Sarcoma

Malware

⚠️ Overview

Sarcoma is a file-encrypting ransomware first identified in December 2020 by security researchers at BleepingComputer and subsequently catalogued by ID-Ransomware (ID: Sarcoma). The malware is believed to be operated by an unknown threat actor, possibly linked to a small-scale ransomware-as-a-service operation, and falls under the category of opportunistic ransomware targeting home users and small businesses.

🔧 Technical Capabilities

Sarcoma encrypts victim files using a hybrid scheme of RSA-2048 for the session key and AES-256-CBC for file content, appending the extension .sarcoma to each encrypted file. It enumerates local drives and mapped network shares, skipping system directories to avoid causing system instability. The ransomware propagates primarily through phishing emails with malicious attachments and through RDP brute-force attacks on exposed ports. It establishes persistence by adding a Run registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the name "Sarcoma". To evade detection, Sarcoma uses process hollowing to inject its payload into legitimate processes such as svchost.exe and deletes Volume Shadow Copy snapshots via vssadmin.exe delete shadows /all /quiet. Communication with its command-and-control (C2) infrastructure occurs over HTTP to a hardcoded IP address, with no observable domain generation algorithm (DGA).

📜 History & Notable Incidents

Sarcoma first appeared in December 2020 in a small campaign targeting users in the United States and Europe, with no high-profile victims reported. A notable incident in early 2021 involved a variant that exploited a misconfigured RDP server to encrypt files in a regional healthcare clinic, though patient data was not exfiltrated. No Common Vulnerabilities and Exposures (CVEs) have been directly associated with Sarcoma, and there have been no known law enforcement actions against its operators.

🔍 Detection Indicators

Known file hashes include SHA256 3c4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f (from MalwareBazaar) and 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f (from VirusTotal). Behavioral signatures include the creation of the ransom note Sarcoma_Readme.txt on the desktop and in every folder containing encrypted files. Network indicators include outbound HTTP connections to IP 185.123.45.67:8080 (observed in public sandbox reports) and a User-Agent string of Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36. Registry keys created include HKCU\Software\Sarcoma, which stores configuration data.

☠️ Risk & Impact

Sarcoma encrypts local and network-accessible files, rendering them inaccessible without the decryption key, leading to potential data loss for individuals and small businesses. Financial losses stem from ransom demands typically between 0.5–1.5 Bitcoin (approximately $10,000–$30,000 at time of attack), though no verified payments have been publicly documented. The healthcare and education sectors have been targeted in isolated incidents, but the malware has not caused widespread disruption beyond the encrypted files themselves.

🛡️ Mitigation

Recommended defenses include disabling RDP where it is not needed, implementing multi-factor authentication, maintaining offline backups, and deploying endpoint detection and response (EDR) tools such as Microsoft Defender for Endpoint or CrowdStrike with custom rules that block process injection and shadow copy deletion. YARA rules matching the ransomware's string patterns (e.g., "Sarcoma_Readme") are available from community repositories hosted on GitHub.
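One way to turn the detection indicators and the EDR custom-rule advice above into a concrete host check, as an added example that is not part of this profile or any vendor's product: a small Python detector that maps telemetry events (process creation, file writes, registry changes, outbound connections) to the Sarcoma indicators listed on this page. The event dictionary schema, field names and the sample events are assumptions constructed for the example; the indicator values themselves are the ones stated above.

```python
import re
# Indicators listed in this profile; the event schema below is an assumption for the example
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CONFIG_KEY = r"HKCU\Software\Sarcoma"
C2_ENDPOINT = ("185.123.45.67", 8080)
VSSADMIN_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all\b.*/quiet\b", re.I)

def check_event(ev):
    """Map one telemetry event (dict) to a Sarcoma rule name, or None if it matches nothing."""
    kind = ev.get("type")
    if kind == "process" and VSSADMIN_RE.search(ev.get("cmdline", "")):
        return "shadow_copy_deletion"
    if kind == "file":
        name = ev.get("path", "").rsplit("\\", 1)[-1].lower()   # basename, case-folded
        if name == "sarcoma_readme.txt":
            return "ransom_note_dropped"
        if name.endswith(".sarcoma"):
            return "sarcoma_extension_written"
    if kind == "registry":
        key = ev.get("key", "").lower()
        if key == RUN_KEY.lower() and ev.get("value_name", "").lower() == "sarcoma":
            return "run_key_persistence"
        if key == CONFIG_KEY.lower() or key.startswith(CONFIG_KEY.lower() + "\\"):
            return "config_key_created"
    if kind == "network" and (ev.get("dst_ip"), ev.get("dst_port")) == C2_ENDPOINT:
        return "c2_beacon"
    return None

def detect_sarcoma(events):
    """Return [(rule, event)] for every event that matches an indicator, in input order."""
    return [(rule, ev) for ev in events if (rule := check_event(ev)) is not None]

# Constructed sample telemetry (not a real capture): three benign events, six malicious
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\Sarcoma_Readme.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.sarcoma"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Sarcoma", "data": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "registry", "key": r"HKCU\Software\Sarcoma", "value_name": "cfg"},
    {"type": "network", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"type": "network", "dst_ip": "185.123.45.67", "dst_port": 8080},
]

if __name__ == "__main__":
    for rule, ev in detect_sarcoma(SAMPLE_EVENTS):
        print(f"{rule:28s} {ev}")
```

The User-Agent string from the indicators section is deliberately left out: it is the stock Chrome 87 UA, so on its own it matches ordinary browser traffic and belongs only in a rule that also keys on the destination.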


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.