
Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Severity: Medium
Published: Tue May 20 2025 (05/20/2025, 19:18:11 UTC)
Source: AlienVault OTX General

Description

Sarcoma Ransomware, first detected in October 2024, has rapidly become a major cybersecurity threat, targeting high-value companies across industries. It uses advanced tactics like zero-day exploits and RMM tools for network discovery and credential theft. The group has impacted organizations in various countries, with the USA, Italy, and Canada being the most affected. Sarcoma employs sophisticated encryption techniques, combining RSA and ChaCha20, and has versions for both Windows and Linux systems. The malware includes network propagation capabilities and anti-recovery measures for hypervisor systems. Notably, it avoids infecting systems with Uzbek keyboard layouts, suggesting possible origins or affiliations. The group's activities highlight the need for improved cybersecurity measures in organizations worldwide.

AI-Powered Analysis

Last updated: 06/19/2025, 20:19:35 UTC

Technical Analysis

Sarcoma Ransomware, first identified in October 2024, is a double extortion ransomware operation targeting high-value organizations across multiple industries. Reported initial access relies on zero-day exploits, after which the operators use Remote Monitoring and Management (RMM) tools for network reconnaissance and credential theft. Because legitimate RMM agents are common in enterprise estates, this tooling blends in with routine administration and is easy to overlook.

The ransomware has builds for both Windows and Linux, which lets the operators encrypt mixed estates (workstations, file servers and Linux-based virtualization or application hosts) in a single intrusion. Files are encrypted with a hybrid scheme: ChaCha20, a fast stream cipher, performs the bulk encryption, and RSA protects the symmetric key material so that only the holder of the operators' private key can recover it. Assuming the scheme is implemented correctly, recovering files without that private key is computationally infeasible; the practical recovery paths are clean backups or the key itself.

The malware includes network propagation capabilities for lateral movement, which increases the scale of a single infection, and anti-recovery measures aimed at hypervisor systems that are intended to prevent restoration from snapshots or backups, undermining the disaster recovery designs common in virtualized data centers. One operational detail of note: the malware refuses to run on systems configured with an Uzbek keyboard layout. Layout checks of this kind are a familiar way for ransomware authors to avoid victims in particular regions, so the choice may hint at the actor's origin or affiliations.

The group follows a double extortion model: data is exfiltrated before encryption and victims are threatened with publication if they do not pay. The indicators of compromise published with this pulse are file hashes of Sarcoma payloads. No public exploit code is documented for this campaign; the reported use of zero-day vulnerabilities and RMM tooling nonetheless indicates a capable operator. Reported victims are concentrated in the USA, Italy and Canada, with Italy giving the campaign a notable European footprint.

Taken together, the multi-platform builds, network propagation and anti-recovery features make Sarcoma a complex threat that calls for detection and response planning beyond signature matching.
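The hybrid scheme described above, shown as an added example that is not Sarcoma's code and is not taken from the referenced report: a pure-Python ChaCha20 (RFC 8439) does the bulk encryption, and a deliberately minimal textbook RSA (no OAEP padding, 1024-bit key so the pure-Python keygen finishes in seconds) wraps the per-file key. The blob layout, function names and key sizes are this example's own assumptions. What it demonstrates is why nothing left on a victim system suffices for recovery: the per-file key exists in the clear only while the file is being encrypted, and afterwards only in a form that the operators' private key can open.

```python
import os
import random
import struct

# --- ChaCha20 stream cipher (RFC 8439): the fast bulk-encryption half ---

def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)

def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block from a 32-byte key, block counter and 12-byte nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key) + (counter,) + struct.unpack("<3L", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((x + y) & 0xFFFFFFFF for x, y in zip(w, state)))

def chacha20_xor(key, nonce, data):
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], _chacha20_block(key, 1 + i // 64, nonce)))
    return bytes(out)

# --- Textbook RSA: the key-wrapping half. Deliberately minimal (no OAEP padding);
# --- it stands in for whatever RSA library a real sample links against.

_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin with random witnesses."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand

def generate_rsa_keypair(bits=1024):
    """Return ((e, n), (d, n)). 1024 bits keeps this pure-Python demo fast; it is not a recommendation."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

# --- The hybrid construction: fresh symmetric key per file, wrapped asymmetrically ---

KEY_LEN, NONCE_LEN = 32, 12  # assumed blob layout: [wrapped key][nonce][ciphertext]

def encrypt_blob(plaintext, public_key):
    """Encrypt one file under a fresh ChaCha20 key; only the wrapped key travels with the file."""
    e, n = public_key
    file_key, nonce = os.urandom(KEY_LEN), os.urandom(NONCE_LEN)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    modulus_len = (n.bit_length() + 7) // 8
    return wrapped.to_bytes(modulus_len, "big") + nonce + chacha20_xor(file_key, nonce, plaintext)

def decrypt_blob(blob, private_key):
    """Unwrap the file key with d, then strip the keystream. Without d the file key is unrecoverable."""
    d, n = private_key
    modulus_len = (n.bit_length() + 7) // 8
    wrapped, nonce = blob[:modulus_len], blob[modulus_len:modulus_len + NONCE_LEN]
    file_key_int = pow(int.from_bytes(wrapped, "big"), d, n)
    if file_key_int.bit_length() > KEY_LEN * 8:
        raise ValueError("wrapped key does not unwrap under this private key")
    file_key = file_key_int.to_bytes(KEY_LEN, "big")
    return chacha20_xor(file_key, nonce, blob[modulus_len + NONCE_LEN:])
```

Production code would use RSA-OAEP and an authenticated mode such as ChaCha20-Poly1305; the structure, not the padding, is the point here. Two consequences for defenders follow directly from that structure: every file carries its own wrapped key, so partial key recovery does not unlock the rest, and the public key embedded in the sample is useless for decryption, which is why restoring from backups that the malware could not reach is the realistic recovery plan.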

Potential Impact

For European organizations, Sarcoma poses a substantial risk because it can encrypt both Windows and Linux systems, which coexist in most enterprise and critical-infrastructure environments across Europe. Its network propagation means an infection rarely stays at the initial foothold; entire corporate networks and, where they are reachable from the office network, industrial control systems may be affected. The anti-recovery features aimed at hypervisor snapshots could defeat disaster recovery plans that depend on virtualization-level restore points, a common design in European data centers. The double extortion tactic adds reputational and regulatory exposure: exfiltrated personal data triggers GDPR breach-notification duties and can lead to significant fines. Italian organizations have already been hit, and high-value targets in manufacturing, finance and healthcare exist across Europe, so the ransomware could disrupt critical services and supply chains. Although currently rated as medium severity, its combination of zero-day initial access, RMM-based lateral movement, dual-platform encryption and backup sabotage can result in prolonged operational downtime, substantial financial losses and erosion of customer trust if not properly mitigated.

Mitigation Recommendations

European organizations should implement targeted defenses beyond standard ransomware protections. Network segmentation is critical to limit lateral movement; isolate hypervisor management interfaces and backup servers on their own segments with tightly restricted administrative access, since both are explicit targets of the anti-recovery features. Deploy Endpoint Detection and Response (EDR) with behavioral analytics on Windows and Linux hosts alike (the Linux build is otherwise a blind spot), tuned to flag unexpected RMM agent installations and the post-exploitation activity that follows an initial compromise; a zero-day itself cannot be signature-matched, but the reconnaissance and credential access that follow it can. Enforce strict credential hygiene: multi-factor authentication (MFA) on all remote management interfaces and privileged accounts, and no standing domain-admin sessions on hypervisor or backup hosts. Maintain an allowlist of approved RMM tools, audit their access regularly, and alert on any other RMM agent or on command-and-control traffic from hosts that have no business reaching the internet. Backups must be immutable and kept offline or air-gapped, and restore procedures should be rehearsed against a scenario in which hypervisor snapshots have already been deleted. The Uzbek keyboard-layout check is an attribution clue worth sharing through threat intelligence channels, not a control: do not rely on adding a layout as a "vaccine", since the check can be dropped in any later build. Incident response plans should cover mixed Windows/Linux infections and double extortion demands, with legal and communications teams prepared for GDPR breach notifications. Proactive threat hunting on the known Sarcoma hashes and on the network behaviors described above can reduce dwell time and limit damage; remember that hashes identify only the samples already seen.
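A minimal hunt over the hashes listed under Indicators of Compromise, as an added example that is not part of the pulse or the referenced report. Each file is read once and hashed with all three algorithms, so a mixed MD5/SHA-1/SHA-256 indicator list needs no per-algorithm bookkeeping. SARCOMA_HASHES is copied from the pulse; the function names and scan root are this example's own.

```python
import hashlib
import os
from pathlib import Path

# Hashes published with the Sarcoma pulse: two MD5, two SHA-1, two SHA-256.
SARCOMA_HASHES = {
    "6b2f02decd1e11da9f233b26472a33c7",
    "b7e0af5dbb170d91c63b700d8b324203",
    "1dcdc430367544f7da878eb9ff8990d02094f69d",
    "6b249c9bffd3698a3033a4110e387a711c488154",
    "6669cfeba5619b6f4d80b1281adfe69c87d845ebaaf9e83c25efa01a8267e751",
    "7ea6af07ca9ed77934b2398e898afe4eaa13d29022fcf5da33254769ad284d75",
}

def normalize_iocs(hashes):
    """Lower-case and keep only well-formed MD5 / SHA-1 / SHA-256 hex digests."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) in (32, 40, 64) and all(c in "0123456789abcdef" for c in h):
            out.add(h)
    return out

def digest_file(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests, reading the file once in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk); sha1.update(chunk); sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()

def hunt(root, iocs=SARCOMA_HASHES):
    """Walk root and return [(path, algorithm, digest)] for every regular file
    whose MD5, SHA-1 or SHA-256 matches an indicator. Unreadable files are skipped,
    not fatal, so a hunt over a live system completes."""
    wanted = normalize_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or not path.is_file():
                    continue
                digests = digest_file(path)
            except OSError:
                continue
            for algo, d in zip(("md5", "sha1", "sha256"), digests):
                if d in wanted:
                    hits.append((str(path), algo, d))
    return hits

if __name__ == "__main__":
    import sys
    for hit in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("HIT\t%s\t%s\t%s" % hit)
```

Hashes are the weakest indicator: a rebuilt or repacked sample changes all three, so treat a hit as confirmation and a clean sweep as nothing more than "none of these six samples", and pair this with the behavioral hunting (unexpected RMM agents, hypervisor management access, unusual outbound transfers) recommended above.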


Technical Details

Author
AlienVault
TLP
WHITE
References
https://securityaffairs.com/wp-content/uploads/2025/05/Sarcoma-Ransomware.pdf
Adversary
Sarcoma Ransomware
Pulse Id
682cd5731d6473f1e91ccdcc

Indicators of Compromise

Hash (the pulse labels every entry only as "hash"; the algorithm below is inferred from digest length)

MD5: 6b2f02decd1e11da9f233b26472a33c7
MD5: b7e0af5dbb170d91c63b700d8b324203
SHA-1: 1dcdc430367544f7da878eb9ff8990d02094f69d
SHA-1: 6b249c9bffd3698a3033a4110e387a711c488154
SHA-256: 6669cfeba5619b6f4d80b1281adfe69c87d845ebaaf9e83c25efa01a8267e751
SHA-256: 7ea6af07ca9ed77934b2398e898afe4eaa13d29022fcf5da33254769ad284d75

Threat ID: 682cd9724d7c5ea9f4b3728a

Added to database: 5/20/2025, 7:35:14 PM

Last enriched: 6/19/2025, 8:19:35 PM

Last updated: 8/16/2025, 4:19:08 AM

