Arcus Media: The Rising Ransomware Threat Redefining Modern Cybersecurity Defenses


Ransomware continues to evolve as one of today’s most formidable cyber threats. Cybercriminals continue to refine their tactics to inflict the most damage possible and, ultimately, increase the likelihood of a ransom payment.

Over the past decade, specialized ransomware groups have moved beyond “spray-and-pray” attempts at mass infection to highly targeted, more sophisticated techniques that put more pressure on their victims.

One of the latest threats is posed by Arcus Media, a ransomware group first identified in May 2024. In less than a year’s time, Arcus Media has been connected to more than 50 serious cyberattacks affecting companies in the business services, retail, and media industries. The group’s signature approach involves selective file encryption, the disruption of critical business processes, and aggressive tactics to prevent recovery.

“Arcus Media is an emerging ransomware group making waves with its highly disruptive and strategic attack methods,” said Anthony M. Freed, Director of Research and Comms at Halcyon. “This threat actor demonstrates a clear focus on maximizing operational impact, from targeting critical business processes to rendering recovery efforts nearly impossible. Arcus Media’s combination of sophisticated encryption techniques, persistence mechanisms, and methods to erase recovery options showcases a deep understanding of how to cripple victim organizations to maximize potential profits.”

Halcyon’s latest research provides an in-depth analysis of Arcus Media’s evolving tactics and operational playbook. The report also describes the larger implications for traditional cybersecurity defenses and recommends urgent action as companies attempt to keep pace with these new ransomware threats.

The Rise of Arcus Media

Arcus Media first emerged in May of 2024, but the group has quickly adapted its tactics to become a major ransomware threat. The following is a timeline of Arcus Media’s most notable activities:

  • May 2024: The group rose to prominence after conducting some of its first attacks on the business services industry using selective encryption techniques.
  • July 2024: Arcus Media developed new tactics and expanded its approach into the retail and media industries. In these cases, the group focused on using data leaks to pressure victims into paying their ransom.
  • September 2024: Emboldened by early successes, Arcus Media began to use advanced anti-forensic efforts, including log wiping and shadow backup deletion, making their campaigns extremely difficult to detect.
  • November 2024: The group orchestrated high-profile attacks on Braz Assessoria Contábil and the Filipino Society of Composers, Authors, and Publishers (FILSCAP) that targeted highly sensitive financial and intellectual property data.
  • January 2025: Arcus Media has already committed more than 50 attacks, a number that Halcyon warns will only increase in the year ahead.

With a constantly evolving playbook and a growing list of victims, Arcus Media has clearly demonstrated just how successful its ransomware tactics can be.

High-Profile Incidents and Their Implications

In the case of the Braz Assessoria Contábil attack, Arcus Media successfully infiltrated the Brazilian accounting firm, and once in, encrypted sensitive financial data and brought important operations and client services to a halt. Arcus Media hackers demanded a hefty ransom in cryptocurrency and threatened to release confidential tax and payroll records if its demands weren’t met.

While specific details weren’t released, this attack clearly demonstrated Arcus Media’s impressive capabilities in crippling today’s financial service providers and increasing the pressure to meet their ransom demands.

Then, in November 2024, Arcus Media hit FILSCAP with a ransomware attack that targeted the organization’s copyright and royalty data. The group first encrypted intellectual property, financial records, and operational data and then used double extortion tactics by threatening to leak confidential agreements and other information as well as demanding payment.

This left FILSCAP in a difficult position where paying might restore access to their data and prevent a data leak, but there was no way of knowing if the hackers would release the data anyway. Similar to the Braz Assessoria Contábil case, we don’t know if FILSCAP paid the ransom. Yet this attack raised new concerns about the overall security of intellectual property and the ransomware group’s growing interest in the entertainment industry.

A Closer Look at Arcus Media’s Technical Arsenal

Arcus Media uses a highly targeted, comprehensive approach that causes maximum disruption before encryption begins. Its arsenal of techniques includes process termination, selective encryption, and recovery disruption – leaving companies with little to no options for restoring their systems and increasing the pressure to pay the ransom.

Process Targeting and Termination

To cause this disruption, Arcus Media identifies and terminates critical processes. The group specifically targets SQL servers, to cut off access to databases; email clients, to thwart communications; and backup and security tools, to block recovery efforts.

Using Windows APIs such as CreateToolhelp32Snapshot, Arcus Media’s ransomware enumerates running processes and then calls TerminateProcess to force them to stop. This approach keeps the targeted applications from restarting, maximizing the overall damage before encryption begins.

Selective File Encryption

Instead of encrypting entire drives indiscriminately, Arcus Media employs a more strategic approach to optimize speed and efficiency. The group uses the ChaCha20 cipher for fast, secure encryption, with RSA-2048 to protect encryption keys. Large files are only partially encrypted to maintain speed while still rendering them unusable, whereas smaller files undergo full encryption to ensure complete data loss.
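For incident responders, the partial-encryption behaviour described above matters when scoping damage: a whole-file entropy check can miss a large file whose leading region is ciphertext and whose tail is intact. The following is an added triage example (not Halcyon’s code and not derived from the ransomware itself) that measures Shannon entropy chunk by chunk and classifies a file as plaintext-like, fully high-entropy, or partially high-entropy. The sample data, chunk size, thresholds and the assumption that the encrypted region sits at the start of the file are all constructed for illustration.

```python
"""
Chunk-wise entropy triage for possibly partially encrypted files.
Added example; the chunk size, thresholds and sample files are assumptions.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096   # bytes per chunk (assumed)
MIN_CHUNK = 64      # trailing chunks shorter than this are folded into the previous chunk
HIGH_RATIO = 0.9    # normalized entropy at or above this is treated as ciphertext-like


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def normalized_entropy(chunk: bytes) -> float:
    """Entropy divided by its ceiling for this chunk length (8 bits, or log2(len) for short chunks),
    so that short chunks are not misread as low-entropy merely because they are short."""
    ceiling = min(8.0, math.log2(len(chunk)))
    return shannon_entropy(chunk) / ceiling


def chunk_entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    # A tiny trailing chunk gives a noisy estimate; merge it into the previous chunk.
    if len(chunks) > 1 and len(chunks[-1]) < MIN_CHUNK:
        chunks[-2:] = [chunks[-2] + chunks[-1]]
    return [normalized_entropy(c) for c in chunks]


def classify(data: bytes) -> dict:
    """Classify a file by how many of its chunks look like ciphertext.
    The whole-file ratio is reported alongside to show why chunking is needed."""
    if len(data) < MIN_CHUNK:
        return {"verdict": "too_small", "chunks": 0, "high_chunks": 0, "whole_file_ratio": 0.0}
    profile = chunk_entropy_profile(data)
    high = sum(1 for r in profile if r >= HIGH_RATIO)
    if high == len(profile):
        verdict = "fully_high_entropy"        # typical of a small file encrypted end to end
    elif high == 0:
        verdict = "plaintext_like"
    else:
        verdict = "partially_high_entropy"    # candidate for intermittent/partial encryption
    return {
        "verdict": verdict,
        "chunks": len(profile),
        "high_chunks": high,
        "whole_file_ratio": round(normalized_entropy(data), 3),
    }


def triage_samples() -> dict:
    """Constructed samples: deterministic pseudo-random bytes stand in for ciphertext."""
    rng = random.Random(2025)
    pseudo_cipher = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    text = b"The quick brown fox jumps over the lazy dog. " * 400   # 18000 bytes of plaintext
    samples = {
        "plaintext": text,
        "small_encrypted": pseudo_cipher(900),              # one chunk, fully high entropy
        "large_partial": pseudo_cipher(8192) + text,        # first two chunks encrypted, rest intact
    }
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name:16s} {result}")
```

Run as a script it prints one line per sample. The whole-file ratio of the partially encrypted file lands well below the threshold even though a quarter of its bytes are unrecoverable, which is exactly the case the chunked profile is there to catch; the same profile can feed canary-file monitoring or EDR rules that alert on sudden high-entropy writes to the head of large documents.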

This method reduces the risk of detection while increasing the overall impact, leaving many victims with the ransom payment as the only viable option.

Recovery Disruption

To prevent restoration efforts, Arcus Media aggressively wipes recovery options using built-in Windows tools. It deletes shadow backups, disables system recovery, and clears event logs. By eliminating backups and erasing forensic traces, Arcus Media leaves victims without an easy path to data recovery, further increasing the pressure to pay the ransom.
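Both behaviours above, the burst of critical-process terminations described under “Process Targeting and Termination” and the use of built-in Windows tools to delete shadow copies, disable recovery and clear event logs, leave a footprint in endpoint telemetry before any file is encrypted. The following added detection example (not Halcyon’s code or the group’s) runs two checks over constructed, Sysmon-style JSON events: a sliding-window count of terminated critical processes per host, and command-line patterns for recovery inhibition and log clearing. The event format, the process list, the window and the thresholds are assumptions; tune them to your own telemetry.

```python
"""
Two pre-encryption ransomware detections over endpoint process telemetry.
Added example; event schema, process names and thresholds are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Processes whose termination in a short burst is suspicious (assumed list;
# databases, mail, backup and security tooling as described in the report).
CRITICAL_PROCESSES = {
    "sqlservr.exe", "outlook.exe", "msexchangeis.exe",
    "veeam.backup.service.exe", "msmpeng.exe",
}

# Built-in tools used to remove recovery options (MITRE ATT&CK T1490) and
# clear event logs (T1070.001). Case-insensitive; "vssadmin list shadows" does not match.
RECOVERY_INHIBITION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
    re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I),
]

BURST_WINDOW = timedelta(seconds=30)   # assumed
BURST_THRESHOLD = 3                    # assumed


def basename(image: str) -> str:
    """Sysmon logs full image paths; compare on the lower-cased file name only."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines):
    """One JSON object per line; 'event' is process_create (Sysmon ID 1) or process_terminate (ID 5)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def detect_termination_burst(events):
    """Return [(host, first_kill_time)] where >= BURST_THRESHOLD critical
    processes were terminated within BURST_WINDOW on the same host."""
    kills = defaultdict(list)
    for ev in events:
        if ev["event"] == "process_terminate" and basename(ev["image"]) in CRITICAL_PROCESSES:
            kills[ev["host"]].append(ev["time"])
    alerts = []
    for host, times in kills.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= BURST_WINDOW:
                j += 1
            if j - i + 1 >= BURST_THRESHOLD:
                alerts.append((host, times[i]))
                break   # one alert per host is enough
    return alerts


def detect_recovery_inhibition(events):
    """Return [(host, time, cmdline)] for process creations matching a recovery-inhibition pattern."""
    hits = []
    for ev in events:
        if ev["event"] != "process_create":
            continue
        cmd = ev.get("cmdline", "")
        if any(p.search(cmd) for p in RECOVERY_INHIBITION):
            hits.append((ev["host"], ev["time"], cmd))
    return hits


# Constructed sample telemetry: one host showing the full pre-encryption sequence, one benign host.
SAMPLE_LOG = r"""
{"time": "2025-01-15T03:12:01", "host": "FS01", "event": "process_terminate", "image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"}
{"time": "2025-01-15T03:12:04", "host": "FS01", "event": "process_terminate", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"time": "2025-01-15T03:12:09", "host": "FS01", "event": "process_terminate", "image": "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe"}
{"time": "2025-01-15T03:12:30", "host": "FS01", "event": "process_create", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"time": "2025-01-15T03:12:31", "host": "FS01", "event": "process_create", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"}
{"time": "2025-01-15T09:00:00", "host": "WS07", "event": "process_terminate", "image": "C:\\Windows\\System32\\notepad.exe"}
{"time": "2025-01-15T09:00:05", "host": "WS07", "event": "process_create", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"}
{"time": "2025-01-15T11:00:00", "host": "WS07", "event": "process_terminate", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
"""


def run_detections(lines=None):
    events = parse_events((lines if lines is not None else SAMPLE_LOG).splitlines() if isinstance(lines or SAMPLE_LOG, str) else lines)
    return {"bursts": detect_termination_burst(events), "recovery": detect_recovery_inhibition(events)}


if __name__ == "__main__":
    for kind, findings in run_detections().items():
        for f in findings:
            print(kind, *f)
```

The single Outlook termination on WS07 and the read-only `vssadmin list shadows` stay quiet; FS01 raises one burst alert and two recovery-inhibition hits within the same minute, which is the correlation worth paging on. In production the same logic applies to Sysmon Event IDs 1 and 5 or Windows 4688 with command-line auditing enabled, and the shadow-copy and log-clearing commands are rare enough in normal administration that each deserves review on its own.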

Defensive Implications

Arcus Media’s sophisticated tactics present a significant challenge to companies trying to maintain their cyber defenses. Their strategies – and successes – now force organizations to rethink traditional ransomware defenses and adopt new approaches to cybersecurity.

Proactive ransomware prevention is a crucial first step. This includes the combination of endpoint detection solutions, employee training programs, and backup systems that are isolated from network environments. Additionally, rapid response and recovery protocols must be created to mitigate the operational impact of a successful ransomware attack.

Halcyon’s research reinforces these points and highlights the need for advanced, multi-layered cybersecurity defenses. The broader implications are clear: Cybersecurity strategies must adapt to increasingly complex and targeted ransomware threats. Investing in the tools that combine prevention, detection, and rapid recovery will be vital in successfully defending against today’s evolving threat landscape.

Strengthening Defenses Against Ransomware

As ransomware actors continue to refine their extortion strategies, companies must do all they can to remain vigilant, proactive, and well-prepared to minimize the risks posed by threat actors and ransomware specialists such as Arcus Media.

Ransomware groups like Arcus Media demonstrate the urgency of investing in advanced cybersecurity defenses. Organizations must adopt proactive measures to defend against these sophisticated attacks and ensure they can recover quickly if compromised. Now is the time to act and strengthen defenses – before it’s too late.

Author
  • Contributing Writer
    Jason Rasmuson is a Massachusetts-based writer with more than 25 years of experience writing for the technology and cybersecurity industries. He is passionate about writing about the interaction between business…