A sophisticated actor known as Sarcoma ransomware has emerged, operating with a level of professionalism that sets it apart.
A Sarcoma attack is a one-two punch. First, an alert confirms your systems are encrypted and operations are at a standstill. But the true crisis is revealed next. The attacker also has terabytes of your sensitive data, including financial records, customer lists, and intellectual property. A countdown clock for its public release has just begun.
This ruthless model is called double extortion. The reality of this threat was clear when the Swiss nonprofit health organization Radix was hit. Attackers exfiltrated two terabytes of data before encrypting the network. Sarcoma doesn’t just lock your data: they own it. This fundamentally changes the nature of the crisis.
Understanding this threat is the first step toward building a resilient defense against it. This briefing will break down Sarcoma’s methods and provide the key questions you need to ask to ensure your organization is prepared.
Why Sarcoma Ransomware Matters to You
Sarcoma is not random malware. It is a criminal enterprise with a calculated business plan. The group’s approach is methodical, aimed at maximizing profit by targeting specific business vulnerabilities.
Precision Targeting
This group has identified a clear sweet spot. Their primary targets are organizations in the $1M to $10M revenue bracket, but they hit larger enterprises up to $250M. These are companies that are large enough to pay a significant ransom but often lack the dedicated security resources of a global giant. They focus on data-rich sectors like healthcare, manufacturing, and finance.
Calculated Professionalism
This is not the work of amateurs. Security researchers suspect links to established Eastern European cybercrime syndicates like RomCom (Storm-0978).
This professionalism is visible in their code. For instance, the malware includes a unique ‘kill switch’: it checks for the presence of an Uzbek keyboard layout on a victim’s machine. If detected, it immediately deletes itself. This is a deliberate tactic to avoid prosecution and scrutiny in their likely home region, demonstrating a level of operational security rarely seen.
Double Extortion: The True Cost
The ransom demand is often the smallest part of the total cost. By employing double extortion, Sarcoma creates a no-win situation. Backups can restore encrypted systems, but they cannot stop a public data leak.
Think of it like a thief who doesn’t just lock you out of your building but also leaves with the blueprints and threatens to publish them. The resulting damage from regulatory fines (like GDPR and CCPA), loss of customer trust, and compromised competitive advantage can be catastrophic.
To build an effective defense, you must first understand the attacker’s playbook.
Sarcoma Ransomware’s Attack Path: A Tactical Breakdown
Sarcoma’s attack is a methodical, multi-stage process that chains common, well-documented techniques to reach its goal.
This breakdown maps the group’s methods to the MITRE ATT&CK® framework, a globally-accessible knowledge base of adversary tactics and techniques.
Initial Access
Like many threat actors, Sarcoma gains its initial foothold through the most reliable entry points. The group heavily relies on phishing campaigns (T1566) with malicious links or attachments.
They also actively exploit unpatched public-facing applications (T1190) and take advantage of exposed or poorly configured Remote Desktop Protocol (RDP) access (T1078), which, left unsecured, is an open door into a network.
In several sophisticated cases, they have been known to conduct supply chain attacks (T1195), compromising a trusted vendor to gain access to their ultimate target.
Internal Operations: Living Off the Land
Once inside, Sarcoma’s primary goal is to remain undetected, while escalating privileges and moving laterally across the network. To do this, they employ a Living-off-the-Land strategy, using a system’s own legitimate tools against it.
Instead of deploying custom malware that might trigger alerts, they use built-in utilities like PowerShell (T1059.001) to run obfuscated scripts that disable security features and terminate database processes. They use legitimate Remote Monitoring and Management (RMM) tools (T1047) for network discovery and steal credentials (T1003) to gain deeper access.
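The passage above describes the behaviours a defender can actually look for in PowerShell and process-creation telemetry: real-time protection being switched off, database engines being stopped so their files can be encrypted, and encoded command lines that hide both. The following is an added example, not code from Lumu or from any Sarcoma analysis; the event records are constructed to resemble a SIEM export of Windows Event 4688 command lines and Event 4104 script blocks, and the rule patterns are illustrative rather than a complete signature set.

```python
import base64
import re

# Constructed sample records, shaped like a SIEM export of Windows process
# creation command lines (Event ID 4688) and PowerShell script block logs
# (Event ID 4104). They are illustrative only, not real Sarcoma artifacts.
SAMPLE_EVENTS = [
    {"host": "fs01", "event_id": 4104,
     "text": "Get-ChildItem C:\\Shares -Recurse | Measure-Object"},
    {"host": "sql02", "event_id": 4104,
     "text": "Set-MpPreference -DisableRealtimeMonitoring $true; "
             "Stop-Process -Name sqlservr -Force"},
    {"host": "app03", "event_id": 4688,
     "text": "powershell.exe -nop -w hidden -EncodedCommand "
             + base64.b64encode(
                 "Stop-Service -Name MSSQLSERVER -Force".encode("utf-16le")
             ).decode()},
    {"host": "hr04", "event_id": 4104,
     "text": "Get-Service | Where-Object { $_.Status -eq 'Running' }"},
]

# Database engine process/service names whose termination typically precedes
# encryption: files held open by a running engine cannot be overwritten.
DB_NAMES = r"(sqlservr|mssqlserver|oracle|mysqld|postgres|mongod)"

RULES = {
    # Defender real-time protection disabled, exclusions added, or the service stopped.
    "impair_defenses": re.compile(
        r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion|"
        r"Stop-Service\s+(-Name\s+)?['\"]?WinDefend|sc(\.exe)?\s+(stop|config)\s+WinDefend",
        re.IGNORECASE),
    # Any of the usual process/service termination verbs aimed at a database engine.
    "terminate_database": re.compile(
        r"(Stop-Process|Stop-Service|taskkill|net\s+stop)\b[^;\n]*" + DB_NAMES,
        re.IGNORECASE),
    # A base64 payload handed to powershell.exe via -EncodedCommand or its aliases.
    "obfuscated_launch": re.compile(
        r"-(EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE),
}

ENCODED_ARG = re.compile(
    r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(text):
    """Return the UTF-16LE payload behind a -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return the sorted rule names matched by the event text and, if present,
    by the decoded payload of an encoded command (so encoding hides nothing)."""
    hits = set()
    texts = [event["text"]]
    decoded = decode_encoded_command(event["text"])
    if decoded:
        texts.append(decoded)
    for t in texts:
        for name, pattern in RULES.items():
            if pattern.search(t):
                hits.add(name)
    return sorted(hits)


def triage(events):
    """Map each host to the rules it tripped, omitting hosts with no hits."""
    findings = {}
    for ev in events:
        hits = analyze(ev)
        if hits:
            findings.setdefault(ev["host"], set()).update(hits)
    return {host: sorted(rules) for host, rules in findings.items()}


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

The point of decoding the encoded command before matching is that a rule which only inspects the visible command line sees nothing suspicious about `app03`; once the payload is decoded, the same database-termination rule fires. A host that trips both `impair_defenses` and `terminate_database` in one script block, as `sql02` does, is the pattern the briefing describes and warrants immediate isolation rather than a ticket.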
Impact: The Double Extortion Payoff
After mapping the network and securing high-level access, the group executes its final, devastating one-two punch.
First, they perform data exfiltration (T1041), quietly stealing gigabytes or even terabytes of sensitive information. Only after the data is secured on their servers do they trigger the encryption routine (T1486), using the powerful CryptoPP library to lock critical files.
Finally, the compromised data is listed on their dark web leak site (T1561.002), adding public pressure to pay the ransom on top of the technical crisis and completing the double extortion.
Sarcoma Ransomware: Key Tactics, Techniques, and Procedures (TTPs)
| Tactic (MITRE ATT&CK Phase) | Technique ID | Technique Name / Description |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Initial Access | T1078 | Valid Accounts (RDP Exploitation) |
| Initial Access | T1195 | Supply Chain Compromise |
| Execution | T1059.001 | PowerShell |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Privilege Escalation | T1003 | OS Credential Dumping |
| Defense Evasion | T1036 | Masquerading (Uzbek keyboard check) |
| Defense Evasion | T1562 | Impair Defenses |
| Discovery | T1047 / T1018 | Windows Management Instrumentation / Remote System Discovery |
| Lateral Movement | T1021 | Remote Services |
| Impact | T1041 | Exfiltration Over C2 Channel |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1561.002 | Data Leak Site Publication |
On top of this, Sarcoma uses anonymization tools, such as TOR, throughout their attacks. This makes it more difficult for signature-based defenses to spot a malicious contact.
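Because Tor traffic carries no payload signature to match, spotting it on the network comes down to correlating destinations against a published relay list and looking for the side effects of a Tor client (default relay ports, .onion lookups leaking to the corporate resolver, unusual outbound volume). The following is an added example of that correlation, not Lumu Defender's logic or any product code: the relay addresses are placeholders from RFC 5737 documentation ranges, and the flow and DNS records are constructed. In practice the relay set would be refreshed from a published source such as the Tor Project's bulk exit list; no network fetch is done here.

```python
import ipaddress

# Placeholder relay addresses (RFC 5737 documentation ranges). In production
# this set is refreshed from a published list, e.g.
# https://check.torproject.org/torbulkexitlist; nothing is fetched here.
KNOWN_TOR_RELAYS = {"203.0.113.7", "198.51.100.42"}

# Default Tor relay ports (ORPort 9001, DirPort 9030). Many relays also listen
# on 443, so a port match alone is a weak signal and is only scored.
TOR_DEFAULT_PORTS = {9001, 9030}

# Internal address space; east-west flows are out of scope for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed outbound flow records in a NetFlow-like shape.
SAMPLE_FLOWS = [
    {"src": "10.0.5.21", "dst": "203.0.113.7",   "dport": 443,  "bytes_out": 120_000},
    {"src": "10.0.5.21", "dst": "198.51.100.10", "dport": 443,  "bytes_out": 3_000},
    {"src": "10.0.7.9",  "dst": "192.0.2.200",   "dport": 9001, "bytes_out": 900_000_000},
    {"src": "10.0.7.9",  "dst": "10.0.1.5",      "dport": 445,  "bytes_out": 20_000},
]

# Constructed resolver log. A .onion query should never reach the corporate
# DNS; it indicates a misconfigured or leaking Tor client on the source host.
SAMPLE_DNS = [
    {"src": "10.0.9.3", "qname": "example.com"},
    {"src": "10.0.9.3", "qname": "constructedexampleservice.onion"},
]


def is_internal(addr):
    """True if the address falls inside RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def score_flow(flow):
    """Return (score, reasons) for one outbound flow; internal destinations score 0.
    Weights are illustrative: a relay hit alone crosses the alert threshold,
    a default port needs corroboration such as exfiltration-sized volume."""
    if is_internal(flow["dst"]):
        return 0, []
    score, reasons = 0, []
    if flow["dst"] in KNOWN_TOR_RELAYS:
        score += 80
        reasons.append("destination is a known Tor relay")
    if flow["dport"] in TOR_DEFAULT_PORTS:
        score += 40
        reasons.append(f"default Tor relay port {flow['dport']}")
    if flow["bytes_out"] >= 500_000_000:
        score += 30
        reasons.append("large outbound volume (possible exfiltration)")
    return score, reasons


def detect_tor(flows, dns_queries, threshold=70):
    """Return {source_host: {"score", "reasons"}} for hosts that cross the
    threshold on any flow or that looked up a .onion name."""
    alerts = {}
    for f in flows:
        score, reasons = score_flow(f)
        if score >= threshold:
            a = alerts.setdefault(f["src"], {"score": 0, "reasons": []})
            a["score"] = max(a["score"], score)
            a["reasons"].extend(reasons)
    for q in dns_queries:
        if q["qname"].lower().endswith(".onion"):
            a = alerts.setdefault(q["src"], {"score": 0, "reasons": []})
            a["score"] = max(a["score"], 90)
            a["reasons"].append(f".onion DNS lookup for {q['qname']}")
    return alerts


if __name__ == "__main__":
    for host, alert in detect_tor(SAMPLE_FLOWS, SAMPLE_DNS).items():
        print(f"{host} [{alert['score']}]: {'; '.join(alert['reasons'])}")
```

The three hosts flagged by the sample data illustrate three different signals: a direct relay match, a default-port connection corroborated by exfiltration-sized volume, and a leaked .onion lookup. A workstation that produces any of these during business hours is worth treating as the first telltale sign the briefing refers to, since it appears before encryption and usually before exfiltration completes.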
With a clear understanding of Sarcoma’s tactics, leaders can shift from analysis to action. This begins by asking the right strategic questions to identify potential gaps in your organization’s defenses.
Three Questions to Guide Your Defense Strategy
This intelligence on Sarcoma’s attack path leads us to some very specific questions. These will reveal your organization’s resilience against a threat like Sarcoma Ransomware.
Are we monitoring for threats within our network, not just perimeter breaches?
Sarcoma’s use of Living off the Land techniques means they operate inside your network using your own legitimate tools (like PowerShell and RMM software). Traditional firewalls and antivirus are designed to stop threats at the door and may miss this internal activity. Do you have visibility into your east-west network traffic to spot a trusted tool being used for malicious purposes?
Is our incident response plan ready for a data leak, not just data loss?
Backups are critical for recovering from an encryption event (data loss), but they cannot stop a public data leak. The threat of public exposure involves a completely different set of risks, including regulatory fines, lost customer trust, and brand damage. Does your incident response plan have a dedicated playbook for a public data extortion crisis, including legal, communications, and compliance strategies?
Is our security posture reactive or proactive?
Waiting for public reports on a new threat means you are already playing defense. A proactive posture requires real-time intelligence on attacker infrastructure, allowing your team to block threats before they can execute. You should also stay up to date on intelligence about your own external attack surface. Are you equipped to get ahead of the threat, or are you waiting for the next industry-wide alert?
This brings us to the final, critical question: how do you protect against double extortion attacks?
Building a Resilient Defense
Sarcoma represents a strategic shift in the cybercrime landscape, proving that resilience in 2025 cannot be purely reactive. It exploits not just technical vulnerabilities but business vulnerabilities — an organization’s reliance on data and its fear of public exposure.
A modern defense, therefore, requires a strategic move toward proactive security, grounded in broad visibility and real-time intelligence. Building this proactive defense means answering the key questions posed by threats like Sarcoma:
- Understand your vulnerabilities. You must first see your organization as an attacker does. Lumu Discover continuously evaluates your external attack surface, identifying potential entry points before they can be exploited.
- Detect internal threats. You need good network visibility. Lumu Defender NDR provides this, spotting the subtle Living-off-the-Land techniques and lateral movements that other tools miss.
- Block anonymous traffic. Defender’s ability to spot and block use of TOR or other anonymizers on the network is critical. These are potentially the first telltale signs of a Sarcoma attack.
- Stay ahead of the adversary. Your defense must be powered by real-time data. Lumu Maltiverse delivers the actionable threat intelligence needed to identify and block attacker infrastructure proactively.
These capabilities are integrated components of a modern security operations strategy. Discover how the Lumu SecOps Platform unifies these tools to help you stop reacting and start defending your organization.