Sarcoma is an emerging ransomware group/ransomware-as-a-service operation first identified in October 2024. Reporting in the provided content describes it as using a double-extortion model, with data theft followed by threats to leak stolen information and, in some cases, encryption of victim files. Sarcoma has been characterized as specializing in supply-chain attacks and has been observed impacting industrial and manufacturing organizations as well as healthcare-related entities and government-connected third parties.
The group gained attention through attacks including Taiwanese PCB manufacturer Unimicron and the June 2025 intrusion into Zurich-based Swiss health nonprofit Radix. In the Radix incident, Sarcoma affiliates reportedly compromised systems on June 16, 2025, encrypted some files, and later published stolen data on the group’s leak portal after extortion failed. Multiple reports in the content state the leaked Radix data included government-related information because Radix provides services to Swiss federal offices; Swiss authorities said government data may have been affected, though government IT systems were not directly compromised. Sarcoma reportedly claimed to have exfiltrated between 1.3 TB and 2 TB of Radix data, including document scans, financial records, contracts, and communications.
High-confidence reporting in the content states Sarcoma uses phishing, exploitation of older vulnerabilities, and supply-chain compromise for initial access, then leverages RDP for lateral movement. It has also been reported to abuse legitimate remote monitoring and management (RMM) tools for reconnaissance and lateral movement. The group is described as targeting supply chains and causing both data-breach exposure and operational disruption. The content notes Sarcoma had claimed over 100 victims globally, including victims in the United States, Italy, and Canada, and was active enough in 2025 to be listed among notable ransomware groups tracked on leak sites.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"Radix ... said that Sarcoma ransomware affiliates compromised its systems on June 16."
2 distinct techniques documented for this family, organized by ATT&CK tactic.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Sarcoma is a financially motivated ransomware group that combines data theft with system encryption for double-extortion. It targets organizations by stealing sensitive data before encrypting systems, then threatens public disclosure to pressure victims into paying. Sarcoma operates a Ransomware-as-a-Service (RaaS) model with a limited set of trusted partners, and its malware is capable of impacting Windows, Linux, and ESXi environments. The group is known for methodical, multi-stage intrusions, use of zero-day exploits, and advanced evasion and anti-forensics techniques.
Ransomware operation using double extortion, with noted impact on electronics manufacturing supply chains.
Ransomware group referenced as active by claimed victims (per Rapid7).
Ransomware group referenced as active by claimed victims (per Rapid7).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.