
The cybersecurity landscape witnessed a surge in ransomware activity in late March 2025, with two new threat actors, Arkana Security and Frag, claiming attacks against telecommunications and multinational corporations. According to ASEC Blog's latest threat report [1], these groups have targeted organizations across the United States, the Netherlands, and Singapore, signaling an expansion of ransomware operations beyond traditional geographical boundaries.
TL;DR: Key Findings for Security Leaders
- Arkana Security breached a US telecom provider (undisclosed name)
- Frag ransomware hit 27 companies across three continents
- Global ransomware attacks increased 126% in February 2025 [2]
- Critical infrastructure remains the primary target (energy, healthcare, telecom)
- New triple extortion tactics combining encryption, data leaks, and harassment
Technical Analysis of New Threat Actors
The Arkana Security group employs a customized variant of the Medusa ransomware, which CISA has linked to attacks on over 300 critical infrastructure organizations [3]. Their attack on the US telecom company involved:
| Indicator | Details |
|---|---|
| Initial Access | Exploited Ivanti vulnerabilities that were added to CISA's KEV catalog [4] |
| Lateral Movement | Abused legitimate RMM tools |
| Encryption | 2048-bit RSA + ChaCha20 hybrid encryption |
Frag ransomware demonstrates more aggressive targeting, with their 27 victims including:
- 14 US-based manufacturing firms
- 9 Dutch financial services providers
- 4 Singaporean healthcare organizations
Broader Threat Landscape Context
These developments coincide with several critical security events in March 2025:
"February 2025 was the worst month in ransomware history with a 126% surge in attacks, dominated by Medusa and Qilin variants" [2]
Notable related incidents include:
- Tata Technologies data leak (1.4TB) by Hunters International [5]
- Lee Enterprises breach (350GB of financial data) by the Qilin group [6]
- Sunflower Medical Group exposure of 220,968 SSNs/medical records [7]
Defensive Recommendations
For organizations facing these emerging threats, we recommend:
- Patch Management: Prioritize updates for Ivanti, Fortinet, and Chrome vulnerabilities [8]
- Access Control: Implement strict 2FA for all privileged accounts (CISA Alert AA25-083A) [3]
- Network Segmentation: Isolate critical systems from general corporate networks
- Threat Hunting: Monitor for indicators of compromise associated with these new ransomware groups, including the abuse of legitimate RMM tools noted above
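The lateral-movement indicator in the table above (legitimate RMM tools abused by the intruder) is one of the few behaviours a hunt team can look for without vendor-specific IOCs. As an added example, not code from the original report or from ASEC, the following Python script scans process-creation telemetry (the shape a normalized Sysmon Event ID 1 export would have) for RMM client executions that are either not on the organization's approved list or run from a directory where a centrally deployed agent would never be installed. The RMM binary names, the approved-tool set, the expected install prefixes and the sample events are all constructed assumptions for this illustration, not observations from the incidents described.

```python
"""Hunt process-creation telemetry for abuse of legitimate RMM tools.

Added example: binary names, the approved-tool set, install prefixes and the
sample events are constructed assumptions, not data from the report.
"""
import json
from pathlib import PureWindowsPath

# Constructed mapping of RMM client image names (lowercased) to product names.
# Illustrative only; extend it from your own software inventory.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
}

# Where a centrally deployed RMM agent is expected to live (assumption).
EXPECTED_INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# The single RMM product this hypothetical organization has sanctioned.
APPROVED_RMM_TOOLS = {"ScreenConnect"}

# Constructed process-creation records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts": "2025-03-24T02:13:07Z", "host": "FIN-WS-041", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-03-24T08:41:55Z", "host": "HR-WS-009", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "parent": "C:\\Windows\\System32\\services.exe"}
{"ts": "2025-03-24T09:02:11Z", "host": "SRV-FILE-02", "user": "CORP\\svc-backup", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2025-03-24T09:05:40Z", "host": "HR-WS-009", "user": "CORP\\asmith", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2025-03-24T23:58:02Z", "host": "ENG-WS-117", "user": "CORP\\rlee", "image": "C:\\Users\\Public\\Downloads\\ScreenConnect.ClientService.exe", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_rmm_abuse(events, approved_tools=APPROVED_RMM_TOOLS):
    """Return one finding per event that runs an RMM client in a suspicious way.

    Two rules are applied to every known RMM binary:
      1. the product is not on the approved list;
      2. the binary runs from outside the expected install directories, which
         is how an attacker-dropped copy of an otherwise approved tool shows up.
    """
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        product = RMM_BINARIES.get(image.name.lower())
        if product is None:
            continue  # not an RMM tool we track
        reasons = []
        if product not in approved_tools:
            reasons.append(f"{product} is not an approved RMM tool")
        if not str(image).lower().startswith(EXPECTED_INSTALL_PREFIXES):
            reasons.append(f"runs from unexpected directory {image.parent}")
        if reasons:
            findings.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "user": ev["user"],
                "product": product,
                "parent": PureWindowsPath(ev["parent"]).name,
                "reasons": reasons,
            })
    return findings


def run_hunt():
    """Run the hunt over the constructed sample and return the findings."""
    return hunt_rmm_abuse(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"{f['ts']} {f['host']} {f['user']} {f['product']} "
              f"(parent {f['parent']}): {'; '.join(f['reasons'])}")
```

Against the constructed sample the hunt returns three findings: an unapproved AnyDesk client started from a user's Temp directory by cmd.exe, an unapproved TeamViewer install on a file server, and a copy of the approved ScreenConnect client running out of a Downloads folder via PowerShell. The parent process is carried into each finding because an RMM agent spawned by a shell rather than by the service control manager is the detail an analyst will want first; the real deployment's approved set and install prefixes should be filled in from the software inventory before the rules are trusted.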
Conclusion
The emergence of Arkana Security and Frag ransomware groups represents an escalation in both the technical sophistication and global reach of cybercriminal operations. With critical infrastructure organizations remaining prime targets, security teams must adopt proactive defense strategies that combine timely patching, robust access controls, and continuous threat monitoring. The integration of AI-powered tools by both attackers and defenders suggests this arms race will only intensify throughout 2025.
References
- [1] ASEC Blog, "Ransom & Dark Web Issues Week 4, March 2025" [Accessed: March 2025]
- [2] Digit.fyi, "February 2025 was the worst month in ransomware history" [Accessed: March 2025]
- [3] CISA, "Alert AA25-083A: Medusa Ransomware" [Accessed: March 2025]
- [4] "3 Ivanti flaws added to CISA's vulnerabilities catalogue" [Accessed: March 2025]
- [5] "Tata Technologies data leaked by ransomware gang" [Accessed: March 2025]
- [6] "Qilin ransomware group claims responsibility for Lee Enterprises attack" [Accessed: March 2025]
- [7] "220,968 Americans exposed in Sunflower Medical Group breach" [Accessed: March 2025]
- [8] "Critical Fortinet vulnerability draws fresh attention" [Accessed: March 2025]