Cyber Threat Actor: Sarcoma

Sarcoma operates as a ransomware threat actor, employing data exfiltration and encryption to pressure victims into meeting financial demands. The group gained public recognition following a June 2025 cyberattack against Radix, a Swiss health sector non-profit organization. During this incident, Sarcoma compromised systems to steal sensitive information before deploying ransomware, threatening to release stolen data unless payment was made. The targeted organization mitigated the attack by revoking access to compromised infrastructure and activating unaffected backups, though damage assessments indicated substantial operational impact. Swiss cybersecurity authorities were notified, but investigations into Sarcoma's initial access methods remained unresolved as of the latest reporting.

This actor has demonstrated a specific interest in healthcare-related entities, with its sole publicly documented operation focusing on a Swiss non-profit. The group's strategic objective centers on financial extortion through dual mechanisms of data exposure threats and system encryption. While Sarcoma's attack against Radix confirms capabilities in data exfiltration and ransomware deployment, technical specifics regarding malware variants, persistence mechanisms, or tooling preferences remain undocumented in available sources. No verifiable information exists regarding the group's geographic base, organizational structure, or potential affiliations with state or criminal entities. The Swiss healthcare incident stands as Sarcoma's only publicly attributed operation to date, illustrating a pattern of targeting organizations where potential data sensitivity could increase leverage in extortion attempts.