Arcus Media is a ransomware-as-a-service operation that emerged in 2024 and has been described as a technically advanced and active extortion actor. The group is associated with double-extortion ransomware activity, combining data theft with encryption and public leak-site pressure. Arcus Media has been observed targeting organizations across multiple countries and sectors, including technology, transportation and logistics, consumer services, public-sector entities, and organizations linked to industrial and critical infrastructure. Reporting indicates that Arcus Media has shown interest in industrial and critical infrastructure targets, placing it within the broader trend of ransomware actors pursuing operationally sensitive victims. The group has been associated with credential harvesting, including theft of browser-stored credentials, and appears to participate in the broader ransomware ecosystem’s use of common affiliate-driven tradecraft such as opportunistic targeting, data exfiltration, and timed extortion deadlines. Known aliases include arcusmedia and arcus_media. Based on available information, Arcus Media is best characterized as a financially motivated ransomware group rather than a clearly attributed nation-state actor. Publicly available information in this dataset does not establish a confirmed government affiliation, geographic origin, or identified sub-groups with high confidence.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack resulting in a data breach against Perpustam in Malaysia.
Conducting a ransomware attack resulting in a data breach against gemese.pt.
Conducting a ransomware attack resulting in a data breach against Distribox.
Conducting a ransomware attack resulting in a data breach against Be Travel in South Africa's hospitality and tourism sector.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.