Sabbath ransomware evades security detections via modification tactics

January 13, 2022
Tags: Sabbath Ransomware, Security Evasion, UNC2190, Cobalt Strike Beacon, Ransomware as a Service

A new ransomware campaign dubbed ‘Sabbath’, attributed to the group tracked as UNC2190, is reportedly being run actively by threat actors and has remained undetected thanks to its attack tactics and its small size. Since the operation began its attacks in October, the Sabbath ransomware group has claimed to have infected multiple organisations and has threatened to leak all stolen data if victims do not agree to pay its ransom demands.

Upon analysis, Sabbath is observed to operate on a ransomware-as-a-service model. Under this model, the core threat actors hire other ‘affiliate’ hackers to carry out the work of infiltrating victims’ networks and deploying the ransomware.


The Sabbath ransomware campaign is considered dangerous because its operators took extra steps to evade detection by security tools and by the authorities.


By modifying its tooling, including the Cobalt Strike Beacon remote-control tool, Sabbath was able to sidestep several security checks and avoid exposure.

Another factor the threat group leverages to evade detection is the scale of its operation compared to other ransomware campaigns. Experts have traced Sabbath’s roots to an earlier ransomware campaign called Arcane; both were run by the UNC2190 group.

Because Arcane was a small-scale campaign, the operation was not immediately noticed within the cybercrime landscape. According to security analysts, it is unusual for relatively small threat groups and campaigns such as Arcane to rebrand; rebranding is more typical of larger operations such as DarkSide and Babuk.

For a small-scale campaign like Sabbath, rebranding can mean restarting operations with a clean slate, leaving behind whatever problems prompted the rebrand, such as payment disputes among members.

Nonetheless, despite being small compared to DarkSide or Babuk, experts still expect Sabbath to influence the ransomware landscape because of its attack techniques, including its use of modified malware payloads, which other ransomware groups may find useful for staying undetected by the authorities.

Authorities have been strengthening their ability to detect ransomware campaigns as early as the initial stages of an attack. In turn, ransomware threat actors adapt to the authorities that combat them by staying ahead of the game and introducing new techniques to deploy their campaigns successfully.
