LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Sarcoma

Sarcoma: The Ransomware Group That Became a Major Threat in Under a Year

Sarcoma emerged in October 2024 and claimed 31 victims in its first month, reaching third in global ransomware rankings. By mid-2025 it had 116+ documented victims, ransom demands exceeding $1 million, and an expanding footprint in manufacturing and OT environments.

By Ransomware Tracker ·
Sarcomaransomwaredouble-extortionRaaSmanufacturingdata-extortion202420252026
Threat Level
8/10
Sectors Targeted
manufacturing
technology
construction
retail
agriculture
Ransomware Family
Sarcoma

Overview

Sarcoma emerged in October 2024 and scaled faster than almost any ransomware group in recent memory. Within its first month it claimed 31 victims and ranked third globally in victim volume, behind only RansomHub and Play. By mid-2025 it had posted more than 116 victims on its dark web leak site, with ransom demands that had escalated from mid-five-figure sums to over $1 million for larger targets.

The group operates as a limited affiliate ransomware-as-a-service (RaaS). Unlike open affiliate programmes such as RansomHub, which accept a broad pool of partners, Sarcoma maintains a selective affiliate roster. This approach trades volume for operational control and reduces the probability of sloppy intrusions that attract unwanted law enforcement attention.

As of mid-2026, no law enforcement action has been taken against the group or its affiliates.

Organisational Structure

Sarcoma’s business model is a 70/30 revenue split that favours affiliates — 70% of any ransom payment goes to the affiliate who conducted the intrusion, 30% to the Sarcoma core operators. This split is competitive but not exceptional; the differential from higher-paying programmes like RansomHub is offset by the selectivity of the affiliate pool, which means Sarcoma affiliates face less competition for targets within the programme.

The core team provides: the encryptor toolset, the dark web victim communication platform, the data leak site, and the negotiation infrastructure. Affiliates supply initial access, lateral movement, data exfiltration, and deployment.

Sarcoma’s affiliate vetting appears to be genuine rather than performative. The group has not experienced the public operational security failures — accidental exposure of affiliate panels, chat log leaks, sloppy deployment that left forensic evidence — that have damaged some peer groups.

Malware and Encryption

Sarcoma’s primary encryptor is written in C++ and targets Windows environments. A separate variant supports Linux and VMware ESXi hosts, enabling encryption of virtualised infrastructure alongside Windows endpoints — the standard capability profile for any serious ransomware programme operating against enterprise targets.

The group’s initial access tradecraft leans heavily on living-off-the-land techniques. PowerShell is used to disable security tooling and antivirus products before deployment. Legitimate remote monitoring and management (RMM) tools are abused for reconnaissance and lateral movement, making detection harder in environments that permit commercial RMM tools.

The double extortion model is standard: data is exfiltrated before encryption, and the leak site countdown timer creates a deadline pressure that exists independently of whether the victim can recover from backups.

Targeting Profile

Sectors

Manufacturing has been Sarcoma’s dominant target sector throughout its operational period. Technology companies, construction firms, retail, and agricultural businesses make up the rest of the established profile. The pattern suggests a deliberate focus on mid-market organisations — large enough to have data worth stealing and the financial capacity to pay meaningful ransoms, but without the mature security programmes of enterprise-scale targets.

Dragos data from Q2 2025 noted Sarcoma’s expanding presence in industrial and OT-adjacent environments. Roughly 3% of the group’s victims in that period were in industrial sectors, suggesting affiliates are beginning to test the group’s capabilities against operational technology networks. This trajectory mirrors the path taken by other groups — initial IT-only operations followed by gradual OT targeting as affiliates gain confidence and familiarity with industrial environments.

Geography

Approximately 50% of Sarcoma victims are based in the United States, reflecting the general concentration of ransomware targeting toward the highest-value English-language markets. Germany has been the most prominent non-US target, accounting for a significant portion of European victims. Australia, Canada, the United Kingdom, Italy, Japan, and Spain round out the documented geographic footprint.

Organisation Size

The targeting band — organisations with annual revenues between $1 million and $50 million — is deliberately chosen. This cohort is large enough to have enterprise systems worth encrypting and data worth stealing, but typically lacks dedicated security operations, mature backup architectures, and cyber insurance with incident response provisions that make recovery straightforward.

Historical Victims and Impact

Sarcoma has not targeted household-name organisations at the scale of groups like Cl0p or RansomHub, which have hit major US healthcare and financial institutions. Its victim list is concentrated in the mid-market. This profile is likely intentional: high-profile victims attract government attention and law enforcement priority; mid-market victims pay more quietly and generate less scrutiny.

The group’s leak site structure is professionally designed — countdown timers, downloadable sample data, and a categorised victim list — and has functioned reliably throughout its operational period, suggesting stable hosting infrastructure and competent operations management.

Ransom demand escalation from mid-2025 onward is notable. Demands exceeding $1 million indicate that the group is increasingly targeting larger organisations within the $10–50M revenue band, or that its affiliate network is gaining access to higher-value environments through improved initial access methods.

Threat Assessment

Sarcoma entered 2026 as an established, operationally competent ransomware group without the profile elevation that typically accelerates law enforcement action. Its selective affiliate model reduces some of the chaos associated with open-programme RaaS operations, while the 70/30 split attracts affiliates with the patience to run quality intrusions rather than spray-and-pray campaigns.

The expanding industrial footprint is the most significant trend to watch. If Sarcoma affiliates develop and share OT-specific capability — ESXi targeting already bridges the virtualisation layer common in IT/OT environments — the group’s impact ceiling rises substantially.

For incident responders and threat intelligence teams, Sarcoma represents a technically conventional but operationally well-run double extortion threat. Its victim profile makes mid-market manufacturing, construction, and agricultural businesses the most exposed cohort.

Indicators and Intelligence

Sarcoma activity is tracked across major dark web monitoring platforms. The group’s leak site maintains a structured listing of victims with exfiltration evidence. No confirmed decryptor has been released publicly; backup integrity and network segmentation remain the primary technical defences against the group’s operations.

Initial access patterns documented across Sarcoma incidents include exploitation of internet-facing services (VPN appliances, RDP), phishing for credential theft, and in some cases purchase of access from initial access brokers — the standard procurement channel for RaaS affiliates who want to skip the initial intrusion phase.

References

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting