Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Arcus Media ransomware recovery team on standby
Arcus Media emerged in May 2024 as a Brazilian-origin RaaS group focusing on Latin American organisations, combining selective encryption with data-extortion pressure via a Portuguese-language leak site. Isolate affected systems immediately and contact UnderDefense — do not attempt containment or negotiation alone.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Arcus Media attack can make a huge difference and help you make a full recovery. Request 24/7 Arcus Media ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Arcus Media employs selective encryption strategy: files smaller than 2MB are fully encrypted, while larger files (>2MB) are only partially encrypted (first and last 1MB). This optimization reduces encryption time, enabling rapid deployment across large file systems while maintaining encryption appearance.
Unlike generic file extensions, Arcus appends victim-specific identifiers to encrypted files: [filename].[victim_ID].[attacker_email].Arcus. This enables gang-side tracking of victim infections, ransom payment status, and facilitates targeted re-exploitation of non-paying victims.
Arcus uses the OpenSSL library for encryption, employing the Chacha20 cipher for file encryption combined with RSA key wrapping. The reliance on standard OpenSSL suggests code reuse or adaptation from earlier ransomware variants.
Arcus specifically targets Latin American organizations (Brazil, Colombia, Argentina), suggesting language expertise, familiarity with regional banking systems, and lower law enforcement capacity for investigation compared to North American targets.
Ransom notes include popup windows demanding payment in addition to text files, increasing user awareness of encryption and amplifying organizational pressure compared to silent encryption.
No legitimate public decryptor exists. Chacha20 combined with RSA encryption is cryptographically secure. Recovery requires offline backups or ransom payment. Law enforcement coordination with Brazilian authorities may enable C2 infrastructure disruption, though ransomware key recovery is uncommon.
Search for [filename].[ID].[email].Arcus file extensions across affected systems. Ransom notes named Arcus-ReadMe.txt and popup windows provide victim indicators. Monitor for OpenSSL process execution with unusual Chacha20 cipher operations. Monitor for Mimikatz execution and RDP/lateral movement patterns.
File Extensions
[filename].[ID].[email].Arcus (example: document.txt.[9ECFA84E-3537].[[email protected]].Arcus)
Ransom Note Filenames
Arcus-ReadMe.txt, info.txt (Phobos variant), popup window notification with similar content
Arcus Media Hashes
SHA256 hashes vary per affiliate and compilation. Known Phobos variant samples are documented in threat intelligence. Signature-based detection is unreliable; behavioral analysis required.
Arcus Media Tools
Reconnaissance: Network enumeration, system inventory
Credential Dumping: Mimikatz for elevated privilege access
Lateral Movement: RDP, Cobalt Strike, SMB administrative shares
Persistence: Scheduled tasks, registry modifications
Data Exfiltration: Rclone, legitimate cloud storage
Encryption: OpenSSL Chacha20 implementation
Evasion: Process suspension, recovery mechanism disabling (shadow copy deletion, boot option disabling)
Most Common Red Flag
Files with [ID].[email].Arcus extension appearing across infected systems, combined with Arcus-ReadMe.txt ransom notes, Mimikatz execution artifacts, RDP connection logs from Brazilian IP addresses, and disabled recovery options (shadow copies deleted, boot repair disabled).
Attack vector | % of Arcus incidents | Notes |
Compromised RDP Credentials | 50% | Credentials from breach databases; weak password brute force |
Phishing with Malware | 30% | Credential stealer attachments, reverse shell delivery |
Unpatched Applications | 12% | RCE in web applications, content management systems |
Supply Chain/IAB Access | 8% | Initial Access Broker credential or third-party compromise |
A Brazilian manufacturing firm refused payment; Arcus leaked proprietary manufacturing processes and customer lists on dark web, triggering supply chain disruption. A financial services organization paid ransom; data was later discovered on multiple dark web forums despite gang promises. A healthcare organization coordinated with law enforcement; partial infrastructure disruption of Arcus C2 delayed re-infection, enabling partial recovery.
Isolate all systems with [ID].[email].Arcus extensions from network immediately. Scan for and delete Arcus-ReadMe.txt ransom notes and popup windows. Disable and remove Mimikatz artifacts and persistence mechanisms (scheduled tasks, registry modifications). Restore from verified offline backups. Monitor for re-infection attempts for 6+ months; re-infection via compromised credentials is common.
