Sarcoma ransomware claims breach at giant PCB maker Unimicron

A relatively new ransomware operation named ‘Sarcoma’ has claimed responsibility for an attack against the Unimicron printed circuit boards (PCB) maker in Taiwan.

The cybercriminals have published samples of files allegedly stolen from the company’s systems during the attack and threaten to leak everything next week if a ransom is not paid.

In a new listing added to Sarcoma’s leak site yesterday, the threat actors claim to be holding 377 GB of SQL files and documents exfiltrated from the Taiwanese company.

Unimicron is a public company manufacturing rigid and flexible PCBs, high-density interconnection (HDI) boards, and integrated circuit (IC) carriers.

The company is one of the largest PCB manufacturers in the world, with plants and service centers in Taiwan, China, Germany, and Japan. Its products are extensively used in LDC monitors, computers, peripherals, and smartphones.

Unimicron disclosed in a bulletin published in the Taiwan Stock Exchange (TWSE) portal that on February 1 it suffered disruption from a ransomware attack.

According to the statement, the incident occurred on January 30 and impacted Unimicron Technology (Shenzhen) Corp., its China-based subsidiary.

The firm said the impact of the attack is limited, and informed it has engaged an external cyber forensic team to conduct incident analysis and help with implementing defense measures.

Unimicron did not confirm a data breach, though. Meanwhile, the samples Sarcoma leaked on its extortion portal appear authentic.

BleepingComputer has reached out to Unimicron to ask for an updated statement addressing Sarcoma’s allegations, but a comment wasn’t immediately available.

Rapid rise to high-volume operations

Sarcoma launched its first attacks on October 2024, and quickly grew to one of the most active and prolific ransomware gangs on the same month, claiming 36 victims.

In November 2024, cybersecurity specialists at CYFIRMA warned: “Sarcoma ransomware is rapidly becoming a significant threat due to its aggressive tactics and increasing victim count.”

In December 2024, operational technology cyber threat intelligence company Dragos listed Sarcoma among the most important emerging threats for industrial organizations worldwide.

A report by RedPiranha shares more details about Sarcoma, explaining that its operators employ phishing emails and n-day vulnerabilities exploitation to gain initial access, while they have also conducted supply chain attacks to pivot from service vendors to their clients.

Post-compromise, Sarcoma engages in RDP exploitation, lateral movement, and data exfiltration.

However, the tools the threat group uses have not been analyzed yet, so although the threat group’s operation indicates experience in the field, its exact origin and tactics haven’t been deciphered yet.

Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally

DPRK hackers dupe targets into typing PowerShell commands as admin

Free online web security scanner