Going under the radar has a lot of benefits; especially for cybercriminals who are always on the run from law enforcement. A ransomware group, keen on evading detection, has been attacking hospitals and schools, as well as other critical infrastructure. A new report, detailing the activities of this group, has been released by Mandiant.

What’s going on?

A ransomware group, formerly known as Arcane and Eruption, has rebranded as Sabbath and has been attacking healthcare, education, and natural resources organizations in Canada and the U.S. since June.
  • Researchers caught wind of Sabbath in October when it held the data of a Texas school district for ransom. Its ransom demand was made over Reddit. 
  • The gang took the aggressive road by emailing staff, students, and parents to coerce the school into paying the ransom.
  • In November, the actors picked up the pace and added six victims to their public extortion website within just a couple of days.

What’s unique?

  • Sabbath has been able to fly under the radar because of its continuous rebranding and less prominent targets. 
  • It uses a complex extortion model wherein ransomware deployment may be limited in scope, stolen data is used as leverage, and backups are destroyed. 
  • The ransomware gang not only provides the malware payload but also supplies its affiliates with a beacon to deliver it. This tactic can make it difficult to attribute an attack to the group or to a particular affiliate.
  • Since July, Sabbath's beacon malware has been packed with Themida to evade detection.

Why does this matter?

While the ransomware group has not become a top player in the threat landscape, experts believe that it is capable of influencing the ransomware ecosystem. Sabbath’s techniques, especially the use of modified payloads, can be picked up by other ransomware gangs looking to steer clear of detection. 

So, what’s the takeaway?

The education, healthcare, and critical infrastructure sectors have always been top targets for cybercriminals, especially since the start of the pandemic. While ransomware detection has improved lately with the advent of proactive, robust cyber defense solutions, researchers surmise that threat actors will evolve to stay ahead of the curve and increase the pace of ransomware deployment.

Cyware Publisher