Saturday, December 13, 2025

2.2 Million Customer Records Allegedly Stolen by Arkana Ransomware Group

A new ransomware group called Arkana has emerged as a significant cybersecurity threat in 2025, making headlines with a devastating attack on WideOpenWest (WOW!), a major U.S. internet service provider.

The cybercriminals claim to have stolen customer databases containing approximately 403,000 and 2.2 million customer records, respectively, while also gaining control of critical backend systems, including WOW!’s AppianCloud and Symphonica platforms.

The attack, which occurred in late March 2025, marks Arkana’s debut as a formidable player in the ransomware landscape.

Growing Threat Through Qilin Network Affiliation

Security researchers have identified concerning connections between Arkana and the Qilin Network, a sophisticated Ransomware-as-a-Service (RaaS) platform operated by Qilin Ransomware, currently one of 2025’s most active cybercrime operations.

Evidence of this relationship appears on Arkana’s dark web site, where the “About & Contact” section prominently displays the Qilin Network logo, suggesting shared infrastructure or formal partnership arrangements.

The group operates a Data Leak Site (DLS) branded as “Arkana Security,” attempting to legitimize their operations by presenting themselves as a “post-penetration testing” service.

However, this facade merely covers their extortion tactics, which include maintaining a “Wall of Shame” featuring stolen data samples and personal information about company executives.

Messages from the group often contain Russian-language Cyrillic text, indicating likely Russian-speaking origins.

Arkana’s operational methodology relies heavily on credential theft as its primary attack vector.

Once valid login credentials are obtained, typically through malware-infected staff computers, the group conducts lateral movement using tools such as PsExec, Citrix, and AnyDesk remote access software.

This approach allows them to systematically explore victim networks and extract valuable information, particularly customer databases and administrative credentials.
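The lateral movement described above leaves service-installation records on each host that PsExec or AnyDesk touches. The following is an added detection sketch, not part of the original article: it flags an account that installs remote-access services on several hosts in a short window. The normalized record layout, host names, account names and timestamps are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: service-install records (Windows System log, Event ID 7045)
# normalized to (time, host, account, service_name, image_path). Layout is assumed.
EVENTS = [
    ("2025-01-10T02:11:04", "HR-WS-014", r"CORP\j.doe", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2025-01-10T02:13:40", "DB-SRV-02", r"CORP\j.doe", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2025-01-10T02:19:55", "DB-SRV-02", r"CORP\j.doe", "AnyDesk",
     r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'),
    ("2025-01-10T02:31:12", "FILE-SRV-01", r"CORP\j.doe", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2025-01-10T09:05:00", "IT-WS-003", r"CORP\helpdesk", "AnyDesk",
     r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'),
    ("2025-01-10T10:00:00", "IT-WS-003", r"CORP\helpdesk", "PrintSpoolerHelper",
     r"C:\Windows\System32\psh.exe"),
]

# Substrings that identify the remote-execution / remote-access tools named in the article.
REMOTE_TOOLS = {"psexec": "psexesvc", "anydesk": "anydesk"}

def classify(service_name, image_path):
    """Return the tool label if the service record matches a known tool, else None."""
    text = f"{service_name} {image_path}".lower()
    for tool, needle in REMOTE_TOOLS.items():
        if needle in text:
            return tool
    return None

def find_spread(events, min_hosts=3, window_minutes=60):
    """Return {account: sorted hosts} for accounts that installed remote-access
    services on at least min_hosts distinct hosts inside one sliding window."""
    window = timedelta(minutes=window_minutes)
    per_account = defaultdict(list)
    for ts, host, account, name, path in events:
        if classify(name, path):
            per_account[account].append((datetime.fromisoformat(ts), host))
    alerts = {}
    for account, hits in per_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for account, hosts in find_spread(EVENTS).items():
        print(f"ALERT {account}: remote-access services installed on {hosts}")
```

Service names can be changed by whoever runs the tool, so treat name matching as a baseline and correlate it with network-logon telemetry for the same account.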

Expanding Target Profile and Future Implications

Statistical analysis reveals that 66.7% of Arkana’s victims are located in the United States, with 33.3% in the United Kingdom.

The group demonstrates sector diversity, targeting gambling, consumer services, energy, technology, financial services, and telecommunications industries equally.

Recent activities show an evolution in their business model, including attempts to resell third-party stolen data, such as 569 GB of Ticketmaster information originally stolen by ShinyHunters.

The potential integration with Qilin’s infrastructure represents a significant escalation in Arkana’s capabilities.

Qilin provides affiliates with custom ransomware payloads built in the Rust or Go programming languages, offering adjustable encryption methods, file extensions, and ransom notes in exchange for a 15-20% commission.

This partnership could transform Arkana from a data extortion group into a full-scale ransomware operation, combining their psychological pressure tactics with actual file encryption capabilities, substantially increasing the threat level to potential victims across multiple industries.
