Just before 2021 ended, cyber security professionals stated that although organizations faced their fair share of ransomware attacks, those attacks would become more targeted and would continue well into 2022. They further predicted that ransomware operators would begin to use more sophisticated methods of extortion that would resemble nation-state advanced persistent threat attacks (APT), skipping data encryption and going straight to data exfiltration and extortion.
In December 2021, ransomware gang Sabbath left their mark when they publicly shamed a U.S. school on a dark web site because the school refused to pay their demanded ransom. The gang has flown under the radar for over a year for various reasons, but they recently made headlines because of their unique attack method. Instead of encrypting data and hoping for a big pay day, Sabbath simply steals data and extorts – a technique that is quite aggressive, yet lucrative.
As organizations attempt to stay two steps ahead of threats, cyber-criminal gangs, like Sabbath, are changing their tool kits and attack techniques to reflect those attempts. Sabbath has made it a point to target critical infrastructure with their attacks with no clear signs of slowing down. Let’s take a look at Sabbath and why they’ve gone generally unnoticed for well over a year.
In order to understand who Sabbath is, we will need to breakdown how many name changes the group has undergone. Sabbath is a mid-sized ransomware gang that targets critical infrastructure like education and healthcare. They were originally known as UC2190, and first appeared in July 2020 under the branding name, Eruption. During that time, cyber security analysts at Mandiant observed Eruption deploying ROLLCOAST ransomware, but they did not see samples of ROLLCOAST submitted to VirusTotal. The names of the businesses Eruption targeted were never disclosed, nor were the ransom payments.
Eruption appeared to fall off the grid and all was quiet until June 2021. During that month, Eruption came back under a different name – Arcane. It was during this time that analysts observed the group targeting the education, health, and natural resources sectors in the U.S. and Canada. This was also the time that the group launched their public shaming website on the dark web in an attempt to further extort victims. Researchers observed the group extorting three victims via their public shaming website in June 2021 – their names were not disclosed.
Arcane has been in operation since 2020 and has victimized 12 organizations in North America, Seven in the United States, and at least two in Canada since that time. According to Tyler McLellan, Mandiant’s principal analyst, Sabbath aka UNC2190 blurs the line between operator and affiliate and operates more along the lines of a temporary group.
“The operator appears to control how and where the ransomware is deployed, and the affiliate is providing the initial access and in exchange receives a cut of any ransom payment.” said McLellan.
Again, during this time, there were no specific reports regarding who the group attacked and how much the group was paid in ransom money. The group went dark for a while, but it wasn’t long before they re-emerged.
At this point, Arcane was still not on the public’s radar, but they were certainly on the radar of cyber security professionals. In September 2021, Mandiant discovered the threat actors posting on the hacker forum, exploit[.in], seeking partners for their new affiliate ransomware program, but this time they were operating under the name Sabbath/54BB47h. The posts were written in Russian. Arcane was actively seeking people who had access to commercial networks. Sabbath offered to pay a percentage of the ransom received to people who could exfiltrate stolen data, delete backups, and carry out certain portions of their ransomware operations.
Fortunately, Mandiant dismantled that operation and started connecting the dots between all three groups. Between September and October of 2021, Mandiant discovered a public shaming website called “Sabbath” that was publicly shaming a Texas based school because the school refused the pay the ransom after Sabbath deployed ransomware into the school’s network and systems. Sabbath even went as far as emailing students, teachers, and parents directly to apply further pressure on the school. Mandiant noticed that the group’s new public shaming website looked almost identical to the site that Arcane published in June 2021. Both sites had the same text, content, and grammatical errors – with only minor changes to logo and color scheme.
Image 1: Sabbath Public Shaming Site
Source: Mandiant.com
Image 2: Arcane's Public Shaming Site
Source: Mandiant.com
Sabbath also targeted a wine manufacturer in Belgium; however, the amount of the ransom and ransom payment is unknown. Mandiant has also seen Sabbath’s ransomware in India, Sweden, Germany, Mexico, and Japan – implying that Sabbath’s activity may be global. Sabbath has utilized public data leaks to extort their victims to pay ransom demands.
As we mentioned earlier, Sabbath was observed (by Mandiant) deploying ROLLCOAST ransomware in July 2020. Mandiant also noticed that the ransomware is a Dynamic Linked Library (DLL) with no named exports. ROLLCOAST also encrypts files on logical drives attached to a system – with only one ordinal export 0x01 to avoid detection. According to Mandiant, Sabbath could have designed the sample this way to avoid detection and be invoked within memory, through Cobalt Strike BEACON provided to affiliates.
If a system language matches any of the language codes found below, ROLLCOAST will exit the system. Their malware begins by checking the system first to detect non-supported language code. Other ransomware families have adopted this style to avoid encrypting systems that could attract the attention of law enforcement in countries where the ransomware operator and affiliates are more likely to reside.
Image 3: Language Exclusions
Source: Mandiant.com
The way analysts concluded that the three groups were one in same was through Mandiant finding similarities in their techniques. By analyzing Sabbath’s infrastructure, Mandiant was able to see the link between Eruption, Arcane and Sabbath.
Unlike other ransomware affiliate programs, Sabbath provides their affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. Sabbath has been operating for over a year and has only made minor changes to their strategies and tool kit. They recently introduced a commercial packer and rebranded their service offering. This is a good example of how well-known tools like Cobalt Strike BEACON can lead to lucrative and impactful attacks even if leveraged by smaller and unknown groups.
The use of Cobalt Strike BEACON to deploy ransomware is not unusual for ransomware gangs. What is unusual is a ransom affiliate program operator providing Cobalt Strike BEACON. This presents a challenge for attribution efforts while also offers additional avenues for detection. After bulk data is stolen as leverage, Sabbath then attempts to destroy backups.
The constant name changes may be a technique Sabbath uses to continue their ransomware campaigns and to put up a front to obfuscate who is carrying out their operations. It minimizes attention to their campaigns and gives them leverage over generating more revenue.
These kinds of ransomware attacks will appear frequently over the course of 2022. Ransomware operators are focusing on servers, as well as cloud providers – making sure to weaponize the data they exfiltrate. Trying to stop the attacks from happening (or mitigate) can be a challenge for organizations that won’t invest in securing their servers as much as they invest in securing their end points.
Sabbath has been able to keep their operations going while changing very few things about the way they attack. The fact that they don’t have to change much says more about the level of cyber security within organizations than it does about Sabbath. It’s important for organizations to go back to security basics and continue to be vigilant with protecting servers.
Prioritizing network visibility is important. Avertium recommends:
BEACON
Malware - any intrusive, unwanted software that is designed to compromise, damage, or destroy your computer, device, network, or the data contained within (example: viruses, trojans, adware, etc.).
Ransomware - malicious software that infects a device and stops users from accessing data and files until a ransom is paid.
Sabbath ransomware group rebrands, continues attacks (itbrief.com.au)
Sabbath Ransomware Targeting Healthcare, Mandiant Warns (healthitsecurity.com)
Hack 'Sabbath': Elusive new ransomware detected (techtarget.com)
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again | Mandiant
Ransomware Group Continually Rebrands to Slip Under Radar | Decipher (duo.com)
This document and its contents do not constitute and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.