‘Sabbath’: Elusive new ransomware detected

A small but effective ransomware operation has been conducting attacks largely undetected, thanks to its size and novel techniques.

Mandiant reported Monday that the operation, designated UNC2190 or “Sabbath,” was launched in September and began attacks in October. Since then, the group has claimed to have infected a number of organizations and has threatened to release the pilfered data should the ransom demand go unheeded. According to a blog post by Mandiant, the Sabbath ransomware group has attacked and extorted at least one U.S. school district.

As with other ransomware operations, Sabbath is believed to operate largely on the ransomware-as-a-service model, in which the operators hire individual “affiliate” hackers to do the on-the-ground work of infiltrating networks and installing the ransomware.

Part of the danger posed by the Sabbath ransomware operation is that the group has been able to evade detection due to several factors. First, the group has modified its tools, including the Cobalt Strike Beacon remote control tool, in order to avoid detection.

Also helping keep the attacks off the radar was the size of the operation relative to other ransomware brands. Mandiant believes that Sabbath has its roots in a previous ransomware campaign called Arcane. Both are thought to be run by the same UNC2190 group. But unlike with larger, better-known ransomware crews, UNC2190’s pivot from Arcane to Sabbath was not immediately picked up.

Tyler McLellan, a principal analyst at Mandiant and co-author of the blog post, told SearchSecurity that while it’s not unusual for large ransomware groups to rebrand their operations, a small, relatively unknown crew like Arcane doesn’t usually change its brand.

“We’ve seen some of the larger groups like DarkSide and Babuk rebrand when public and government pressure was too great,” McLellan explained. “In the case of the smaller groups like Sabbath, it could be rebranded over much more mundane reasons such as a payment dispute between group members and a rebranding is an attempt to start fresh minus the problem group members.”

Even if it is not as big as the likes of DarkSide or Babuk, Sabbath could still have some influence over the ransomware scene. McLellan said that some of Sabbath’s techniques, particularly its use of various modified malware payloads, could be used by other ransomware crews looking to stay off the radar of security vendors and law enforcement.

“As detection of ransomware intrusions improves at the early pre-ransomware stages, we expect the threat actors will continue to adapt, to stay ahead of the detection curve, and increase pace to deploy ransomware faster after an initial intrusion,” McLellan said.