Arkana ransomware group has claimed responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers.
The attack, traced back to a September 2024 infection, reportedly exposed over 403,000 customer accounts and compromised backend systems critical to WOW!’s operations.
Founded in 1996 and headquartered in Denver, WideOpenWest is the eighth-largest cable operator in the United States. The company serves approximately 538,000 subscribers across ten states, offering broadband internet, digital television, and VoIP services. Its network infrastructure spans 1.9 million homes and businesses, making it a significant target in terms of both scale and customer impact.
The breach was first brought to public attention by vx-underground on X (formerly Twitter), who shared a bizarre music video montage created by the threat actors themselves. The video showcased Arkana’s access to three critical WideOpenWest systems: wowinc.symphonica.com, wowway.com, and appiancloud.com. These URLs point to internal administrative panels and cloud-based business infrastructure that the group claims to have under its control. The stolen data, along with the systems themselves, are now being used in an active extortion attempt.
Arkana ransomware group claims to have compromised an Internet Service Provider in California.
— vx-underground (@vxunderground) March 25, 2025
They were even nice enough to put together a music video montage illustrating the level of access they possess. pic.twitter.com/3DYHFLaq5H
The incident was analyzed by Hudson Rock, whose researchers linked the breach to an infostealer infection that occurred in September 2024. Using their Cavalier intelligence platform, they traced the stolen credentials to a compromised employee workstation. The stolen authentication data enabled the group to bypass access controls, move laterally within the network, and seize administrative access to WOW!’s customer management systems.
Arkana’s extortion message, posted on their darknet leak site, delivers a stark ultimatum: pay a “generous fee” disguised as a “penetration test and security audit,” or face public exposure of the breach. The group’s message accuses WOW! of operating with “non-existent” security and threatens consequences ranging from reputational damage to regulatory penalties under GDPR and CCPA. The group further claims the ability to push malware to WOW! customers, raising concerns about secondary infections and further downstream exploitation.
The attack illustrates a disturbing trend in ransomware operations where infostealer infections serve as the initial foothold for full-scale ransomware intrusions. Infostealers harvest login credentials, browser cookies, and session tokens, which are later sold on dark web markets or directly weaponized by ransomware groups like Arkana. In this case, stolen credentials for WOW!’s Symphonica admin panel and AppianCloud platform facilitated unfettered access to internal systems.
Hudson Rock’s report emphasizes that WOW! failed to act on early warning signs to stop what they claim was a perfectly preventable breach. Had the infostealer infection been detected promptly, steps such as resetting credentials, enforcing multi-factor authentication (MFA), and segmenting internal networks could have significantly limited the attacker’s access.
WoW is saying this is a hoax.