
‘Sabbath’ Ransomware Operators Target Critical Infrastructure

Since June 2021, a relatively new ransomware group called Sabbath has been targeting critical infrastructure in the United States and Canada, including education, health and natural resources.

According to a warning from Mandiant, the group previously operated under the names of Arcane and Eruption and was observed last year deploying the ROLLCOAST ransomware.

In October 2021, the group created the public naming-and-shaming site 54BB47h (Sabbath), one month after a forum post was discovered in which the group announced it was looking for partners for a new ransomware affiliate program, Mandiant reports.

The Sabbath group came to light last month as it publicly shamed and extorted a school district in the United States, using social media sites Reddit and Twitter. The group demanded a multi-million ransom be paid after ransomware was deployed on the district’s systems.

Another characteristic that makes Sabbath stand out in the crowd is the fact that the ransomware operators were observed on two occasions providing pre-configured Cobalt Strike payloads to their affiliates. While the ransomware deployment is limited in scope, the group steals large amounts of data to leverage for extortion.

The group was observed changing not only its name, logo, and color schemes as part of rebranding efforts, but also making technical changes to the affiliate model. However, the adversary continues to make the same grammatical errors in posts on web forums, and left the Cobalt Strike beacon samples and infrastructure unchanged.


Since July 2021, Mandiant said the group has been using Themida to pack its malware samples and prevent detection. The Cobalt Strike beacon samples the group has been using since June have unique profile elements, the researchers also note.


A deep dive into the ROLLCOAST ransomware found that it was designed to run in memory, that it has only one ordinal export (which helps it avoid detection), and that it checks the system language and exits if one of over 40 languages in its exclusion list is found.

The malware also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap in directories, files, and extensions that are ignored during the encryption process. This suggests that elements from Tycoon were copied during ROLLCOAST’s development process.

“Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding has allowed it to avoid much public scrutiny. […] UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,” Mandiant added.


Written by Ionut Arghire, international correspondent for SecurityWeek.
