Emerging Ransomware Threat Actors: Arcus Media, APT73, dan0n, Space Bears


June 24, 2024

World map

Ransomware continues to evolve, with new threat actors emerging and targeting a diverse range of industries. In the months of April and May 2024, four notable ransomware groups surfaced, each demonstrating unique tactics, techniques, and procedures (TTPs).  

This discovery report delves into the profiles of Arcus Media, APT73, dan0n, and Space Bears, highlighting their emergence, attack methods, and significant incidents. These groups have targeted notable companies such as Braz Assessoria Contábil, Fortify Enterprise Inc., The Blake Law Firm, and Hytera US Inc.

Arcus Media

Arcus Media emerged in May 2024, quickly establishing itself as a significant threat. The group operates a Ransomware-as-a-Service (RaaS) model, enabling other threat actors to utilize their malware. Their unique approach to malware development, double extortion tactics, and aggressive targeting make them a notable adversary.  

They have executed 17 attacks so far, primarily targeting the business services, retail, and media & internet industries. Arcus Media was one of our featured prolific thread actors during the week of May 20th to May 26th. It is estimated that the group exfiltrated over 500 GB of data from various organizations.

Arcus Media ransomware employs a variety of tactics and techniques to infiltrate and compromise systems. Initial access is often gained through phishing emails containing malicious attachments or links, tricking users into executing the ransomware payload. Once inside, these attackers use malicious scripts for execution, initiating the ransomware's damaging effects.  

To maintain persistence, Arcus Media creates scheduled tasks and modifies the registry to ensure their presence within the system even after reboots. For privilege escalation, tools like Mimikatz are used to dump credentials, granting elevated access to sensitive areas.  

To evade defenses, attackers utilize obfuscation and encryption techniques, often disabling security software to remain undetected and continue their malicious activities without interruption.

Arcus Media Victims:

  • Braz Assessoria Contábil (Business Services), a Brazilian professional services firm specializing in accounting, tax consulting, and financial advisory services, fell victim to an Arcus Media ransomware attack. The attackers infiltrated the firm's systems, exfiltrating sensitive financial and personal data. The attack posed significant risks to the firm’s operational integrity and reputation, emphasizing the vulnerabilities of firms handling extensive client information and financial data.
  • Thibabem Atacadista (Retail), a wholesale children's clothing and accessories company, was attacked by Arcus Media in late May 2024. The group used phishing emails to gain access, deploying custom ransomware and obfuscated scripts. The attack disrupted Thibabem's operations, highlighting the risks faced by businesses in the retail sector.
  • FILSCAP (Media & Internet), the Filipino Society of Composers, Authors, and Publishers, Inc., faced a severe disruption due to an Arcus Media attack. The ransomware group infiltrated FILSCAP's systems, leaking sensitive data about its members. This attack demonstrated Arcus Media's capability to target cultural and creative sectors, potentially harming the Filipino music industry.
  • Other Recent Ransomware Attacks by Arcus Media

Arcus Media is entirely unique, distinguishing them from other ransomware groups that often repurpose existing tools. Their rapid escalation in attack frequency and sophisticated evasion techniques mark them as a growing threat.  

The rapid emergence and aggressive tactics of Arcus Media suggest potential sponsored backing or advanced cybercriminal alliances, possibly indicating a well-funded and highly organized operation.


The newly discovered ransomware group, APT73, was identified in late April 2024, appears to be a spin-off from the infamous LockBit group, exhibiting a calculated approach to ransomware with a focus on the business services sector. Notable victims include Brightway Consultants Ltd and Fortify Enterprise Inc., with the group responsible for 5 attacks targeting business services and software industries.  

APT73 employs double extortion tactics, encrypting files and threatening to leak data to pressure victims into paying ransoms. They use various communication channels, including Telegram, Tox, and Twitter, to communicate with victims and coordinate their operations. Additionally, they maintain a data leak site where they publicize victim data to further coerce ransom payments, leveraging the fear of reputational and operational damage.

APT73 Victims:

  • Brightway Consultants Ltd (Business Services), a chartered quantity surveying firm based in London, was attacked by APT73 in May 2024. The breach resulted in the exfiltration of sensitive data, including financial records and login details, impacting the firm's operations and client trust.
  • Fortify Enterprise Inc. (Software), a software development company, experienced a significant breach by APT73, resulting in the exfiltration of sensitive data such as SSH keys and admin credentials. This attack highlighted the vulnerabilities in Fortify Enterprise's cybersecurity infrastructure.
  • ServicePower Technologies PLC (Software), a field service management software provider, was targeted by APT73 resulting in the exfiltration of sensitive user credentials and operational data. The breach emphasized the need for fortified cybersecurity measures in digital-centric businesses.
  • Other Recent Ransomware Attacks by APT73

The novice APT73's amateurish elements, such as the lack of active mirrors on their data leak site, contrast with their professional execution of attacks, indicating a complex operational structure possibly derived from LockBit.  

