Breach Monitoring News Feed

Arcus Media first emerged in May 2024 and operates as a Ransomware-as-a-Service (RaaS) with a double-extortion model—encrypting data and threatening to leak it if the ransom isn't paid. The group leverages advanced capabilities including selective encryption (partial encryption of large files with the ChaCha20 cipher and RSA‑2048 key protection), privilege escalation, disabling recovery mechanisms, and terminating critical services like SQL servers and email clients to maximize disruption and thwart defense. Initial access comes through phishing, credential theft, or exploitation of vulnerabilities, with lateral movement facilitated by tools like Mimikatz and Cobalt Strike. Since its debut, Arcus Media has — by mid‑2025 — been linked to 50+ confirmed attacks, spanning industries such as business services, retail, media, healthcare, and manufacturing across the Americas, Europe, and Asia. Victims include high-profile targets like Braz Assessoria Contábil and FILSCAP.

Argonauts Group is a data extortion operation that surfaced around September–October 2024, primarily targeting organizations in Italy, as well as entities in Taiwan, Japan, Canada, and the U.S. It does not appear to use conventional file-encryption ransomware methods—instead, it steals data and operates a dedicated data leak site (DLS) to pressure victims into paying. Victims span sectors like technology, manufacturing, transportation/logistics, and healthcare. The group has claimed to steal substantial volumes of sensitive information—e.g., 200 GB from Ivy Life Sciences (Taiwan) and 140 GB from Japan’s Zacros—and publicly disclosed some samples on its leak site. Although some references imply prior activity back to October 2021, these appear to be less reliable and not substantiated by authoritative intel. As of now, there is no clear evidence of traditional ransomware encryption, ransom notes, or RaaS infrastructure.

Arkana Security emerged in early 2025, debuting with a high-profile data-extortion campaign against the U.S. internet provider WideOpenWest (WOW!). The group does not appear to deploy actual ransomware encryption; rather, it operates a data-broker-led, leak-centric extortion model, with a structured "Ransom → Sale → Leak" progression. Victims so far include WOW! and several other organizations across sectors such as telecommunications, mining, finance, electronics, and music/entertainment, spanning the U.S. and UK. Arkana facilitates its threats through doxxing and "Wall of Shame" tactics, leveraging psychological pressure rather than encrypting systems. Its operations are characterized by post-intrusion lateral movement and deep backend access.

Arvin Club first appeared around early to mid-2021, debuting on its Tor leak site with posts dating back to May 5, 2021. While frequently characterized as ransomware, there is no verified evidence of file encryption or RaaS operations—its behavior aligns more closely with data-leak and hacktivist activity. The group actively publishes stolen data via its Onion site and maintains a prominent presence on Telegram, operating both official channels and group chats (notably with Persian-language content). A known target includes India's Kendriya Vidyalaya school network among others. Arvin Club has shown ideological leanings (notably support for REvil) and claims to have “hacktivist” motivations, including activities against the Iranian regime. No encryption algorithms, file extensions, or ransom notes have been publicly documented.

AstraLocker first appeared in 2021, likely as a fork of Babuk ransomware using leaked source code. It follows a single-extortion, smash-and-grab approach: distributed directly via phishing Microsoft Word documents containing embedded OLE objects. Once executed, it kills security and backup processes, deletes shadow copies, and encrypts files using modified HC-128 and Curve25519 algorithms, appending extensions like .Astra or .babyk. A “smash-and-grab” style attack, it’s less methodical than more sophisticated campaigns—deploying ransomware immediately upon user action rather than conducting prolonged network reconnaissance. In mid-2022, the operator ceased ransomware operations, releasing decryptors and announcing a pivot to cryptojacking.

AtomSilo emerged in September 2021 and ceased operations by year-end 2021. It functioned with a double‑extortion model, combining file encryption with data exfiltration and leak threats. The malware uses a hybrid encryption scheme—AES‑256 for file encryption and RSA‑4096 to secure the AES key—and appends the extension .ATOMSILO to encrypted files. Ransom notes follow formats like README-FILE-{computer name}-{timestamp}.hta or ATOMSILO-README.hta. Structurally and operationally, AtomSilo closely resembles the LockFile ransomware and is attributed to the Chinese state-linked actor BRONZE STARLIGHT (aka Cinnamon Tempest, DEV‑0401, Emperor Dragonfly, SLIME34), likely serving as a smokescreen for espionage-driven data theft. Victims spanned multiple industries and countries, including notable high extortion demands up to $1 million USD. The group also exploited the Atlassian Confluence vulnerability (CVE‑2021‑26084) for initial access and used DLL side‑loading for stealthy deployment.

Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

First observed in July 2021, AvosLocker operates as a Ransomware-as-a-Service (RaaS) platform employing a double-extortion model—encrypting files and exfiltrating data with threats to leak it publicly. Its affiliates have targeted diverse environments including Windows, Linux, and VMware ESXi, particularly impacting sectors such as education, government, manufacturing, and healthcare across the U.S., Canada, and numerous other countries. Affiliates gain access through phishing emails, exploitation of vulnerabilities (notably Microsoft Exchange ProxyShell/log4j, Zoho ManageEngine), and compromised remote services. Technically, AvosLocker uses AES (with RSA-wrapped keys) for file encryption, often executing in safe mode to bypass security defenses, and directs victims to ransom notes like GET_YOUR_FILES_BACK.txt while changing the desktop wallpaper. Its data leak site operated from mid-2021 until about July–August 2023. No activity has been observed since May 2023.

AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities. In March 2022, the FBI and US Treasury Department issued a warning about the attacks.

Axxes ransomware emerged as a rebranded version of the previously known Midas ransomware group, with roots also tracing back through Haron and Avaddon lineage. It operates via a single-extortion model, encrypting files and appending the .axxes extension. Victims receive both an “RESTORE_FILES_INFO.hta” and a “.txt” ransom note. The ransomware performs extra actions like determining the device’s geolocation, modifying the Windows Firewall, changing file extensions, and terminating processes using taskkill.exe. Its known targets span the U.S., UAE, France, and China, including at least one high-profile victim—The H Dubai hotel. This group appears financially motivated, leveraging historical branding and code of earlier groups for its operations.