Ransomware Attack on Grupo SASMET by Arcus Media

Incident Date: May 24, 2024

Overview

Title: Ransomware Attack on Grupo SASMET by Arcus Media
Victim: Grupo SASMET
Attacker: Arcus Media
Location: Manaus, Brazil
First Reported: May 24, 2024

Victim Overview

Grupo SASMET, a Brazilian company operating in the manufacturing sector, was targeted by the Arcus Media ransomware group in May 2024. The company specializes in the production and distribution of metal products, such as steel pipes, fittings, and valves. Grupo SASMET also offers services related to metalworking and industrial maintenance. The company employs between 51 and 200 people and is registered under the name Saúde Ocupacional.

Arcus Media Ransomware Group

The Arcus Media ransomware group is a relatively new threat actor that has been active since May 2024. The group distinguishes itself by using direct and double extortion, relying on phishing emails for initial access, deploying custom ransomware binaries, and employing obfuscation techniques to evade detection.

Attack Details

Grupo SASMET was one of the 11 victims targeted by Arcus Media in a series of attacks. The group's tactics include phishing emails with malicious attachments, obfuscated scripts for payload execution, and privilege escalation using tools like Mimikatz. Grupo SASMET's vulnerabilities may have included weak email security measures, a lack of robust endpoint protection, and insufficient network segmentation.

How the Attack Occurred

Arcus Media likely gained access to Grupo SASMET's systems through a phishing email that contained a malicious attachment or link. Once inside the network, the group deployed its custom ransomware and used obfuscation techniques to evade detection. The attackers may have exploited vulnerabilities in the company's security infrastructure to establish persistence and escalate privileges.
