Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources.
According to a warning from Mandiant, the group previously operated under the names of Arcane and Eruption and was observed last year deploying the ROLLCOAST ransomware.
In October 2021, the group created the public naming-and-shaming site 54BB47h (Sabbath), one month after a post was discovered where the malware group announced it was looking for partners to launch a new ransomware affiliate program, Mandiant reports.
The Sabbath group came to light last month as it publicly shamed and extorted a school district in the United States, using social media sites Reddit and Twitter. The group demanded a multi-million ransom be paid after ransomware was deployed on the district’s systems.
Another characteristic that makes Sabbath stand out in the crowd is the fact that the ransomware operators were observed on two occasions providing pre-configured Cobalt Strike payloads to their affiliates. While the ransomware deployment is limited in scope, the group steals large amounts of data to leverage for extortion.
The group was observed changing not only its name, logo, and color schemes as part of rebranding efforts, but also making technical changes to the affiliate model. However, the adversary continues to make the same grammatical errors in posts on web forums, and left the Cobalt Strike beacon samples and infrastructure unchanged.
Since July 2021, Mandiant said the group has been using Themida to pack its malware samples and prevent detection. The Cobalt Strike beacon samples the group has been using since June have unique profile elements, the researchers also note.
A deep dive into the ROLLCOAST ransomware found that it was designed to run in memory, that it has only one ordinal export (which helps it avoid detection), and that it checks the system language and exits if one of over 40 languages in its exclusion list is found.
The malware also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap in directories, files, and extensions that are ignored during the encryption process. This suggests that elements from Tycoon were copied during ROLLCOAST’s development process.
“Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, it’s smaller size and repeated rebranding has allowed it to avoid much public scrutiny. […] UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,” Mandiant added.