Skip to content
Ransomware group

Arkana

Arkana is a ransomware group/family identified in 2025 as part of a highly fragmented ransomware ecosystem composed of many short-lived operations.

Profile source: Mallory opens in a new tab

Arkana

Family profile

Arkana is a ransomware group/family identified in 2025 as part of a highly fragmented ransomware ecosystem composed of many short-lived operations. The provided reporting places Arkana among newly emerged ransomware groups and notes it accounted for 1 incident in the cited industrial-sector reporting. Arkana is described alongside groups such as RansomHub, CrazyHunter, and NightSpire as establishing operations using reused codebases and recycled infrastructure, indicating limited technical novelty and likely dependence on shared tooling and access ecosystems rather than unique malware development. More broadly, the source material characterizes these 2025-era groups as commonly operating under a Ransomware-as-a-Service model, frequently relying on identity-based compromise for initial access, including stolen VPN credentials, MFA fatigue, session token hijacking, and OAuth abuse; secondary access via exploited VPN/firewall edge infrastructure; phishing and SaaS abuse such as HTML smuggling and fake login portals; and cloud/SaaS misconfigurations including over-permissioned IAM roles and exposed API tokens. The same reporting states that such groups often used lightweight, minimally obfuscated or open-source malware, and that data theft and extortion frequently replaced or preceded encryption. Targets were primarily small and mid-sized enterprises, organizations with cyber insurance, and cloud-first environments with weak identity governance; industrial entities were also affected in the cited Dragos reporting. No specific Arkana-exclusive indicators of compromise, malware capabilities, victimology, or threat actor attribution beyond these ecosystem-level characteristics are provided in the content.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Session

1 total
  • 05babe48a5070de46a39ee4aa025988beefe059dad57babe52ba797b85643f4523

Reporting

Research mentioning Arkana

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.