IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Sabbath hackers are targeting US schools and hospitals

The rebranded hacking group is demanding multi-million-dollar ransom payments, according to Mandiant

Security researchers have warned that a group of hackers have rebranded themselves to avoid scrutiny while mounting ransomware attacks against schools, hospitals, and other critical infrastructure organizations in the US and Canada. 

The gang, now known as Sabbath, first became known in October 2021 when the group publicly shamed and extorted a US school district on Reddit and from the now-suspended Twitter account @54BB47h.

According to a blog post, security researchers at Mandiant said that in this extortion attempt, hackers demanded a multi-million-dollar ransom payments after deploying ransomware. Media reports indicated that the group took the unusually aggressive step of emailing staff, parents and even students directly to further apply public pressure on the school district.

Mandiant said the hackers used public data leaks to extort the victims to pay ransom demands as well as a public shaming blog. They added that the new Sabbath public shaming web portal and blog first published in October 2021 is identical to that of Arcane from June 2021. 

“This included the same text content, and minor changes to the name, color scheme, and logo. The threat actor kept consistent grammatical errors in their updated web forums,” researchers said.

There were also a few technical changes made to the affiliate model used to carry out the attacks between the rebranding from Arcane to Sabbath. Infrastructure from both ransomware affiliate services remained unchanged.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

Researchers said that the hackers have targeted critical infrastructure including education, health, and natural resources in the US and Canada since June 2021.

“The targeting of critical infrastructure by ransomware groups has become increasingly concerning as evidenced by governments moving to target ransomware actors as national security level threats with particular attention to groups that target and disrupt critical infrastructure,” Mandiant said.

While Sabbath is a lesser-known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding have allowed it to avoid much public scrutiny. Researchers said that ransomware data theft operations affecting healthcare have increased from January 2020 to June 2021, despite some groups claiming they would avoid targeting hospitals. 

Researchers observed two occasions where the ransomware operator provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads.

“While the use of BEACON is common practice in ransomware intrusions, the use of a ransom affiliate program operator provided BEACON is unusual and offers both a challenge for attribution efforts while also offering additional avenues for detection,” they added.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021
Almost 70% of CISOs expect a ransomware attack
ransomware

Almost 70% of CISOs expect a ransomware attack

19 Oct 2021

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Costa Rica declares state of emergency following Conti ransomware attack
ransomware

Costa Rica declares state of emergency following Conti ransomware attack

10 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022