An under-the-radar ransomware group that’s been attacking schools, hospitals and other critical infrastructure has tried to cover its tracks by rebranding, according to findings from researchers at Mandiant.
Sabbath, a rebrand of the ransomware group Arcane, “is unfortunately not slowing down” in its attacks, Tyler McLellan, principal analyst at Mandiant, said in a statement. “They picked up their pace right into November 2021, when its public shaming portal mysteriously went offline.”
Researchers first caught onto Sabbath in October, when it held the data of a Texas school district for school for ransom. Interestingly, the group turned to social media platform Reddit to make its ransom demand. Ransomware gangs often host their own websites where they shame victims and threaten to leak data.
Sabbath eventually launched its own victim site, which researchers found nearly identical to that of a formerly active group that went by the name Arcane. The two groups also shared infrastructure, according to a Mandiant blog post Monday.
In mid-November alone, the group added six victims to its public extortion website in the span of two days. It has been able to largely fly under the radar thanks to its constant rebranding and less-prominent victims, Mandiant researchers say.
Sabbath relies on the unusual technique of providing not just the malware payload, but also a beacon to deliver it, for its ransomware affiliates — that is, cybercriminals who pay to use a ransomware group’s infrastructure. While such a tactic can make it harder to pin down if the attack is coming from an affiliate or the group itself, it also makes it easier for researchers to detect potential threats by tracking down beacons with the same configuration.
Mandiant reported some of the group’s infrastructure to Sabbath’s cloud hosting provider, resulting in several domains they were using for command and control of the software being shut down, McLellan said.
The report highlights that while major ransomware groups have laid low in recent weeks, avoiding targets that might invoke the ire of the U.S. government, there’s been no shortage of attacks against small yet extremely important public institutions.
Based on public reports, there have been at least 12 ransomware attacks impacting 41 schools, Recorded Future’s Allan Liska noted on Twitter. That includes an attack forcing a Pennsylvania community college to shut down Monday. Cybercriminals also continue to aggressively target hospitals and healthcare facilities.