Going undetected has numerous advantages, particularly for cybercriminals who are constantly on the run from law enforcement agencies. One ransomware group has been targeting hospitals and schools, as well as other critical infrastructure, while working to stay out of sight. Mandiant has released a new report documenting the group's activities.
Sabbath, a rebranded ransomware group that previously operated under the names Arcane and Eruption, has been targeting the healthcare, education, and natural resources sectors in Canada and the United States since June.
Wind of Sabbath was discovered by researchers in October after it held a Texas school district's data for ransom, issuing its ransom demand on Reddit.
To pressure the school into paying the ransom, the gang used aggressive tactics, sending emails to staff, students, and parents.
The threat actors picked up the pace in November, adding six victims to their public extortion website in only a couple of days.
Working Mechanism
Sabbath has managed to stay under the radar through constant rebranding and by choosing lower-value targets that attract less attention.
It employs a sophisticated extortion model in which the ransomware deployment is limited in scope, stolen data is used as leverage, and backups are destroyed.
The ransomware gang not only distributes the malware payload but also provides its affiliates with a beacon for delivering it. This tactic makes it difficult to attribute an attack to the group itself or to a particular affiliate.
To evade detection, the group's beacon malware has been packed with Themida since July.
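Packing a beacon with a commercial protector such as Themida is meant to defeat signature-based detection, but it leaves generic, packer-agnostic traces that defenders can triage for: sections whose name advertises the packer, and sections whose bytes are near-maximum entropy because the real payload is stored compressed or encrypted. The following is an added, illustrative defender-side check written for this article; it is not code from the Mandiant report or from the group's tooling. It parses the PE section table with the Python standard library only and flags both indicators. The packer section names (".themida", "UPX0", "UPX1") are a heuristic watch-list, the 7.0 bits/byte threshold is an assumption, and the sample PE stubs are constructed in the block (they are not loadable executables, just headers plus a section table and raw data) so the scanner can run offline.

```python
"""Heuristic packer triage for PE files (added example, standard library only)."""
import hashlib
import math
import struct

# Section names commonly left behind by packers (assumption: extend from your own corpus).
PACKER_SECTION_NAMES = {b".themida", b"UPX0", b"UPX1"}
HIGH_ENTROPY_BITS = 7.0  # bits per byte; ordinary code and data sit well below this (assumption)
MIN_SECTION_BYTES = 512  # ignore tiny sections, whose entropy estimate is unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                        # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section headers follow the optional header
    for i in range(num_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]         # each section header is 40 bytes
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr: raw_ptr + raw_size]


def scan_pe(pe: bytes) -> list:
    """Return one finding per section: its name, entropy and the reasons it was flagged."""
    findings = []
    for name, raw in parse_sections(pe):
        entropy = shannon_entropy(raw)
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("packer section name")
        if len(raw) >= MIN_SECTION_BYTES and entropy >= HIGH_ENTROPY_BITS:
            reasons.append("high entropy")
        findings.append({"section": name.decode("ascii", "replace"),
                         "entropy": round(entropy, 2), "reasons": reasons})
    return findings


def is_suspicious(findings: list) -> bool:
    """True if any section carried at least one packer indicator."""
    return any(f["reasons"] for f in findings)


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE stub (DOS header, PE signature, COFF header with no optional
    header, section table, raw data). Enough for the scanner; not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    offset = e_lfanew + 4 + 20 + 40 * len(sections)            # raw data starts after the headers
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0,
                             len(data), offset, 0, 0, 0, 0, 0x60000020)
        blobs += data
        offset += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed/encrypted payload."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:n]


# Constructed samples: a plain binary and one with a Themida-style high-entropy section.
LOW_ENTROPY_CODE = bytes(range(16)) * 256        # 4 KiB over 16 symbols: exactly 4.0 bits/byte
HIGH_ENTROPY_BLOB = pseudo_random_bytes(4096)    # close to 8.0 bits/byte
PLAIN_SAMPLE = build_sample_pe([(b".text", LOW_ENTROPY_CODE)])
PACKED_SAMPLE = build_sample_pe([(b".text", LOW_ENTROPY_CODE), (b".themida", HIGH_ENTROPY_BLOB)])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, "suspicious" if is_suspicious(scan_pe(sample)) else "clean", scan_pe(sample))
```

Entropy alone is not proof of packing (legitimately compressed resources and signed installers score high too), so in practice a hit should route the file to sandboxing or unpacking rather than block on its own; the value of the check is that it is indifferent to which protector was used, which is exactly what a rebranding group relying on packed payloads is counting on defenders not having.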
Conclusion
While the ransomware group has not yet established itself as a major player, experts believe it has the potential to influence the ransomware ecosystem. Other ransomware gangs could adopt Sabbath's practices, particularly its use of modified payloads, to avoid detection.
Cybercriminals have long targeted the education, healthcare, and critical infrastructure sectors, especially since the pandemic began. While ransomware detection has improved recently with the introduction of proactive, robust cyber defense solutions, researchers believe that threat actors will evolve to stay ahead of the curve and increase the rate at which ransomware is deployed.