Skip to content
Ransomware group

Sarcoma

Sarcoma is an emerging ransomware group/ransomware-as-a-service operation first identified in October 2024.

Profile source: Mallory opens in a new tab

Sarcoma

Family profile

Sarcoma is an emerging ransomware group/ransomware-as-a-service operation first identified in October 2024. Reporting in the provided content describes it as using a double-extortion model, with data theft followed by threats to leak stolen information and, in some cases, encryption of victim files. Sarcoma has been characterized as specializing in supply-chain attacks and has been observed impacting industrial and manufacturing organizations as well as healthcare-related entities and government-connected third parties.

The group gained attention through attacks including Taiwanese PCB manufacturer Unimicron and the June 2025 intrusion into Zurich-based Swiss health nonprofit Radix. In the Radix incident, Sarcoma affiliates reportedly compromised systems on June 16, 2025, encrypted some files, and later published stolen data on the group’s leak portal after extortion failed. Multiple reports in the content state the leaked Radix data included government-related information because Radix provides services to Swiss federal offices; Swiss authorities said government data may have been affected, though government IT systems were not directly compromised. Sarcoma reportedly claimed to have exfiltrated between 1.3 TB and 2 TB of Radix data, including document scans, financial records, contracts, and communications.

High-confidence reporting in the content states Sarcoma uses phishing, exploitation of older vulnerabilities, and supply-chain compromise for initial access, then leverages RDP for lateral movement. It has also been reported to abuse legitimate remote monitoring and management (RMM) tools for reconnaissance and lateral movement. The group is described as targeting supply chains and causing both data-breach exposure and operational disruption. The content notes Sarcoma had claimed over 100 victims globally, including victims in the United States, Italy, and Canada, and was active enough in 2025 to be listed among notable ransomware groups tracked on leak sites.

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • Advanced IP Scanner

Reported operators

Threat actors

1 named in public reporting
Sarcoma

"Radix ... said that Sarcoma ransomware affiliates compromised its systems on June 16."

MITRE ATT&CK

Sarcoma in ATT&CK

24 distinct techniques

Reporting

Research mentioning Sarcoma

Nov 18
Socradar

Dark Web Profile: Sarcoma Ransomware

Sarcoma ransomware group emerged in late 2024 and quickly launched aggressive double-extortion campaigns worldwide; Sarcoma’s fast-growing victim list and use of sophisticated techniques, including reported zero-day exploits, make it a serious cyber threat.

Aug 14
Dragos

OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos

“Sarcoma… continuing its double-extortion model… notably impacting electronics manufacturing supply chains.”

Aug 13
Medium S2wblog

Ransomware Landscape in H1 2025: Statistics and Key Issues | by S2W | S2W BLOG | Medium

The Sarcoma group is a ransomware group that first appeared in October 2024 and gained attention by targeting the Swiss government and Taiwanese PCB manufacturer Unimicron.

Aug 13
Bank Info Security

Embargo Ransomware Group Tied to $34M in Ransom Profits

...followed by Inc Ransom, Dragonforce, Nightspire, Hunters and Sarcoma.

Aug 13
Govinfosecurity

Embargo Ransomware Group Tied to $34M in Ransom Profits

...followed by Inc Ransom, Dragonforce, Nightspire, Hunters and Sarcoma.

Aug 4
Halcyon Attacks News

Power Rankings: Ransomware Malicious Quartile Q2-2025

Sarcoma ransomware has rapidly established itself as a significant threat actor since first being identified in October 2024. Despite its recent emergence, the group has gained attention for executing aggressive and high-impact attacks, often resulting in major data breaches and operational disruption.

Jul 3
Bank Info Security

Breach Roundup: Phony Chinese Sites Mimic Retail Brands

Zurich-based health nonprofit Radix disclosed Monday a ransomware attack by the Sarcoma group, with stolen files published on the darkweb, included government data. Sarcoma uses double extortion and has claimed over 100 victims globally, including in the United States, Italy and Canada.

Jun 30
The Record Media

Swiss nonprofit health organization breached by Sarcoma ransomware group

"The Swiss nonprofit health organization Radix has confirmed that its systems were breached by a ransomware group earlier this month... the threat actor known as Sarcoma had published data stolen from its systems on a leak site."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.