Due to its small size and unique approaches, a small yet strong ransomware group has been executing attacks largely undiscovered.
According to Mandiant, the operation, named UNC2190 or "Sabbath," began in September and started attacks in October. Since then, the gang claims to have infected several firms and has threatened to reveal the stolen data if their ransom demand is not met.
As per a Mandiant blog post, the Sabbath ransomware group has attacked and extorted at least one school system in the United States.
Sabbath, like other ransomware operations, is thought to depend heavily on the ransomware-as-a-service model, in which the operators engage individual "affiliate" hackers to execute the on-the-ground labour of infiltrating networks and installing the ransomware.
One of the risks posed by the Sabbath ransomware operation is that the group has managed to avoid detection owing to a number of variables. To begin, the organisation has altered its tools, including the including the Cobalt Strike Beacon remote control tool, to avoid detection.
The scale of the operation in comparison to other ransomware brands also helped keep the operations under the radar.
Sabbath, according to Mandiant, has its origins in a prior ransomware attack known as Arcane. Both are believed to be managed by the same UNC2190 group. However, unlike larger, more well-known ransomware groups, UNC2190's transition from Arcane to Sabbath was not quickly noticed.
While it's not uncommon for huge ransomware gangs to rebrand their activities, Tyler McLellan, a principal analyst at Mandiant and co-author of the blog post, told SearchSecurity that a tiny, relatively unknown team like Arcane doesn't generally alter its brand.
McLellan explained, "We've seen some of the larger groups like DarkSide and Babuk rebrand when public and government pressure was too great. In the case of the smaller groups like Sabbath, it could be rebranded over much more mundane reasons such as a payment dispute between group members and a rebranding is an attempt to start fresh minus the problem group members."
Sabbath may have some influence over the ransomware scene, even if it is not as large as DarkSide or Babuk. As per McLellan, some of Sabbath's approaches, notably their use of several customised malware payloads, might be exploited by other ransomware crews attempting to avoid detection by security providers and law authorities.
"As detection of ransomware intrusions improves at the early pre-ransomware stages, we expect the threat actors will continue to adapt to stay ahead of the detection curve and increase the pace to deploy ransomware faster after an initial intrusion," McLellan added.