
Arcus Media Ransomware Displays Novel Process Targeting, Selective Encryption and Recovery Disruption

ID: 9d288422-a7bc-5641-b876-843ddefc9a03

STIX ID: report--9d288422-a7bc-5641-b876-843ddefc9a03

Feed Name: Halcyon Blog

Threat Score: 78/100

Date Published: 2026-03-02

Date Updated: 2026-04-28


Arcus Media is a Ransomware-as-a-Service group active since May 2024 that conducts double-extortion attacks. It gains initial access via phishing; performs credential theft and lateral movement (e.g., Mimikatz, Cobalt Strike, RDP); escalates privileges; terminates business-critical processes (SQL, email, office applications); deletes shadow copies and disables recovery; and encrypts files using ChaCha20 with RSA-2048-wrapped keys (partial encryption for files larger than 2 MiB), dropping Arcus-ReadMe.txt ransom notes. The report provides detailed TTPs, file and registry IOCs, and the recovery-disruption commands used.
