Sarcoma is a ransomware and extortion threat actor first publicly observed in October 2024. It is commonly referred to as Sarcoma, Sarcoma Group, or Sarcoma ransomware. Reporting consistently characterizes it as a ransomware-as-a-service or affiliate-driven operation that uses double extortion, combining data theft with threats to publish stolen information and, in at least some intrusions, file encryption. Some reporting also notes extortion-only behavior in which data theft and leak threats are emphasized without encryption. Sarcoma rapidly established itself as an active global threat, with victims reported across multiple regions and sectors. Observed targeting includes government-linked entities, healthcare and health nonprofits, manufacturing, electronics and printed circuit board production, and broader supply-chain-connected organizations. Publicly discussed incidents include attacks affecting Swiss government-related service providers and Taiwanese electronics manufacturing, indicating an interest in organizations whose disruption or data exposure can create downstream impact on public-sector or industrial ecosystems. The group is associated with opportunistic but increasingly sophisticated intrusion activity. Reported initial access methods include phishing, exploitation of older vulnerabilities, and supply-chain compromise paths. Post-compromise behavior includes use of remote administration and remote monitoring and management tools for reconnaissance, persistence, and lateral movement, as well as abuse of RDP in victim environments. Sarcoma has been described as conducting data exfiltration before extortion and, where deployed, encryption in later stages of the attack lifecycle. Sarcoma is notable for its focus on double extortion and supply-chain attacks. In industrial and manufacturing contexts, it has been linked to incidents with potential operational and downstream business impact. It has also been cited among newer extortion actors that reflect a broader ecosystem trend toward data-theft-led coercion, including leak-site pressure tactics and reduced reliance on encryption as the sole leverage mechanism. Attribution to a specific state is not established. Sarcoma is generally treated as a financially motivated cybercriminal actor rather than a confirmed nation-state operation. Some commentary has speculated about Eastern European criminal links, but such attribution is not corroborated at high confidence. No confirmed sub-groups are established in the available reporting beyond the common aliases Sarcoma Group and Sarcoma ransomware.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Sarcoma is a financially motivated ransomware group known for double-extortion attacks, combining data theft with system encryption. They target mid-market and larger organizations, especially in manufacturing, technology, and construction, primarily in Western countries. Sarcoma operates a Ransomware-as-a-Service (RaaS) model with a small set of trusted partners, uses advanced evasion and anti-forensics techniques, and frequently updates its malware to target Windows, Linux, and ESXi environments. They leverage phishing, credential theft, exploitation of unpatched services, and third-party access for initial entry, followed by lateral movement, data exfiltration, and rapid encryption. Their extortion model relies on public data leaks and negotiation portals.
Named ransomware group referenced in victim-claim rankings based on data-leak site postings.
Named ransomware group referenced in victim-claim rankings based on data-leak site postings.
Ransomware group targeting government and manufacturing victims, with Windows and Linux variants supporting network spread and ESXi snapshot deletion.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.