Cyber Security News

Arcus Media Ransomware Deletes Backups, Clears Logs and Disables Recovery After Locking Files

The Arcus Media ransomware has emerged as a significant cybersecurity threat, employing advanced techniques to maximize disruption and hinder recovery efforts.

Operating under a Ransomware-as-a-Service (RaaS) model, the group has targeted industries worldwide, including business services, retail, and media, since its debut in May 2024.

Arcus Media ransomware demonstrates a highly technical approach to ensure operational impact and complicate defensive measures:

  1. Elevation of Privilege: If the process is not already running with administrative rights, it re-launches itself through the ShellExecuteExW API with the "runas" verb, which requests elevation through UAC.
  2. Process Termination: It enumerates running processes with the CreateToolhelp32Snapshot API and terminates those that would keep target files locked, such as SQL servers and email clients. Targeted processes include:
  • sqlservr.exe
  • msaccess.exe
  • mysqld.exe
  3. Selective Encryption: Files are encrypted with the ChaCha20 stream cipher, and the ChaCha20 keys are protected with RSA-2048. Files larger than 2 MiB are only partially encrypted for speed, and each encrypted file is renamed with the suffix [Encrypted].Arcus.
  4. Backup Disruption: To prevent recovery, it runs commands that delete Volume Shadow Copies, clear the Security event log and disable the Windows Recovery Environment:
   vssadmin delete shadows /all /quiet
   wevtutil cl Security
   bcdedit /set {default} recoveryenabled no
  5. Persistence Mechanisms: The ransomware copies itself to C:\ProgramData\svccost.exe and attempts to establish registry-based persistence.

Halcyon analysts observed that Arcus Media targets recovery mechanisms by deleting shadow copies and clearing event logs, leaving victims with few options for restoring their systems without the attackers' key.

Its encryption process renders files inaccessible without the decryption key stored on attacker-controlled servers.

Double Extortion Tactics

Beyond encryption, Arcus Media exfiltrates sensitive data, threatening public leaks if ransom demands are unmet. This tactic amplifies pressure on victims by leveraging potential reputational damage.

The ransomware also disables the Windows Firewall for the active profile and clears the Security event log, which removes the logon and process records an investigator would otherwise rely on, using the commands:

netsh advfirewall set currentprofile state off
wevtutil cl Security
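The commands in the backup-disruption step above and the two defence-evasion commands just listed are the most reliable place to catch this family before encryption starts, because they run as ordinary child processes and show up in process-creation telemetry. Below is an added detection example written for this page; it is not code from Halcyon or from the article. It assumes process-creation events (Windows Security event 4688 or Sysmon event 1) have been exported as dicts with UtcTime, Computer, Image and CommandLine fields, and the events it scans are constructed for the demonstration. It also correlates hits per host, because a lone `vssadmin delete shadows` is routine on a backup server while the combination seen here is not.

```python
"""Flag Arcus Media-style recovery inhibition and defence evasion in
process-creation telemetry.

Added example for this page, not code from Halcyon or from the article.
Assumes process-creation events (Windows Security 4688 or Sysmon event 1)
exported as dicts with UtcTime, Computer, Image and CommandLine fields.
SAMPLE_EVENTS below is constructed for the demonstration.
"""
import json
import re
from datetime import datetime, timedelta

# (tactic label, regex over the normalised command line). The patterns mirror
# the commands the article attributes to Arcus Media and tolerate mixed case,
# extra whitespace, a full path to the binary and the long form of wevtutil cl.
RULES = [
    ("shadow-copy-deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("event-log-clearing",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+")),
    ("recovery-environment-disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("firewall-disabled",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\S+\s+state\s+off\b")),
]

# Path the article reports the sample copies itself to for persistence.
SUSPECT_IMAGES = {r"c:\programdata\svccost.exe"}

# Constructed events: one compromised file server (FS01), one admin listing
# shadows (WS17) and one backup server pruning old shadows legitimately (BK02).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-06-03 02:14:05", "Computer": "FS01",
     "Image": r"C:\ProgramData\svccost.exe", "CommandLine": r"C:\ProgramData\svccost.exe"},
    {"UtcTime": "2024-06-03 02:14:07", "Computer": "FS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"UtcTime": "2024-06-03 02:14:08", "Computer": "FS01",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r'"C:\Windows\System32\wevtutil.exe" cl Security'},
    {"UtcTime": "2024-06-03 02:14:09", "Computer": "FS01",
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"UtcTime": "2024-06-03 02:14:10", "Computer": "FS01",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "NETSH advfirewall set currentprofile state OFF"},
    {"UtcTime": "2024-06-03 09:30:00", "Computer": "WS17",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
    {"UtcTime": "2024-06-03 10:05:12", "Computer": "BK02",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /for=D: /oldest"},
]


def normalise(cmd):
    """Strip quotes, collapse whitespace and lower-case so one regex per
    command covers the common ways the same invocation is written."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip().lower()


def match_rules(cmd):
    """Return the tactic labels whose pattern matches the command line."""
    text = normalise(cmd)
    return [tactic for tactic, rx in RULES if rx.search(text)]


def scan_events(events):
    """Return one alert dict per (event, tactic) hit."""
    alerts = []
    for ev in events:
        when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        tactics = match_rules(ev.get("CommandLine", ""))
        if normalise(ev.get("Image", "")) in SUSPECT_IMAGES:
            tactics.append("known-dropper-path")
        for tactic in tactics:
            alerts.append({"time": when, "host": ev["Computer"],
                           "tactic": tactic, "cmd": ev.get("CommandLine", "")})
    return alerts


def correlate(alerts, window=timedelta(minutes=10), min_tactics=2):
    """Report hosts where at least min_tactics distinct tactics fire inside
    `window`; a single hit is left for triage, the chain is escalated."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    findings = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        for i, first in enumerate(items):
            tactics = {a["tactic"] for a in items[i:] if a["time"] - first["time"] <= window}
            if len(tactics) >= min_tactics:
                findings[host] = sorted(tactics)
                break
    return findings


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for a in hits:
        print(a["time"], a["host"], a["tactic"], a["cmd"])
    print(json.dumps(correlate(hits), indent=2))
```

Running it escalates only FS01, where the dropper path, shadow deletion, log clearing, recovery disablement and firewall change all land within a few seconds; BK02's single legitimate `vssadmin delete` stays a low-priority hit. Tune `window` and `min_tactics` to the environment rather than suppressing the individual rules.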

Organizations can mitigate the risk by maintaining offline or immutable backups that the ransomware cannot reach from a compromised host, deploying endpoint detection and response (EDR) tooling that alerts on shadow-copy deletion and log clearing, and training employees to recognise phishing, since initial access often starts with a malicious email.

Indicators of Compromise

  • Encrypted files with [Encrypted].Arcus extensions.
  • Presence of ransom notes named Arcus-ReadMe.txt.
  • Processes terminated abruptly or system slowdowns.
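The first two indicators above are file-system artefacts, so the fastest way to scope an incident is to sweep the affected shares and profiles for them. The following is an added triage example written for this page, not code from the article or from Halcyon. It walks a directory tree (a mounted share or a forensic image) for files carrying the `[Encrypted].Arcus` suffix, `Arcus-ReadMe.txt` ransom notes and a `svccost.exe` sitting directly under a ProgramData directory (the persistence path the article reports), and recovers the original file names from the suffix. The victim layout it scans is constructed in a temporary directory so the script runs anywhere.

```python
"""Scope an Arcus Media infection from the on-disk indicators listed above.

Added example for this page, not code from the article or from Halcyon.
It walks a directory tree and reports files carrying the [Encrypted].Arcus
suffix, Arcus-ReadMe.txt ransom notes and a svccost.exe dropped directly
under a ProgramData directory. run_demo() builds a constructed victim layout
in a temporary directory so the sweep runs on any platform.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = "[Encrypted].Arcus"
RANSOM_NOTE = "Arcus-ReadMe.txt"
DROPPER_NAME = "svccost.exe"  # article: copied to C:\ProgramData\svccost.exe


def original_name(name):
    """Strip the ransomware suffix to recover the pre-encryption file name,
    or return None if the file does not carry it. The comparison is
    case-insensitive because NTFS is."""
    if name.lower().endswith(ENCRYPTED_SUFFIX.lower()):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return None


def sweep(root):
    """Return {'encrypted', 'notes', 'dropper'} -> sorted POSIX-style paths
    relative to root."""
    root = Path(root)
    found = {"encrypted": [], "notes": [], "dropper": []}
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        for name in files:
            rel = (here / name).relative_to(root).as_posix()
            low = name.lower()
            if original_name(name) is not None:
                found["encrypted"].append(rel)
            elif low == RANSOM_NOTE.lower():
                found["notes"].append(rel)
            # Only a svccost.exe directly under a ProgramData directory matches
            # the path the article reports; the file name alone is too generic.
            elif low == DROPPER_NAME.lower() and here.name.lower() == "programdata":
                found["dropper"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def affected_roots(found):
    """Count encrypted files per top-level directory, to see which shares or
    profiles the ransomware reached and which it did not."""
    counts = {}
    for rel in found["encrypted"]:
        top = rel.split("/")[0]
        counts[top] = counts.get(top, 0) + 1
    return counts


def build_sample_tree(base):
    """Constructed victim layout (not real data) for the demonstration."""
    layout = [
        "ProgramData/svccost.exe",
        "Users/alice/Documents/q2-forecast.xlsx[Encrypted].Arcus",
        "Users/alice/Documents/Arcus-ReadMe.txt",
        "Shares/Finance/ledger.accdb[Encrypted].Arcus",
        "Shares/Finance/budget.xlsx[encrypted].arcus",  # case variant
        "Shares/Finance/Arcus-ReadMe.txt",
        "Shares/Finance/untouched.txt",
        "Windows/System32/svccost.exe",  # same name, not the reported path
    ]
    for rel in layout:
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")


def run_demo():
    """Build the sample tree in a temp dir, sweep it and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = sweep(tmp)
    return found, affected_roots(found)


if __name__ == "__main__":
    found, roots = run_demo()
    for kind, paths in found.items():
        print(kind, paths)
    print("encrypted files per top-level directory:", roots)
```

Point `sweep()` at a real mount point to get a per-share count of encrypted files and the list of original names for restoration planning; the `Windows/System32/svccost.exe` entry in the sample shows why the dropper check keys on the directory and not just the file name.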


Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
