Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

‘Sabbath’ Ransomware Operators Target Critical Infrastructure

Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources.

Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources.

According to a warning from Mandiant, the group previously operated under the names of Arcane and Eruption and was observed last year deploying the ROLLCOAST ransomware.

In October 2021, the group created the public naming-and-shaming site 54BB47h (Sabbath), one month after a post was discovered where the malware group announced it was looking for partners to launch a new ransomware affiliate program, Mandiant reports.

The Sabbath group came to light last month as it publicly shamed and extorted a school district in the United States, using social media sites Reddit and Twitter. The group demanded a multi-million ransom be paid after ransomware was deployed on the district’s systems.

Another characteristic that makes Sabbath stand out in the crowd is the fact that the ransomware operators were observed on two occasions providing pre-configured Cobalt Strike payloads to their affiliates. While the ransomware deployment is limited in scope, the group steals large amounts of data to leverage for extortion.

The group was observed changing not only its name, logo, and color schemes as part of rebranding efforts, but also making technical changes to the affiliate model. However, the adversary continues to make the same grammatical errors in posts on web forums, and left the Cobalt Strike beacon samples and infrastructure unchanged.

[ READ: Nations Vow to Combat Ransomware at U.S.-Led Summit ]

Since July 2021, Mandiant said the group has been using Themida to pack its malware samples and prevent detection. The Cobalt Strike beacon samples the group has been using since June have unique profile elements, the researchers also note.

A deep dive into the ROLLCOAST ransomware found that it was designed to run in memory, that it has only one ordinal export (which helps it avoid detection), and that it checks the system language and exits if one of over 40 languages in its exclusion list is found.

The malware also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap in directories, files, and extensions that are ignored during the encryption process. This suggests that elements from Tycoon were copied during ROLLCOAST’s development process.

“Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, it’s smaller size and repeated rebranding has allowed it to avoid much public scrutiny. […] UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,” Mandiant added.

Related: Nations Vow to Combat Ransomware at US-Led Summit

Related: Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.

Related: FBI Warns Ransomware Attack Could Disrupt Food Supply Chain

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.