
Taiwanese printed circuit board (PCB) manufacturer Unimicron has become the latest target of the ransomware group Sarcoma, which has claimed responsibility for an attack against the company. The cybercriminals allege they have exfiltrated 377 GB of SQL files and sensitive documents from Unimicron’s systems and have threatened to leak the stolen data next week if their ransom demands are not met.
Sarcoma’s claim was published on its leak site yesterday, alongside samples of files purportedly stolen during the cyberattack. While Unimicron has acknowledged a ransomware incident in a filing with the Taiwan Stock Exchange (TWSE), it has not confirmed a data breach or commented on Sarcoma’s allegations.
Unimicron, a publicly traded company, is a leading manufacturer of rigid and flexible PCBs, high-density interconnection (HDI) boards, and integrated circuit (IC) carriers. With operations spanning Taiwan, China, Germany, and Japan, its products are widely used in LCD monitors, computers, peripherals, and smartphones.
In its disclosure, Unimicron stated that the attack occurred on January 30 and impacted its China-based subsidiary, Unimicron Technology (Shenzhen) Corp. The company described the disruption as limited and confirmed it had engaged an external cybersecurity forensic team to analyze the incident and strengthen its defenses. However, it did not specify the extent of data exposure or financial impact.
Cybersecurity analysts have flagged Sarcoma as a rapidly emerging ransomware threat. The group surfaced in October 2024 and quickly escalated its operations, claiming 36 victims within its first month. Cybersecurity firm CYFIRMA identified Sarcoma as a growing threat in November 2024, warning of its aggressive tactics. By December 2024, industrial cybersecurity intelligence firm Dragos listed Sarcoma among the most significant emerging threats to industrial organizations worldwide.
According to research by cybersecurity firm RedPiranha, Sarcoma operators primarily use phishing emails and exploit known vulnerabilities to gain initial access. They have also been linked to supply chain attacks, enabling them to pivot from service vendors to clients. Following a breach, Sarcoma employs Remote Desktop Protocol (RDP) exploitation, lateral movement, and data exfiltration techniques. However, the exact tools and origins of the ransomware group remain undetermined.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.