SecurityWeek
‘Sabbath’ Ransomware Operators Target Critical Infrastructure

Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources.

According to a warning from Mandiant, the group previously operated under the names of Arcane and Eruption and was observed last year deploying the ROLLCOAST ransomware.

In October 2021, the group created the public naming-and-shaming site 54BB47h (Sabbath), one month after a forum post was discovered in which the group announced it was looking for partners to launch a new ransomware affiliate program, Mandiant reports.

The Sabbath group came to light last month as it publicly shamed and extorted a school district in the United States, using social media sites Reddit and Twitter. The group demanded a multi-million ransom be paid after ransomware was deployed on the district’s systems.

Another characteristic that makes Sabbath stand out in the crowd is the fact that the ransomware operators were observed on two occasions providing pre-configured Cobalt Strike payloads to their affiliates. While the ransomware deployment is limited in scope, the group steals large amounts of data to leverage for extortion.

The group was observed changing not only its name, logo, and color scheme as part of rebranding efforts, but also making technical changes to its affiliate model. However, the adversary continues to make the same grammatical errors in posts on web forums, and has left its Cobalt Strike beacon samples and infrastructure unchanged.


Since July 2021, Mandiant said the group has been using Themida to pack its malware samples and prevent detection. The Cobalt Strike beacon samples the group has been using since June have unique profile elements, the researchers also note.


A deep dive into the ROLLCOAST ransomware found that it was designed to run in memory, that it has only one ordinal export (which helps it avoid detection), and that it checks the system language and exits if one of over 40 languages in its exclusion list is found.
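The single-ordinal-export trait is easy to check for during triage. The following is an added example, not code from the article or from Mandiant: it walks the PE export directory of a flat mapped image (RVA equals offset, as in a module dumped from memory; on-disk files need section-table translation first) and flags modules that expose exactly one export with no name. The `build_image` helper constructs synthetic test data rather than parsing any real sample.

```python
import struct

# IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major/MinorVersion,
# Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
# AddressOfNames, AddressOfNameOrdinals (40 bytes, little-endian).
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")

def parse_exports(image, export_rva):
    """Walk the export directory of a flat mapped image (RVA == offset).
    Returns a list of (ordinal, name-or-None, function RVA)."""
    (_, _, _, _, _, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = EXPORT_DIR.unpack_from(image, export_rva)
    names = {}  # index into the function table -> exported name
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        idx = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
        names[idx] = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
    exports = []
    for i in range(n_funcs):
        rva = struct.unpack_from("<I", image, funcs_rva + 4 * i)[0]
        if rva:  # zero entries are unused slots in the ordinal range
            exports.append((base + i, names.get(i), rva))
    return exports

def single_ordinal_only(exports):
    """The trait described above: exactly one export, reachable by ordinal only."""
    return len(exports) == 1 and exports[0][1] is None

def build_image(func_rvas, named, base=1):
    """Constructed test data (not a real sample): a 0x600-byte flat image with
    the export directory at 0x100 and its tables at 0x200/0x300/0x400."""
    img = bytearray(0x600)
    for i, rva in enumerate(func_rvas):
        struct.pack_into("<I", img, 0x200 + 4 * i, rva)
    cursor = 0x500  # name strings live here
    for j, (idx, name) in enumerate(named):
        struct.pack_into("<I", img, 0x300 + 4 * j, cursor)
        struct.pack_into("<H", img, 0x400 + 2 * j, idx)
        img[cursor:cursor + len(name) + 1] = name.encode("ascii") + b"\0"
        cursor += len(name) + 1
    EXPORT_DIR.pack_into(img, 0x100, 0, 0, 0, 0, 0, base, len(func_rvas),
                         len(named), 0x200, 0x300, 0x400)
    return bytes(img)

if __name__ == "__main__":
    suspicious = build_image([0x1000], [])  # one nameless export
    benign = build_image([0x1000, 0x2000], [(0, "Init"), (1, "Run")])
    print("ROLLCOAST-like:", single_ordinal_only(parse_exports(suspicious, 0x100)))
    print("normal DLL    :", single_ordinal_only(parse_exports(benign, 0x100)))
```

A single nameless export is only a weak indicator on its own; treat it as one triage signal alongside packer and language-check findings.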

The malware also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap in directories, files, and extensions that are ignored during the encryption process. This suggests that elements from Tycoon were copied during ROLLCOAST’s development process.

“Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding has allowed it to avoid much public scrutiny. […] UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,” Mandiant added.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.