‘Sabbath’ Ransomware Operators Target Critical Infrastructure

Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources.

According to a warning from Mandiant, the group previously operated under the names of Arcane and Eruption and was observed last year deploying the ROLLCOAST ransomware.

In October 2021, the group launched 54BB47h (a leetspeak rendering of "Sabbath"), a public naming-and-shaming leak site, one month after a forum post was discovered in which the group announced it was seeking partners for a new ransomware affiliate program, Mandiant reports.

The Sabbath group came to light last month when it publicly shamed and extorted a school district in the United States via Reddit and Twitter. The group demanded a multi-million-dollar ransom after deploying ransomware on the district's systems.

Another characteristic that sets Sabbath apart is that the operators were observed, on two occasions, handing pre-configured Cobalt Strike payloads to their affiliates. While the ransomware deployment itself is limited in scope, the group steals large amounts of data to use as leverage for extortion.

The group was observed changing not only its name, logo, and color schemes as part of rebranding efforts, but also making technical changes to the affiliate model. However, the adversary continues to make the same grammatical errors in posts on web forums, and left the Cobalt Strike beacon samples and infrastructure unchanged.

Since July 2021, Mandiant said, the group has been using the commercial Themida packer on its malware samples to evade detection. The Cobalt Strike beacon samples the group has used since June also carry unique profile elements, the researchers note.

A deep dive into the ROLLCOAST ransomware found that it is designed to run in memory, that it exposes only a single export, reachable by ordinal rather than by name (which helps it avoid detection), and that it checks the system language and exits if the language matches one of the more than 40 entries on its exclusion list.
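A binary that exposes exactly one export and no export names is a cheap triage signal worth hunting for. The script below is added here as an illustration; it is not Mandiant's tooling and not code from ROLLCOAST. It parses the PE export directory by hand (no `pefile` dependency) and flags DLLs whose export table holds a single function and an empty name table. The fixture DLL it builds (`build_sample_pe`, module name `sample.dll`, export `Run`) is constructed for this example, and the heuristic itself is an assumption about what such a loader looks like, not a signature from the report.

```python
"""Flag PE files whose export table holds one function and no names.
Added example with a constructed fixture; not the page's or Mandiant's code."""
import struct
import sys

EXPORT_DIR_INDEX = 0      # IMAGE_DIRECTORY_ENTRY_EXPORT
PE32PLUS_MAGIC = 0x20B


def _cstr(data: bytes, off: int) -> str:
    """Read a NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", errors="replace")


def _rva_to_offset(rva: int, sections: list) -> int:
    """Translate an RVA to a file offset using the section table."""
    for vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} falls outside every section")


def parse_exports(data: bytes) -> dict:
    """Walk DOS -> PE -> optional header -> export directory and summarise it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # PE32+ carries 16 extra bytes before NumberOfRvaAndSizes / DataDirectory.
    count_off = opt_off + (108 if magic == PE32PLUS_MAGIC else 92)
    dirs_off = opt_off + (112 if magic == PE32PLUS_MAGIC else 96)
    empty = {"module": None, "functions": 0, "names": 0, "exported_names": []}
    if struct.unpack_from("<I", data, count_off)[0] <= EXPORT_DIR_INDEX:
        return empty
    exp_rva, _size = struct.unpack_from("<II", data, dirs_off + 8 * EXPORT_DIR_INDEX)
    if exp_rva == 0:
        return empty
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sec_off + i * 40 + 8)
        sections.append((vaddr, vsize, rawptr, rawsize))
    ed = _rva_to_offset(exp_rva, sections)
    name_rva, _base, nfuncs, nnames, funcs_rva, names_rva, _ords = struct.unpack_from("<7I", data, ed + 12)
    funcs_off = _rva_to_offset(funcs_rva, sections)
    # Gaps in the ordinal range are zero entries; count only populated slots.
    functions = sum(1 for i in range(nfuncs)
                    if struct.unpack_from("<I", data, funcs_off + 4 * i)[0])
    names = []
    if nnames:
        names_off = _rva_to_offset(names_rva, sections)
        for i in range(nnames):
            rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            names.append(_cstr(data, _rva_to_offset(rva, sections)))
    module = _cstr(data, _rva_to_offset(name_rva, sections)) if name_rva else None
    return {"module": module, "functions": functions, "names": len(names), "exported_names": names}


def is_single_ordinal_only_export(info: dict) -> bool:
    """Hunting heuristic (assumption): one populated export, empty name table."""
    return info["functions"] == 1 and info["names"] == 0


def build_sample_pe(named_export: bool) -> bytes:
    """Construct a minimal PE32+ DLL fixture with one export, named or ordinal-only."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # COFF hdr
    opt = 0x58
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, opt + 108, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112, 0x1000, 0x60)       # export dir RVA/size
    sec = opt + 240
    img[sec:sec + 8] = b".edata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x100, 0x1000, 0x100, 0x200)
    raw, n = 0x200, int(named_export)
    struct.pack_into("<7I", img, raw + 12, 0x1040, 1, 1, n,
                     0x1028, 0x1030 if n else 0, 0x1038 if n else 0)
    struct.pack_into("<I", img, raw + 0x28, 0x2000)             # AddressOfFunctions[0]
    struct.pack_into("<I", img, raw + 0x30, 0x1050)             # AddressOfNames[0]
    struct.pack_into("<H", img, raw + 0x38, 0)                  # AddressOfNameOrdinals[0]
    img[raw + 0x40:raw + 0x4B] = b"sample.dll\0"
    img[raw + 0x50:raw + 0x54] = b"Run\0"
    return bytes(img)


if __name__ == "__main__":
    blobs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
            [("fixture-named", build_sample_pe(True)), ("fixture-ordinal", build_sample_pe(False))]
    for label, blob in blobs:
        info = parse_exports(blob)
        print("SUSPECT" if is_single_ordinal_only_export(info) else "ok     ", label, info)
```

Run it with no arguments to see both fixtures classified, or pass DLL paths to triage real files. The check is deliberately narrow; plenty of legitimate plugins export by ordinal, so treat a hit as a reason to look closer (packer, in-memory-only behaviour, language check) rather than as a verdict on its own.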

The malware also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap in directories, files, and extensions that are ignored during the encryption process. This suggests that elements from Tycoon were copied during ROLLCOAST’s development process.

“Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding has allowed it to avoid much public scrutiny. […] UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,” Mandiant added.

Related: Nations Vow to Combat Ransomware at US-Led Summit

Related: Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.

Related: FBI Warns Ransomware Attack Could Disrupt Food Supply Chain

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
