Ransomware Attack on Grupo SASMET by Arcus Media

Victim Overview

Grupo SASMET, a Brazilian company operating in the manufacturing sector, was recently targeted by the Arcus Media ransomware group in May 2024. The company specializes in the production and distribution of metal products, such as steel pipes, fittings, and valves. Grupo SASMET also offers services related to metalworking and industrial maintenance. The company employs between 51-200 people and is registered under the name Saúde Ocupacional.

Arcus Media Ransomware Group

The Arcus Media ransomware group is a relatively new threat actor that has been active since May 2024. The group distinguishes itself by conducting direct and double extortion methods, using phishing emails for initial access, deploying custom ransomware binaries, and employing obfuscation techniques to evade detection.

Attack Details

Grupo SASMET was one of the 11 victims targeted by Arcus Media in a series of attacks. The ransomware group utilizes tactics such as phishing emails with malicious attachments, obfuscated scripts for payload execution, and privilege escalation using tools like Mimikatz. Grupo SASMET's vulnerabilities may have included weak email security measures, lack of robust endpoint protection, and insufficient network segmentation.

How the Attack Occurred

Arcus Media likely gained access to Grupo SASMET's systems through a phishing email that contained a malicious attachment or link. Once inside the network, the group deployed their custom ransomware and used obfuscation techniques to evade detection. The attackers may have exploited vulnerabilities in the company's security infrastructure to establish persistence and escalate privileges.

Sources

• SAS Events Nordic
• ZoomInfo - Grupo SASMET
• LinkedIn - SASMET
• Twitter - Daily Dark Web
• The Moloch - Arcus Media
• WatchGuard Technologies - Arcus Media
• DarkFeed - Ransomware Groups
• Twitter - H4ckManac
• Twitter - H4ckManac