
A new ransomware group called Sabbath (aka UNC2190) has been targeting critical infrastructure in the United States and Canada. The group is a rebrand of the Arcane and Eruption gangs, which were observed last year deploying the ROLLCOAST ransomware. Security researchers noticed a post on the exploit.in hacking forum seeking affiliates for a new ransomware operation, named 54BB47h (Sabbath), that targets infrastructure in the United States and Canada.
Sabbath operators provided their affiliates with pre-configured Cobalt Strike BEACON backdoor payloads.

On two occasions the ransomware operator was observed providing its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. Use of BEACON is common practice in ransomware intrusions, but BEACON payloads supplied by the affiliate program's operator are unusual: they complicate attribution efforts while also offering additional avenues for detection.
The ROLLCOAST ransomware runs in memory and checks the system language to avoid infecting systems in Russia and other Commonwealth of Independent States member countries. ROLLCOAST also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap in the ignored directories, files, and extensions, including the ignored extension “.lolz”.
“UNC2190 is a lesser-known and potentially a smaller ransomware affiliate group and has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering. This highlights how well-known tools, such as BEACON, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.”
Indicators Of Compromise

