Hackers behind massive broadband provider WOW! breach, Hudson Rock says


Arkana Security, a new ransomware gang, has claimed responsibility for an alleged massive breach at WideOpenWest (WOW), the eighth-largest cable operator and an internet service provider (ISP) in the US. Threat researchers at Hudson Rock say that an infostealer infection led to the compromise of the company’s systems.

While the company has not yet officially confirmed the breach, detailed information posted by the threat actor and analysis by third-party researchers leaves little doubt.

“We have fully compromised Wide Open West (WOW!), gaining access to highly sensitive customer data and servers,” Arkana posted on a new data leak site on the dark web.


“If you fail to pay, the breach will go public. Your infrastructure is a complete disaster – your security is non-existent. The systems are so poorly protected that it’s clear no real effort has been made to secure anything. It’s a huge failure on your part, and the consequences will be severe.”

The threat actor is also threatening “devastating reputational damage, a massive loss of customer trust,” huge financial repercussions, lawsuits, regulatory fines, etc.

Hackers claim they extracted 403,000 user account details, including sensitive and authentication information: usernames, full names, passwords with salt, security questions and answers, email addresses, Firebase authentication details, account status information, login history, various flags, and other settings.

An additional file, “resources_services.csv”, allegedly contains 2.2 million records, including names, phone numbers, addresses, and devices.

Hackers bragged they had full backend control and even released a video clip to demonstrate their access to various company systems.

To further their point, the hackers leaked personal information allegedly belonging to Teresa L. Elder, CEO of WOW, including phone numbers, email addresses, a physical address, and a Social Security number.

The countdown timer leaves WOW over two days to react to the ransom demands at the time of writing.


WideOpenWest (WOW) is a regional internet service provider (ISP) in the US that offers broadband internet, TV, and phone services. WOW primarily operates in the Midwest and Southeast, covering Michigan, Illinois, Indiana, Tennessee, Alabama, Georgia, South Carolina, and Florida.

Cybernews has reached out to WOW for comment and will include its response.

Researchers identified infostealer infection leading to compromise

Hudson Rock researchers traced the origins of the Arkana ransomware attack to an infostealer infection in September 2024.

“This incident underscores the growing threat of infostealers as a precursor to ransomware attacks – and the urgent need for organizations to prioritize infostealer monitoring to prevent such breaches,” the report reads.

They noted three URLs pointing to critical systems used by WOW, including the Symphonica admin panel and AppianCloud infrastructure, both of which are now allegedly under the control of the ransomware group.

“What makes this breach particularly frustrating is its origin: an infostealer infection on an employee’s computer in September 2024,” the researchers claim. “Our investigation reveals that the credentials for all three URLs – wowinc.symphonica.com, wowway.com, and appiancloud.com – were harvested from this infected device.”

Infostealers are a type of malware designed to steal credentials, authentication cookies, crypto wallets, and other sensitive data. These can then be sold on the dark web or used directly by threat actors to gain unauthorized access.

Hudson Rock believes that stolen credentials gave Arkana a foothold in the WOW infrastructure, from where they were able to move laterally.

They warn that companies should employ infostealer monitoring and swift response strategies to detect malicious activity early, and should reset exposed credentials immediately once an infection is detected.
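As an added illustration of the monitoring-and-reset workflow the researchers describe (example code written for this page, not Hudson Rock’s or WOW’s tooling): it parses constructed infostealer log lines, keeps only entries for the three hostnames named in the report, and checks whether each leaked password still matches a constructed salted directory hash, so stale leaks can be separated from credentials that are still live and need an immediate reset.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hostnames named in the Hudson Rock report as the systems whose credentials were harvested.
MONITORED_HOSTS = {"wowinc.symphonica.com", "wowway.com", "appiancloud.com"}

# Constructed sample in the "URL | username | password" layout common to
# infostealer log dumps. All usernames and passwords here are fabricated.
STEALER_LOG = """\
https://wowinc.symphonica.com/admin/login | ops.user@example.invalid | Winter2024!
https://www.wowway.com/myaccount | jdoe | correct-horse
https://appiancloud.com/suite/ | jdoe | correct-horse
https://shop.unrelated.example/login | jdoe | shopping123
"""

@dataclass
class Hit:
    host: str
    username: str
    still_valid: bool  # leaked password still matches the stored hash

def _host(url: str) -> str:
    # Normalise "https://www.wowway.com/path" to "wowway.com"
    h = urlsplit(url).hostname or ""
    return h[4:] if h.startswith("www.") else h

def _salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

def make_record(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Build a (salt, hash) pair the way a constructed directory would store it."""
    return salt, _salted_hash(password, salt)

def triage(log: str, directory: dict[str, tuple[bytes, bytes]]) -> list[Hit]:
    """Return leaked credentials for monitored hosts, flagging those still live."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        url, user, pw = (p.strip() for p in line.split("|", 2))
        host = _host(url)
        if host not in MONITORED_HOSTS:
            continue  # leak for an unrelated site; not this organisation's problem
        live = False
        if user in directory:
            salt, stored = directory[user]
            live = hmac.compare_digest(_salted_hash(pw, salt), stored)
        hits.append(Hit(host, user, live))
    return hits
```

Entries with `still_valid=True` are the ones an attacker can still use and should drive an immediate forced reset; the others show the leak predates a rotation.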


“The fact that Arkana was able to access and control systems like Symphonica and AppianCloud suggests a lack of multi-factor authentication (MFA) or network segmentation,” the researchers said.

SOCRadar researchers warn WOW customers of an elevated risk of identity theft, financial fraud, and malware infections.

“With access to personal details such as Social Security numbers, credit card information, and more, affected individuals may need to monitor their financial accounts closely and consider additional protective measures like credit monitoring or identity theft protection,” the SOCRadar advisory reads.

What is Arkana Security?

Not many details about the group are available. Arkana Security is a newly emerged ransomware group that has claimed two victims, one of them being WOW. Their Onion site hints at operations based on a three-phase model: ransom, sale, and data leak.

At each stage, the gang attempts to coerce businesses into paying for the return of their compromised data.

“At Arkana Security, we force companies to confront their security failures, helping them address vulnerabilities and protect their future before the damage becomes irreversible,” the threat actor claims on its “About and Contact” page.


Arkana used the Russian language in the published video and their website, which suggests Russian origins or affiliations.
