Thanks to its small size and unusual approaches, a compact yet efficient ransomware group has been running operations while remaining relatively undiscovered. The operation, tracked as UNC2190 or “Sabbath,” started in September and began attacks in October. Since then, the gang has infected many businesses and threatened to publish the stolen data if its ransom demands are not met. According to a Mandiant blog post, the Sabbath ransomware gang has targeted and extorted at least one school system in the United States.
Sabbath is thought to operate mainly on the ransomware-as-a-service model, in which the operators recruit individual “affiliate” hackers to do the hands-on work of actually penetrating networks and deploying the ransomware, much like other ransomware operations. The Sabbath ransomware operation is a threat partly because several factors have helped it avoid discovery. To evade detection, the gang has modified its tooling, including the Cobalt Strike Beacon remote-control tool.
The operation’s scale in comparison to other ransomware brands also helped keep the operations under the radar. Sabbath, according to Mandiant, has its origins in a prior ransomware attack known as Arcane. The UNC2190 group is assumed to be in charge of both. UNC2190’s switch from Arcane to Sabbath was not immediately noticed, unlike that of other, more well-known ransomware groups.
While it’s common for significant ransomware gangs to rename their operations, Tyler McLellan, a Mandiant lead analyst and co-author of the blog post, stated that a tiny, relatively unknown outfit like Arcane doesn’t usually do so.
Sabbath may still have some impact on the ransomware ecosystem, even if that impact is not significant. According to McLellan, some of Sabbath’s approaches, including its use of multiple customized malware payloads, might be adopted by other ransomware groups aiming to evade detection by security companies and law enforcement.