Arcus Media Ransomware Delete Backup, Clear Logs, Disable Remote After Lock The Files

The Arcus Media ransomware has emerged as a significant cybersecurity threat, employing advanced techniques to maximize disruption and hinder recovery efforts.
Operating under a Ransomware-as-a-Service (RaaS) model, the group has targeted industries worldwide, including business services, retail, and media, since its debut in May 2024.
Arcus Media ransomware demonstrates a highly technical approach to ensure operational impact and complicate defensive measures:
- Privilege Escalation: If administrative access is unavailable, it uses the ShellExecuteExW API to re-execute itself with elevated privileges via the "runas" verb.
- Process Termination: It halts critical processes such as SQL servers and email clients, locating them with the CreateToolhelp32Snapshot API. Targeted processes include sqlservr.exe, msaccess.exe and mysqld.exe.
- Selective Encryption: Files are encrypted using the ChaCha20 cipher, with RSA-2048 protecting the encryption keys. Larger files (>2 MiB) undergo partial encryption for efficiency, and encrypted files are given the extension [Encrypted].Arcus.
- Backup Disruption: To prevent recovery, it executes commands such as:
  vssadmin delete shadows /all /quiet
  wevtutil cl Security
  bcdedit /set {default} recoveryenabled no
- Persistence Mechanisms: The ransomware copies itself to C:\ProgramData\svccost.exe and attempts to establish registry-based persistence.
Halcyon analysts detected that Arcus Media targets recovery mechanisms by deleting shadow copies and clearing event logs, ensuring victims face significant challenges in restoring their systems.
Its encryption process renders files inaccessible without the decryption key stored on attacker-controlled servers.
Double Extortion Tactics
Beyond encryption, Arcus Media exfiltrates sensitive data, threatening public leaks if ransom demands are unmet. This tactic amplifies pressure on victims by leveraging potential reputational damage.
The ransomware disables system defenses such as the Windows Firewall and event logging through commands such as:
  netsh advfirewall set currentprofile state off
  wevtutil cl Security
Organizations can mitigate risks by maintaining offline backups to prevent ransomware access, implementing robust endpoint detection and response (EDR) solutions, and educating employees on phishing risks, as initial access often starts with malicious emails.
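The command lines listed under Backup Disruption and the firewall and log-clearing commands above are exactly what a defender can alert on from process-creation telemetry. The following is an added example (not from the article or from Halcyon) that runs simple detection rules over constructed Sysmon-style process-creation events; it assumes a flattened key=value log format and uses the C:\ProgramData\svccost.exe path the article names as the parent process in the sample data.

```python
import re

# Constructed Sysmon-style process-creation events, flattened to one
# key=value line each. Sample data for this example, not a real incident.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" ParentImage=C:\\ProgramData\\svccost.exe',
    'EventID=1 Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil cl Security" ParentImage=C:\\ProgramData\\svccost.exe',
    'EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no" ParentImage=C:\\ProgramData\\svccost.exe',
    'EventID=1 Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh advfirewall set currentprofile state off" ParentImage=C:\\ProgramData\\svccost.exe',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe',
]

# One case-insensitive pattern per impact command the article attributes to Arcus Media.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("firewall_disabled", re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\S+\s+state\s+off", re.I)),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a flattened key=value event line into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def match_rules(event):
    """Names of every rule whose pattern matches the event's CommandLine."""
    cmd = event.get("CommandLine", "")
    return [name for name, pat in RULES if pat.search(cmd)]

def scan(events):
    """Return (hits, clusters): hits is a list of (rule, command_line, parent);
    clusters maps each parent that launched more than one impact command to the
    sorted rule names, which is the higher-confidence signal for this family."""
    hits, by_parent = [], {}
    for line in events:
        ev = parse_event(line)
        parent = ev.get("ParentImage", "")
        for name in match_rules(ev):
            hits.append((name, ev["CommandLine"], parent))
            by_parent.setdefault(parent, set()).add(name)
    clusters = {p: sorted(r) for p, r in by_parent.items() if len(r) > 1}
    return hits, clusters

if __name__ == "__main__":
    found, grouped = scan(SAMPLE_EVENTS)
    print("hits:", [h[0] for h in found])
    print("clusters:", grouped)
```

The benign "vssadmin list shadows" line is deliberately included so the rules can be checked for false positives; a single hit is worth a ticket, while several hits from the same parent process is the pattern to page on.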
Indicators of Compromise
- Encrypted files with the [Encrypted].Arcus extension.
- Presence of ransom notes named Arcus-ReadMe.txt.
- Processes terminated abruptly, or system slowdowns.
The post Arcus Media Ransomware Delete Backup, Clear Logs, Disable Remote After Lock The Files appeared first on Cyber Security News.