Arkana
Arkana is a ransomware group/family identified in 2025 as part of a highly fragmented ransomware ecosystem composed of many short-lived operations. The provided reporting places Arkana among newly emerged ransomware groups and notes it accounted for 1 incident in the cited industrial-sector reporting. Arkana is described alongside groups such as RansomHub, CrazyHunter, and NightSpire as establishing operations using reused codebases and recycled infrastructure, indicating limited technical novelty and likely dependence on shared tooling and access ecosystems rather than unique malware development.

More broadly, the source material characterizes these 2025-era groups as commonly operating under a Ransomware-as-a-Service model, frequently relying on identity-based compromise for initial access, including stolen VPN credentials, MFA fatigue, session token hijacking, and OAuth abuse; secondary access via exploited VPN/firewall edge infrastructure; phishing and SaaS abuse such as HTML smuggling and fake login portals; and cloud/SaaS misconfigurations including over-permissioned IAM roles and exposed API tokens. The same reporting states that such groups often used lightweight, minimally obfuscated or open-source malware, and that data theft and extortion frequently replaced or preceded encryption.

Targets were primarily small and mid-sized enterprises, organizations with cyber insurance, and cloud-first environments with weak identity governance; industrial entities were also affected in the cited Dragos reporting. No specific Arkana-exclusive indicators of compromise, malware capabilities, victimology, or threat actor attribution beyond these ecosystem-level characteristics are provided in the content.
Recent activity
A ransomware family that emerged in 2025, known for exploiting edge infrastructure such as VPN appliances and firewalls, often followed by credential harvesting.
Ransomware operation referenced as minimal activity in Q2 2025 (no additional detail provided).