Complete recovery from offline backups is required. Assume all credentials compromised; force password reset network-wide with MFA enforcement. Restore systems from verified clean snapshots, testing for malware before production use. Implement network segmentation to isolate critical data. Monitor RDP and credential usage for unusual patterns for 6+ months. Engage law enforcement and negotiation specialist.
Arcus Media demands range from $100,000 to $2,000,000 depending on victim organization size and data sensitivity. Latin American and Philippines targets typically receive lower demands ($300K average) compared to North American targets ($800K+ average). Negotiation is possible; reported settlement rates are 40-60% of initial demand.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowArcus Media is a double-extortion ransomware group that emerged in May 2024, based in Brazil and targeting Latin American organizations primarily, with secondary focus on the Philippines and North America. The gang uses selective encryption (small files encrypted fully, large files partially encrypted) and victim-specific file extensions ([filename].[ID].[attacker_email].Arcus) enabling gang-side victim tracking. Ransom notes are named Arcus-ReadMe.txt with popup windows, and the group operates a public leak site threatening data release within 7-14 days.
Attribution indicates Brazilian-origin operations based on infrastructure patterns, targeting focus on Latin American organizations, and language expertise in Spanish and Portuguese. The group maintains infrastructure in South American hosting providers and demonstrates familiarity with regional banking and payment systems. No definitive nation-state affiliation; group appears financially motivated.
Arcus Media gains initial access through compromised RDP credentials (obtained from breach databases or password brute force), phishing campaigns delivering credential-stealing malware, or exploitation of unpatched web applications. Operators establish persistence, conduct reconnaissance using network enumeration, exfiltrate sensitive data via rclone to cloud storage, and deploy the OpenSSL Chacha20-based ransomware encryptor. The selective encryption strategy optimizes encryption speed for rapid deployment.
From initial credential compromise to encryption deployment, Arcus Media attacks average 3-7 days of dwell time for reconnaissance and data exfiltration. The selective encryption strategy enables rapid encryption—a 500GB datastore can be encrypted within 4-8 hours depending on storage performance, reducing detection opportunity.
No legitimate public decryptor exists. Chacha20 combined with RSA encryption is cryptographically secure. Some victims who paid ransom report keys were provided and partially functional, recovering 70-90% of files. Recovery without ransom requires offline backups or law enforcement key recovery from seized Brazilian infrastructure.
All files encrypted with [ID].[email].Arcus extensions become inaccessible. Popup windows and ransom notes appear demanding payment, and the gang publishes victim names and sample data on their leak site threatening complete data release within 7-14 days. For Latin American organizations, regulatory obligations for breach notification under local data protection laws trigger fines and investigations. Manufacturing targets face supply chain disruption.
Implement multi-factor authentication on all RDP and remote access endpoints. Assume credentials from breach databases are compromised; rotate passwords quarterly. Disable or restrict internet-facing RDP; use jump hosts instead. Monitor for RDP brute force attempts; implement account lockout policies. Implement email filtering to block credential-stealing attachments. Maintain offline, immutable backups tested quarterly. Conduct regular vulnerability assessments on publicly exposed applications.
– Enforce MFA on all RDP, SSH, VPN, and administrative accounts
– Disable or restrict internet-facing RDP; use VPN with jump hosts instead
– Monitor for RDP brute force attempts; implement account lockout policies (5 failures = 30-minute lockout)
– Implement email filtering to block credential-stealing attachments
– Patch all publicly exposed web applications within 48 hours of CVE notification
– Maintain offline, encrypted backup copies tested quarterly
– Monitor for Mimikatz execution; implement application allowlist restricting Mimikatz use
– Implement network segmentation to isolate critical data
– Deploy EDR with detection rules for Chacha20 encryption operations
– Monitor for suspicious RDP connections from Brazilian IP addresses; block if not required
Selective encryption serves multiple operational advantages:
1) Reduces encryption time from days to hours, minimizing detection window
2) Reduces I/O load on infected systems, enabling continued normal operations (hiding infection)
3) Maintains data accessibility perception (partial files readable) while still preventing full recovery
4) Enables faster victim re-encryption if ransom negotiation fails
Arcus Media’s victim-specific file extension format ([ID].[email].Arcus) enables gang-side tracking of which victims have paid, which haven’t, and facilitates re-targeting of non-payers. The selective encryption strategy is more sophisticated than typical ransomware, suggesting technical maturity. The Brazilian origin and Latin American focus represent geographic specialization uncommon in global ransomware ecosystem.