archive goes live, exposing the company to customers, regulators, and media. Even if the company eventually pays, the listing may remain visible as a warning to others.


The most important thing to understand from this sequence is Step 5, the data theft. This is the moment that determines whether a company faces simple ransomware recovery or a full double extortion situation. If the theft goes undetected, which it typically does, then restoring from backup does not solve the problem. The data is gone. The company still faces the choice of paying to prevent publication or accepting that the stolen files will be released publicly.
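Step 3 is the phase defenders can see most clearly on the endpoint, because reading LSASS memory leaves a handle-open event. The following triage logic, an added example and not code from the page or from any vendor, walks Sysmon Event ID 10 (ProcessAccess) records and flags LSASS reads that carry dump indicators. The allow-list of benign readers, the list of minidump modules, the severity labels and every sample event are constructed assumptions and need tuning against a real baseline.

```python
"""
Triage Sysmon Event ID 10 (ProcessAccess) records for LSASS credential dumping.

Added example, not the page's or any vendor's code. Field names mirror Sysmon's
ProcessAccess event; the allow-list, the module list and every event below are
constructed for illustration and must be tuned to the environment.
"""
from dataclasses import dataclass
from typing import Optional

PROCESS_VM_READ = 0x0010   # reading another process's memory: required for any dump

# Processes that routinely open lsass.exe with read access on a typical build.
# Assumption: starting point only; validate against your own baseline.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Modules in the handle-opening call stack that implement or front a minidump.
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll")


@dataclass
class Finding:
    source: str
    reason: str
    severity: str


def assess_process_access(event: dict) -> Optional[Finding]:
    """Return a Finding if this ProcessAccess event looks like an LSASS dump, else None."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    calltrace = event.get("CallTrace", "").lower()

    # Query-only handles (e.g. 0x1000, 0x1400) cannot read memory and are routine noise.
    if not granted & PROCESS_VM_READ:
        return None
    # A dump helper in the call stack is decisive regardless of who the caller is.
    if any(mod in calltrace for mod in DUMP_MODULES):
        return Finding(source, "minidump module in call stack", "high")
    # Sysmon prints UNKNOWN for frames not backed by a file on disk: typical of
    # injected or reflectively loaded tooling.
    if "unknown" in calltrace:
        return Finding(source, "unbacked code in call stack", "high")
    if source in BENIGN_SOURCES:
        return None
    return Finding(source, f"unexpected process read LSASS memory (0x{granted:x})", "medium")


def scan(events: list) -> list:
    """Run every event through the assessment and keep only the findings."""
    return [f for f in (assess_process_access(e) for e in events) if f is not None]


LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d2b4"

# Constructed sample events: not real telemetry.
SAMPLE_EVENTS = [
    # svchost with a query-only handle: noise
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": NTDLL + "|..."},
    # procdump-style tool asking for all access, MiniDumpWriteDump on the stack
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\pd.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL + r"|C:\Windows\System32\dbgcore.dll+2b2c5|..."},
    # rundll32 comsvcs.dll MiniDump living-off-the-land technique
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL + r"|C:\Windows\System32\comsvcs.dll+3b9a"},
    # Defender reading LSASS: allow-listed
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL + "|..."},
    # injected code with no backing module
    {"SourceImage": r"C:\Temp\x.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL + "|UNKNOWN(00000000001A0000)"},
    # unknown binary reading LSASS with a clean-looking stack: still worth a look
    {"SourceImage": r"C:\Temp\y.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL + "|..."},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.source}: {f.reason}")
```

Detection is the second line here, not the first: enabling LSA protection (RunAsPPL) and Credential Guard on Windows reduces what a successful dump yields in the first place, and the medium finding above is exactly the case where those controls decide whether the attacker walks away with usable administrator credentials.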



Technical Mapping -MITRE ATT&CK Framework


The MITRE ATT&CK framework is a standard reference used by security teams to describe and track attacker behaviour. The table below maps each phase of a Sarcoma attack to the relevant MITRE technique, along with a plain-language description of what Sarcoma is actually doing at that stage.

 

| Tactic | Technique ID | What Sarcoma Does |
|---|---|---|
| Initial Access | T1566 / T1190 | Phishing emails and exploiting unpatched internet-facing apps (VPN, web portals) |
| Execution | T1059.001 | PowerShell commands run in hidden/encoded form to avoid detection |
| Persistence | T1053 / T1547 | Scheduled tasks and registry autostart entries so the malware survives reboots |
| Credential Access | T1003.001 | Dumping Windows LSASS memory to steal administrator credentials (the step that then gives the group administrator-level access everywhere those accounts are used) |
| Defense Evasion / Command and Control | T1562 / T1219 | Impairing defenses (T1562) and using legitimate remote management (RMM) software (T1219) so attacker activity and traffic look like routine IT work |
| Lateral Movement | T1021.001 | Moving across the network via Remote Desktop using stolen credentials |
| Exfiltration | T1567 / T1048 | Uploading stolen data to cloud/web services with Rclone (T1567) or over other protocols with WinSCP and cURL (T1048), before encryption |
| Impact | T1486 | Encrypting files on Windows servers, Linux systems, and VMware hypervisors |



Real Victims -What the Breaches Look Like


Unimicron Technology -Taiwan

Unimicron is one of the world's largest manufacturers of printed circuit boards -the components that go inside almost every electronic device. In January 2025, Sarcoma attacked Unimicron's China-based subsidiary and claimed to have stolen 377 gigabytes of SQL database files and internal documents. Unimicron confirmed the attack publicly through a filing to the Taiwan Stock Exchange, making this one of the most high-profile confirmed Sarcoma incidents to date. The attack targeted a company whose products sit at the centre of global electronics supply chains, demonstrating that Sarcoma is not limiting itself to small or medium businesses.


Propane Levac Inc. -Canada

Propane Levac distributes propane across Ontario and Quebec to homes, businesses, and farms. Sarcoma stole 45 gigabytes of company files and published a scanned invoice as proof. By the time the portal listing was captured, its view counter stood at over 21,000. The stolen documents include transaction records and customer data for what is a relatively small regional energy supplier, illustrating that Sarcoma will target any organisation with useful data, regardless of size or sector.


The Pattern Across All Victims

Looking at all the companies visible in the portal screenshots (from Argentina to Canada to Italy to Germany to Brazil), a consistent pattern emerges. Every organisation is a mid-market company. Every one holds sensitive data that would be damaging to expose. None appears to have had the network monitoring in place to catch the data theft before it was too late. The diversity of countries and industries is not a coincidence; it reflects a strategy of targeting organisations wherever access can be obtained, rather than specialising in a single sector or region.



Why Sarcoma Ransomware Group Is Hard to Detect and Stop


Designed to Evade Traditional Detection

Most cybersecurity systems look for obvious threats such as malware, unusual logins, or suspicious programs. Sarcoma deliberately avoids these signs by making its activity appear legitimate.


Abuse of Legitimate IT Tools

Sarcoma uses standard remote IT management tools for communication with infected systems. Since these tools are normally used by IT teams, the activity appears routine, making it difficult for monitoring systems to identify anything suspicious.


Delayed Visible Damage

File encryption and ransom notes appear only after data theft has already occurred. By the time organizations notice the attack, sensitive data has often been stolen days or weeks earlier.


Slow and Methodical Movement

Instead of acting quickly and noisily, Sarcoma moves carefully through systems. This reduces failed logins, sudden network spikes, and other warning signs that automated security systems typically detect.


Hidden Critical Phase

The most damaging stage, data theft, happens quietly during reconnaissance and exfiltration, often unnoticed.



What Organisations Should Do


Defending against Sarcoma requires controls at each stage of the attack sequence. The most important investments are in preventing initial access, detecting data theft before encryption, and ensuring recovery is possible without paying the ransom. The table below sets out the key recommended actions in plain language.

 

  • Turn on multi-factor authentication (MFA). Make sure every login to company systems, especially VPN, email, and remote desktop, requires a second verification step, so a stolen password alone is not enough to get in. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over push or SMS prompts, which a phishing page or prompt-bombing can defeat.

  • Keep software patched and up to date. Sarcoma targets known vulnerabilities in VPN and web-facing software. Applying security patches quickly, especially on internet-exposed systems, closes the doors the group uses most often.

  • Watch for unusual data transfers. Alert on large volumes of data leaving the network, especially to cloud storage services, and on transfer tools such as Rclone, WinSCP, and cURL running on machines that have no business using them. Sarcoma steals data before encrypting; catching the theft early is the best chance to stop the attack before it escalates.

  • Control who has admin access. Limit administrator privileges to the people and systems that genuinely need them, review which accounts have elevated permissions regularly, and revoke anything unnecessary. Fewer admin accounts means fewer high-value credentials for the LSASS dump in Step 3 to harvest.

  • Keep backups offline and test them. Maintain backup copies of critical data that are disconnected from the main network, and test recovery at least quarterly. Sarcoma encrypts everything it can reach, including the backup servers it locates during Step 4, so a backup that is reachable with domain credentials is not a safe backup.

  • Audit your IT suppliers. Sarcoma attacks IT service providers to reach their clients. Review what access your managed IT vendors have to your systems and apply strict least-privilege policies, with MFA, to vendor accounts.

  • Monitor the dark web. Use a threat intelligence service that alerts you if your organisation's data appears on Sarcoma's leak portal or other ransomware sites. Early warning gives you time to respond before regulators and customers find out first.

  • Have a tested incident response plan. Prepare a clear plan for a ransomware incident: who makes decisions, who communicates externally, and how to isolate infected systems quickly. Practise it at least once a year with a tabletop exercise.

Of these controls, detecting the data exfiltration phase (Step 5 in the attack sequence) is the highest-priority action specifically against Sarcoma's double extortion model. Preventing encryption through good backups only solves half the problem if the data theft has already occurred. Monitoring for large unusual data transfers is the control that addresses the half that backups cannot fix.
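Both the Step 5 description and the "watch for unusual data transfers" control above come down to the same question: what does bulk exfiltration look like in the egress logs you already have? The script below, an added example rather than anything from the page or the group's own tooling, runs three checks over proxy/firewall lines: a transfer tool identifying itself in the User-Agent, a sizeable single upload to a cloud-storage provider, and a sliding one-hour per-host volume that catches chunked uploads to any destination. The log line format, the provider domain list, the User-Agent prefixes, the thresholds and every sample line are constructed assumptions to be tuned to the environment.

```python
"""
Flag bulk data exfiltration in proxy/firewall egress logs.

Added example, not the page's own tooling. The log line format, the cloud-storage
domain list, the tool User-Agent prefixes, the thresholds and every sample line
are constructed assumptions to be tuned to the environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) '
    r'bytes_out=(?P<bytes_out>\d+)(?: ua="(?P<ua>[^"]*)")?'
)

# Assumption: destinations that rclone-style exfiltration commonly uses.
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "dropboxapi.com", "googleapis.com", "backblazeb2.com")
# Assumption: transfer tools that identify themselves in HTTP traffic and have no
# business running on ordinary workstations.
TOOL_UA_PREFIXES = ("rclone/", "curl/", "WinSCP")
WINDOW = timedelta(hours=1)
BYTES_PER_HOST_PER_WINDOW = 2 * 1024 ** 3   # 2 GiB from one host in one hour
CLOUD_UPLOAD_MIN = 100 * 1024 ** 2          # 100 MiB in a single flow to cloud storage


def parse(line: str):
    """Parse one egress log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    rec["ua"] = rec["ua"] or ""
    return rec


def is_cloud_storage(host: str) -> bool:
    """True if host is a listed storage provider or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def detect(lines):
    """Return (src_host, reason) alerts, de-duplicated per host and reason, in order found."""
    alerts, seen = [], set()
    history = defaultdict(deque)   # src -> deque of (timestamp, bytes_out) inside WINDOW

    def raise_alert(src, reason):
        if (src, reason) not in seen:
            seen.add((src, reason))
            alerts.append((src, reason))

    for rec in filter(None, map(parse, lines)):
        src, ts = rec["src"], rec["ts"]
        # 1. A bulk-transfer tool announcing itself in the User-Agent.
        if rec["ua"].startswith(TOOL_UA_PREFIXES):
            raise_alert(src, f"transfer tool user-agent: {rec['ua'].split('/')[0]}")
        # 2. A sizeable single upload to consumer/cloud storage.
        if is_cloud_storage(rec["dst"]) and rec["bytes_out"] >= CLOUD_UPLOAD_MIN:
            raise_alert(src, f"large upload to cloud storage: {rec['dst']}")
        # 3. Sliding-window volume per host: catches chunked uploads to any destination.
        window = history[src]
        window.append((ts, rec["bytes_out"]))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()          # drop flows older than one hour
        if sum(b for _, b in window) >= BYTES_PER_HOST_PER_WINDOW:
            raise_alert(src, f"egress volume above {BYTES_PER_HOST_PER_WINDOW >> 30} GiB in a one-hour window")
    return alerts


# Constructed sample log, not real traffic. Lines must arrive in time order.
SAMPLE_LOG = """\
2025-03-02T01:50:12Z src=10.20.5.17 dst=www.microsoft.com dport=443 bytes_out=48210 ua="Mozilla/5.0"
2025-03-02T02:03:41Z src=10.20.5.17 dst=g.api.mega.co.nz dport=443 bytes_out=734003200 ua="rclone/v1.65.0"
2025-03-02T02:21:09Z src=10.20.5.17 dst=g.api.mega.co.nz dport=443 bytes_out=1572864000 ua="rclone/v1.65.0"
2025-03-02T10:00:00Z src=10.20.9.3 dst=updates.vendor.example dport=443 bytes_out=1610612736 ua="Mozilla/5.0"
2025-03-02T12:00:00Z src=10.20.9.3 dst=updates.vendor.example dport=443 bytes_out=1610612736 ua="Mozilla/5.0"
2025-03-02T13:10:30Z src=10.20.3.8 dst=content.dropboxapi.com dport=443 bytes_out=52428800 ua="Mozilla/5.0"
2025-03-02T13:12:02Z src=10.20.3.8 dst=files.attacker-example.net dport=443 bytes_out=209715200 ua="curl/8.4.0"
"""

if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {src}: {reason}")
```

The sample is built to show the edges: host 10.20.9.3 sends 3 GiB in total but two hours apart, so the window check stays quiet, while host 10.20.5.17 trips all three checks within half an hour. The user-agent check is the weakest of the three, since WinSCP over SFTP and any tool configured to lie about its identity leave no such string; the volume check is the one that does not depend on the attacker's choice of tool.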



Where This Group Is Heading


Sarcoma enters 2026 with no meaningful pressure from law enforcement and a growing victim list. The group has shown a consistent pattern of expanding its capabilities over time -adding the ability to attack Linux and VMware servers, refining its data theft tools, and increasing ransom demands as it builds a track record that makes victims take its threats seriously.


The most significant near-term risk is the group's reported use of zero-day vulnerabilities -security flaws that have not yet been discovered or patched by the software vendors. If Sarcoma has reliable access to zero-day exploits in commonly used business software, even organisations with strong patch management programmes become vulnerable. A zero-day attack requires no window of opportunity created by a delayed patch; it works on fully up-to-date systems.


Longer term, the broader trend in ransomware is toward using artificial intelligence to speed up the attack cycle. AI tools can automate the reconnaissance phase -scanning company networks, identifying the most valuable data, and finding weaknesses -faster than human operators. If Sarcoma incorporates these capabilities, the days-long window between initial access and encryption could shrink to hours, dramatically reducing the time available for defenders to detect and respond.


Rebranding is always possible. If law enforcement does eventually target Sarcoma's infrastructure, the same operators can shut down, rebuild, and re-emerge under a new name -as they appear to have done after Egregor was disrupted in 2021. This is why the most durable defence is not tracking the Sarcoma brand specifically, but understanding and detecting the underlying attack behaviours -because those will persist even if the name changes.

 


Indicators of Compromise (IOCs)

 

Confirmed Malware Hash

  • SHA256 6669cfeba5619b6f4d80b1281adfe69c87d845ebaaf9e83c25efa01a8267e751: Windows executable, confirmed Sarcoma ransomware, statically linked Crypto++ (CryptoPP) library

Contact Infrastructure

  • Email: SarcomaGroup@onionmail[.]org

  • TOX ID: D7A5E0027572764BE600925712D079472FF950F954553FF07E823FF1D068C31292E5E5F31AE4



Key Takeaways


Not a Typical Ransomware Group

Sarcoma is not an amateur or newly formed cybercriminal group. It began operations with mature infrastructure, technical expertise, and structured processes, suggesting it is likely a rebranded version of a previously active criminal organisation.


Rapid Large-Scale Operations

Within its first week, Sarcoma demonstrated an operational scale that many ransomware groups never achieve throughout their entire lifespan. This rapid maturity makes it particularly dangerous.


Double Extortion Model

Sarcoma uses a double extortion strategy. Victims are pressured to pay not only to decrypt encrypted files but also to prevent stolen data from being publicly released.


Backups Do Not Solve Everything

Restoring files from backups only fixes system disruption. It does not address stolen data, which remains a major risk if attackers threaten public disclosure.


Stealthy Data Theft Techniques

The group focuses heavily on data exfiltration that appears normal. It uses legitimate tools and mimics regular user behavior, making detection difficult with traditional security methods.


Need for Data Monitoring

Effective defense requires monitoring outgoing data traffic rather than only tracking suspicious software or malware activity on individual systems.


Long-Term Consequences of Exposure

Once listed on Sarcoma's leak portal, stolen data remains publicly accessible. This can lead to regulatory investigations, legal consequences, and reputational damage long after the attack itself is resolved.

 
