An unholy threat: ransomware gang dubbed ‘Sabbath’ targeting critical US infrastructure
Posted by: GuidePoint Security
Published 12/8/21, 9:00am
Industry researchers are warning organizations operating in education, healthcare, and natural resources in the United States and Canada of an emerging ransomware group calling themselves “Sabbath.” Researchers have observed the gang targeting these critical infrastructure areas since June 2021. Further announcements from the gang advertising the launch of a new ransomware affiliate program appeared this past October.
Researchers believe that the Sabbath gang (also known as “54BB47h”) may be the rebranded name of a group that has formerly gone by the names “Arcane” and “Eruption.” These repeated rebranding efforts have likely enabled the gang to fly under the radar and avoid excessive public scrutiny.
Techniques used by the group include publicly shaming victims on social media sites, multimillion-dollar ransom demands, attempts to destroy victim backup data before encryption, and the use of pre-configured Cobalt Strike BEACON backdoor payloads. The gang is also known for stealing large amounts of data and threatening to leak it, so paying for a decryptor does not end the extortion. In the case of one victim school district, the gang emailed staff, parents, and students directly to put pressure on the district. In November 2021, the Sabbath ransomware group launched a public shaming blog that lists current victims.
An earlier ransomware payload used by Sabbath/Arcane has been dubbed ROLLCOAST. Notably, ROLLCOAST checks the system language before running and exits if the language is one of more than 40 excluded languages, including Russian, Croatian, Slovak, Belarusian, Thai, Hindi, Persian, and Vietnamese; in practice this steers the payload toward English-speaking victims. Researchers have also noted code similarities between ROLLCOAST and the Tycoon ransomware.
Next Steps
Organizations are reminded that the risk of a ransomware attack can be reduced by promptly patching vulnerabilities and keeping systems and software up to date, and by deploying anti-phishing controls. Because this gang specifically tries to destroy backups, organizations should also keep offline or immutable backups and regularly test that they can restore from them. Businesses are further urged to enforce strong, unique passwords, rotate any credentials that may have been exposed, and require multifactor authentication. If an organization believes it has been the victim of a ransomware attack, it should work with a professional ransomware investigation and response team.