Ransomware Attack on Norwegian Accounting Firm Total Revisjon DA by Arcus Media

Incident Date:

June 27, 2024

Overview

Title

Ransomware Attack on Norwegian Accounting Firm Total Revisjon DA by Arcus Media

Victim

Total Revisjon DA

Attacker

Arcus Media

Location

Dilling, Norway

, Norway

First Reported

June 27, 2024

Ransomware Attack on Total Revisjon DA by Arcus Media

Overview of Total Revisjon DA

Total Revisjon DA is a Norwegian company specializing in auditing and accounting services. Established in 1994 and based in Lyngdal, Norway, the firm has grown to become a well-respected player in the Norwegian accounting industry. The company offers a range of services including statutory audits, financial advisory, and tax compliance. Their primary focus is on delivering comprehensive financial oversight and advisory services to businesses, ensuring that their financial statements are accurate, compliant with relevant regulations, and reflective of their true financial position.

With a team of experienced professionals, Total Revisjon DA prides itself on providing high-quality, personalized services to its clients. The firm emphasizes building long-term relationships and understanding each client's unique needs and challenges. This client-centric approach has helped them maintain transparency and build trust with stakeholders, including investors, creditors, and regulatory bodies.

Details of the Ransomware Attack

Total Revisjon DA has recently fallen victim to a ransomware attack attributed to the Arcus Media ransomware group. The attack was publicly claimed by Arcus Media on its dark web leak site, where the group threatened to publish the stolen data within 7 to 8 days unless its demands are met. The listing raises obvious concerns about the data the firm holds on behalf of its clients, since an accounting and audit practice stores client financial records, tax filings and identity documents.

The attack on Total Revisjon DA shows that even well-established firms are exposed. Expertise in financial oversight and compliance does not translate into security controls, and the fact that a breach occurred says nothing yet about which control failed. The initial access vector has not been confirmed. The phishing-led chain described below (malicious attachment or link, scripted deployment of the ransomware binary) is Arcus Media's typical pattern as observed in other incidents, not evidence from this one, and should be read as a working hypothesis rather than a finding.

Profile of Arcus Media Ransomware Group

Arcus Media is a relatively new ransomware group that has been active since May 2024. The group practices double extortion: it encrypts the victim's systems and also exfiltrates data, then uses the threat of publication on its leak site as a second lever for payment. Its observed tradecraft includes phishing emails for initial access, scripts that stage and execute the ransomware payload, and obfuscation to evade detection. Arcus Media operates a Ransomware-as-a-Service (RaaS) model, renting its malware and infrastructure to affiliates in exchange for a share of the proceeds.

One of the distinguishing features of Arcus Media is their unique affiliate program, where new affiliates must be referred by another trusted affiliate and vetted to participate.

Potential Penetration Methods

Arcus Media typically gains initial access through phishing emails carrying malicious attachments or links. Once inside, the affiliates deploy custom ransomware binaries and launch them through scripts, which are usually obfuscated to evade detection. For persistence they create scheduled tasks on infected hosts and modify the registry; the registry changes also serve to weaken or evade security tooling. Credential dumping with tools such as Mimikatz provides accounts for privilege escalation within the network, and further obfuscation and encryption are used to hide activity and to disable or bypass security products. Each of these steps leaves telemetry (process creation, scheduled-task creation, registry writes, handle opens on LSASS) that an endpoint sensor can surface before encryption begins.
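The behaviours above (Office spawning a script host, encoded PowerShell, scheduled-task and Run-key persistence, a non-allowlisted process reading LSASS memory) are generic and detectable. The following is an added example by the editor, not code from the RRA site or any Arcus Media artefact: a small rule engine that scans Sysmon-style events that a log shipper has flattened into a `key=value|key=value` line format (an assumption about the pipeline). The sample events are constructed for illustration and are not telemetry from the Total Revisjon DA incident; the allowlist and thresholds are starting points to tune per estate.

```python
"""Flag Sysmon-style events matching common ransomware persistence and
credential-access behaviours.  Sample log lines are constructed, not real
telemetry, and the rules are the editor's, not a vendor's or the group's."""
import re
from typing import Dict, List

# Constructed sample events (assumption: Sysmon/Security XML flattened to
# "key=value|key=value" by the log shipper).  EventID 1 = process create,
# 10 = process access, 13 = registry value set.
SAMPLE_LOGS = [
    # Benign: Explorer starts Outlook.
    "EventID=1|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=OUTLOOK.EXE",
    # Phishing attachment chain: Word spawns PowerShell with an encoded command.
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    # Persistence: scheduled task created from that PowerShell session.
    "EventID=1|Image=C:\\Windows\\System32\\schtasks.exe"
    "|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=schtasks /create /tn Updater /tr C:\\Users\\Public\\upd.exe /sc onlogon",
    # Persistence: Run key written.
    "EventID=13|Image=C:\\Windows\\System32\\reg.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    "|Details=C:\\Users\\Public\\upd.exe",
    # Credential dumping: unknown binary opens LSASS with PROCESS_VM_READ.
    "EventID=10|SourceImage=C:\\Users\\Public\\mk.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    # Benign: Defender's engine touches LSASS (allowlisted path).
    "EventID=10|SourceImage=C:\\Program Files\\Windows Defender\\MsMpEng.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe")
# Assumption: extend with the EDR/AV/backup agents legitimately reading LSASS.
LSASS_ALLOWLIST = ("\\windows defender\\",)
PROCESS_VM_READ = 0x0010  # the access right credential dumpers need


def parse(line: str) -> Dict[str, str]:
    """Split one flattened event into a field dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (possibly none)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == "1":
        img = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if img in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
            hits.append("office_spawns_script_host")
        if img == "powershell.exe" and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\b", cmd):
            hits.append("encoded_powershell")
        if img == "schtasks.exe" and "/create" in cmd.lower() and parent in SCRIPT_HOSTS:
            hits.append("schtasks_persistence_from_script_host")
    elif eid == "13":
        if re.search(r"(?i)\\currentversion\\run(once)?\\", ev.get("TargetObject", "")):
            hits.append("run_key_persistence")
    elif eid == "10":
        if basename(ev.get("TargetImage", "")) == "lsass.exe":
            granted = int(ev.get("GrantedAccess", "0"), 16)
            src = ev.get("SourceImage", "").lower()
            if granted & PROCESS_VM_READ and not any(a in src for a in LSASS_ALLOWLIST):
                hits.append("lsass_memory_read")
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line; one finding per (line, rule) pair."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        for rule in classify(ev):
            findings.append({"line": n, "rule": rule,
                             "image": ev.get("Image") or ev.get("SourceImage")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['rule']} ({f['image']})")
```

Two of the six constructed events are benign and produce no finding; the other four yield five findings, because the Word-to-PowerShell event trips both the parent/child rule and the encoded-command rule. Chaining the hits by host and time window is what turns these into a single incident rather than five alerts.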

Given the nature of Total Revisjon DA's business, which involves handling sensitive financial data, the company is an attractive target for ransomware groups like Arcus Media. The attack underscores the importance of robust cybersecurity measures, including employee training on phishing awareness, regular security audits, and the implementation of advanced threat detection and response systems.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, the groups behind them and their victims. Given how lucrative the model has proven for threat actors, ransomware has become the most widespread and the most financially and informationally damaging cyber threat to businesses and organizations today.

The site's data is derived from the leak sites operated by real-world threat actors and from a handful of other trackers. Although the data is sanitized, its accuracy cannot be guaranteed; a leak-site claim is an assertion by the attacker, not a confirmed breach. Entries are updated as incidents are reported by reputable sources. By viewing, accessing, or using RRA you acknowledge that you do so at your own risk.