The operational similarities to LockBit and the rapid establishment of APT73's infrastructure hint at insider knowledge or direct collaboration with former LockBit members, possibly indicating a splinter cell formation.


Emerging in May 2024, dan0n is a newcomer with a notable operational tempo, distinguishing itself by focusing on data exfiltration rather than encryption. This strategic pivot in ransomware operations has allowed them to target significant firms such as The Blake Law Firm and Allen Blasting and Coating, Inc.  

So far, dan0n has executed 10 attacks, primarily targeting law firms and legal services, as well as the construction and manufacturing industries. Their aggressive tactics and successful breaches have put numerous organizations on high alert, prompting them to bolster their cybersecurity defenses.

Dan0n's tactics and techniques include prioritizing the theft of sensitive data over encryption, reflecting their emphasis on data exfiltration. Initially maintaining a no negotiation policy, they have shown flexibility upon negotiation.  

They also utilize a victim portal, providing detailed ransom demands and a chat interface for victim communication. These methods underscore their sophisticated approach to ransomware, making them a significant threat in the cybersecurity landscape.

dan0n Victims:

  • The Blake Law Firm (Law Firms & Legal Services), specializing in real estate law, fell victim to a dan0n ransomware attack, resulting in the theft of 740GB of sensitive data. This breach exposed financial and legal information, threatening the firm's operations and client confidentiality.
  • Allen Blasting and Coating, Inc.(Construction), a premier industrial painting and coating contractor, was attacked by dan0n, resulting in the theft of 1TB of data. The breach compromised financial records, legal documents, and sensitive employee and client information.
  • Semilab Semiconductor Physics Laboratory Co. Ltd. (Manufacturing), a leading provider of semiconductor metrology solutions, experienced a ransomware attack by dan0n, resulting in the theft of 1.48TB of critical corporate information. This attack highlighted the vulnerabilities in the semiconductor industry.
  • Other Recent Ransomware Attacks by dan0n

dan0n's shift from traditional encryption to data theft highlights an evolving ransomware landscape, where data exfiltration and double extortion become primary tactics. Their rapid operational tempo indicates an efficient and adaptive organizational structure. The strategic focus on exfiltration over encryption by dan0n may signal an adaptation to bypass enhanced encryption defenses deployed by organizations, suggesting a sophisticated understanding of current cybersecurity measures.

Space Bears

Space Bears surfaced in April 2024, quickly gaining notoriety for their corporate-themed data leak site and strategic affiliations. Aligned with the Phobos ransomware-as-a-service group, they stand out due to their distinctive approach, notably using double extortion tactics to maximize pressure on their victims.  

Key targets have included Hytera US Inc. and Mesopolys - Mediação Imobiliária Lda., with the group conducting eight attacks across the telecommunications, real estate, and hospitals & physicians clinics industries.

Their tactics include maintaining data leak sites on both the onion network and clearnet, where they host stolen data to further coerce ransom payments. They leverage double extortion by threatening to release this data unless their demands are met.  

Additionally, Space Bears employs a unique corporate theming in their operations, using corporate stock images and a "wall of shame" to publicly disgrace victims, adding another layer of pressure and reputational risk. Highlighted in our Ransomware on the Move series, they were one of the four most active groups during the third week of April.

Space Bears Victims:

  • Hytera US Inc. (Telecommunications): Hytera US Inc., a leading provider of professional communications technologies, was targeted by Space Bears. The attack potentially disrupted operations, caused data loss, and had significant financial implications for the company.  
  • Mesopolys - Mediação Imobiliária Lda. (Real Estate): Mesopolys, a real estate agency, experienced a ransomware attack by Space Bears, leading to potential data loss and business continuity disruptions. The attack highlighted the vulnerabilities in the real estate sector.
  • CORTEX Chiropractic & Clinical Neuroscience (Hospitals & Physicians Clinics), a healthcare provider specializing in chiropractic care, was attacked by Space Bears. The breach could have led to significant disruptions, data loss, and reputational damage, emphasizing the vulnerabilities in the healthcare sector.
  • Other Recent Ransomware Attacks by SpaceBears

Space Bears' corporate-themed presentation and dual presence on both onion and clearnet sites set them apart, providing a unique blend of professionalism and threat. Their strategic alignment with Phobos underscores their capability and reach. The sophisticated and polished online presence of Space Bears, combined with their ties to the Phobos group, suggests a high level of organization and potentially significant financial backing, possibly indicating a well-coordinated international cybercriminal network.

Takeaway: The emergence of Arcus Media, APT73, dan0n, and Space Bears underscores the evolving nature of ransomware threats. Each group brings unique tactics, innovative techniques, and a strategic focus on high-value targets across various industries.  

Understanding these new actors is crucial for developing robust cybersecurity measures, as ransomware continues to adapt and grow more sophisticated. These insights into their operations and methodologies emphasize the importance of vigilance and advanced defensive strategies in the ever-changing cybersecurity landscape.  

The speculative insights based on observed data suggest that these groups may be more organized and funded than previously anticipated, requiring enhanced international cooperation and intelligence sharing to effectively combat their threats.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.