Arcus Media Ransomware Attack on FILSCAP: Impact and Implications

Incident Date:

May 24, 2024

World map

Overview

Title

Arcus Media Ransomware Attack on FILSCAP: Impact and Implications

Victim

FILSCAP

Attacker

Arcus Media

Location

Quezon City, Philippines

, Philippines

First Reported

May 24, 2024

Arcus Media Ransomware Attack on FILSCAP

Victim Profile: FILSCAP

FILSCAP, the Filipino Society of Composers, Authors, and Publishers, Inc., is a non-stock, non-profit corporation representing music creators in the Philippines. The organization is tasked with enforcing and protecting the performing rights of copyright owners of musical works. FILSCAP issues licenses and collects royalties for the public performance of copyrighted musical works, advocating for the protection of intellectual property rights in the music industry.

As the government-accredited Collective Management Organization (CMO) for music creators in the Philippines, FILSCAP assists music users in obtaining authorization to publicly play, broadcast, and stream copyrighted local and foreign songs. The organization plays a critical role in ensuring that composers, lyricists, and music publishers are compensated for the public use of their works.

Attack Overview

The ransomware group Arcus Media has claimed responsibility for a recent cyberattack on FILSCAP. This attack is part of a broader campaign by Arcus Media, a new ransomware group that emerged in May 2024. Arcus Media employs sophisticated tactics including phishing emails, custom ransomware binaries, and obfuscation techniques to gain access to and compromise victim networks.

The attack on FILSCAP was one of 11 attacks carried out by Arcus Media in a short span, indicating a highly aggressive campaign. The group has targeted various sectors, including government, banking, construction, IT, and now the music and entertainment industry.

Arcus Media: Ransomware Group Profile

Arcus Media is a relatively new but rapidly expanding ransomware group known for its direct and double extortion methods. The group operates a Ransomware-as-a-Service (RaaS) model, allowing other threat actors to use their malware in exchange for a share of the profits. Their affiliate program is unique, requiring new affiliates to be referred and vetted by existing trusted members.

Arcus Media's tactics include phishing emails with malicious attachments, deployment of custom ransomware binaries, creation of scheduled tasks for persistence, and the use of tools like Mimikatz for credential dumping. The group also employs obfuscation and encryption to evade detection and disable security tools.

Impact and Implications

The ransomware attack on FILSCAP poses significant risks to the organization and its members. As a non-profit entity representing music creators, any disruption in their operations can have a cascading effect on the income and rights protection of composers, authors, and publishers in the Philippines. The attack could potentially lead to the exposure of sensitive data and intellectual property, further complicating the organization's mission.

The broader implications of such attacks underscore the vulnerabilities of organizations in the media and internet sector, especially those involved in intellectual property rights management. These entities must enhance their cybersecurity measures to protect against increasingly sophisticated ransomware threats.

Penetration Tactics

The penetration of FILSCAP's systems by Arcus Media likely involved a multi-faceted approach combining social engineering and technical exploits. Initial access was probably gained through phishing emails containing malicious attachments or links, followed by the deployment of ransomware binaries. Persistence was maintained through scheduled tasks and registry modifications, while defense evasion techniques ensured that the malware could operate undetected for as long as possible.

Such tactics highlight the importance of comprehensive cybersecurity strategies, including employee training on phishing awareness, endpoint protection, and continuous monitoring for suspicious activities.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.