The Sabbath ransomware affiliate group is continuing to rebrand itself while still launching relentless ransomware operations, according to new research from Mandiant.
Mandiant data shows how UNC2190, otherwise known as Sabbath/54BB47h and previously known as Arcane, continues to rebrand itself to avoid scrutiny while simultaneously launching ransomware operations against schools, hospitals, and other critical infrastructure organisations across the United States and Canada.
The research shows the group targeted a wine manufacturer in Belgium, and the team saw its malware samples being detected in India, Sweden, Germany, Mexico, and Japan, signalling that Sabbath's activity is likely global.
"The targeting of critical infrastructure by ransomware groups has become increasingly concerning, as evidenced by governments moving to target ransomware actors as national security level threats, with particular attention to groups that target and disrupt critical infrastructure," Mandiant says.
Mandiant's researchers uncovered Sabbath members seeking partners on the dark web in an attempt to create a new ransomware affiliate program, which Mandiant helped dismantle before it could succeed.
Sabbath first came to light in October 2021 when the group held a United States school's data for ransom and publicly shamed the school district via Reddit, demanding a multi-million-dollar payment.
During this recent extortion, the threat actor demanded a multi-million-dollar payment after deploying ransomware. Media reporting indicated that the group took the unusually aggressive step of emailing staff, parents and even students directly to further apply public pressure on the school district.
According to Tyler McLellan, principal analyst at Mandiant, the group is unfortunately not slowing down.
"They picked up their pace right into November 2021, when their public shaming portal mysteriously went offline," he says.
In contrast with most other affiliate programs, Mandiant observed two occasions on which the ransomware operator provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. Mandiant says that while the use of BEACON is common practice in ransomware intrusions, the use of a BEACON payload supplied by the affiliate program operator itself is unusual: it complicates attribution efforts, but it also offers additional avenues for detection.
The threat actor has used public data leaks to pressure victims into paying ransom demands. While Sabbath operates a public shaming blog, Mandiant only observed victims being publicly extorted beginning in mid-November 2021, when six victims were added over two days. Previously, under the Arcane brand, Mandiant observed three victims publicly extorted in June 2021.
"Although UNC2190 is a lesser-known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding has allowed it to avoid much public scrutiny," Mandiant says.
"UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering. This highlights how well-known tools, such as BEACON, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups."