Discovery Enum
- Advanced IP Scanner
Sarcoma is an emerging ransomware group/ransomware-as-a-service operation first identified in October 2024.
Profile source: Mallory opens in a new tabSarcoma
Sarcoma is an emerging ransomware group/ransomware-as-a-service operation first identified in October 2024. Reporting in the provided content describes it as using a double-extortion model, with data theft followed by threats to leak stolen information and, in some cases, encryption of victim files. Sarcoma has been characterized as specializing in supply-chain attacks and has been observed impacting industrial and manufacturing organizations as well as healthcare-related entities and government-connected third parties.
The group gained attention through attacks including Taiwanese PCB manufacturer Unimicron and the June 2025 intrusion into Zurich-based Swiss health nonprofit Radix. In the Radix incident, Sarcoma affiliates reportedly compromised systems on June 16, 2025, encrypted some files, and later published stolen data on the group’s leak portal after extortion failed. Multiple reports in the content state the leaked Radix data included government-related information because Radix provides services to Swiss federal offices; Swiss authorities said government data may have been affected, though government IT systems were not directly compromised. Sarcoma reportedly claimed to have exfiltrated between 1.3 TB and 2 TB of Radix data, including document scans, financial records, contracts, and communications.
High-confidence reporting in the content states Sarcoma uses phishing, exploitation of older vulnerabilities, and supply-chain compromise for initial access, then leverages RDP for lateral movement. It has also been reported to abuse legitimate remote monitoring and management (RMM) tools for reconnaissance and lateral movement. The group is described as targeting supply chains and causing both data-breach exposure and operational disruption. The content notes Sarcoma had claimed over 100 victims globally, including victims in the United States, Italy, and Canada, and was active enough in 2025 to be listed among notable ransomware groups tracked on leak sites.
Ransomware.live
Reported operators
"Radix ... said that Sarcoma ransomware affiliates compromised its systems on June 16."
MITRE ATT&CK
Reporting
Sarcoma ransomware group emerged in late 2024 and quickly launched aggressive double-extortion campaigns worldwide; Sarcoma’s fast-growing victim list and use of sophisticated techniques, including reported zero-day exploits, make it a serious cyber threat.
“Sarcoma… continuing its double-extortion model… notably impacting electronics manufacturing supply chains.”
The Sarcoma group is a ransomware group that first appeared in October 2024 and gained attention by targeting the Swiss government and Taiwanese PCB manufacturer Unimicron.
...followed by Inc Ransom, Dragonforce, Nightspire, Hunters and Sarcoma.
...followed by Inc Ransom, Dragonforce, Nightspire, Hunters and Sarcoma.
Sarcoma ransomware has rapidly established itself as a significant threat actor since first being identified in October 2024. Despite its recent emergence, the group has gained attention for executing aggressive and high-impact attacks, often resulting in major data breaches and operational disruption.
Zurich-based health nonprofit Radix disclosed Monday a ransomware attack by the Sarcoma group, with stolen files published on the darkweb, included government data. Sarcoma uses double extortion and has claimed over 100 victims globally, including in the United States, Italy and Canada.
"The Swiss nonprofit health organization Radix has confirmed that its systems were breached by a ransomware group earlier this month... the threat actor known as Sarcoma had published data stolen from its systems on a leak site."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.