A new ransomware group called Sabbath (aka UNC2190) has been targeting critical infrastructure in the United States and Canada since June 2021. According to Mandiant researchers, the group is a rebrand of Arcane and Eruption gangs.
According to a warning from Mandiant, the group previously operated under the names of Arcane and Eruption and was observed last year deploying the ROLLCOAST ransomware. In September 2021, the security experts noticed a post on the exploit.in hacking forum looking for affiliated for a new ransomware operation. The activity of the new group, named 54BB47h (Sabbath), began on October 21, 2021, when the operators set up a shaming site and blog.
In October the ransomware gang infected systems at a school district in the United States and demanded a multi-million ransom.
Unlike other ransomware operations, Sabbath operators provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads.
“In contrast with most other affiliate programs, Mandiant observed two occasions where the ransomware operator provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. While the use of BEACON is common practice in ransomware intrusions, the use of a ransom affiliate program operator provided BEACON is unusual and offers both a challenge for attribution efforts while also offering additional avenues for detection.” reads the post published by Mandiant.
The Sabbath ransomware gang has targeted critical infrastructure, including education, health, and natural resources in the United States and Canada.
In July 2020, the UNC2190 threat actors deployed ROLLCOAST ransomware while they were branded as Eruption. Mandiant researchers found no evidence for the use of the same ransomware in 2021.
The ROLLCOAST ransomware runs in memory and checks the system language to avoid infecting Russia and other Commonwealth of Independent States member countries.
ROLLCOAST also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap between the ignored directories, files, and extensions including the ignored extension “.lolz”.
In 2021, BEACON samples and infrastructure from both Sabbath and Arcane ransomware affiliate services have not changed. Mandiant discovered that the ransomware operators are using the Themida packer to pack UNC2190 BEACON malware and avoid detection.
“Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, it’s smaller size and repeated rebranding has allowed it to avoid much public scrutiny.” concludes the report. “UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering. This highlights how well-known tools, such as BEACON, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.”
(SecurityAffairs – hacking, Sabbath ransomware)