Sabbath Ransomware Targeting Healthcare, Mandiant Warns
Sabbath ransomware, previously operating as Arcane and Eruption, has been targeting healthcare and critical infrastructure, Mandiant warned.
Mandiant researchers warned of the Sabbath ransomware affiliate program, whose operator has been targeting critical infrastructure, education, and healthcare. Researchers found that the group is likely tied to earlier ransomware activity under the names Arcane and Eruption.
Threat actors posted on exploit.in in September 2021 seeking partners for a new affiliate ransomware program, Mandiant discovered. In June 2021, UNC2190, operating as Arcane and Sabbath, targeted critical infrastructure in the US and Canada. Sabbath, sometimes known as 54BB47h, created a shaming site and blog by October 21, 2021.
“In contrast with most other affiliate programs, Mandiant observed two occasions where the ransomware operator provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads,” Mandiant’s report explained.
“While the use of BEACON is common practice in ransomware intrusions, the use of a ransom affiliate program operator-provided BEACON is unusual and offers both a challenge for attribution efforts while also offering additional avenues for detection.”
Many threat actors shy away from targeting critical infrastructure because it brings a lot of public and government attention to their work. However, ransomware groups are increasingly targeting healthcare, education, and other critical entities, even though international governments have devoted their attention and resources toward stopping them.
“Sabbath first came to light in October 2021 when the group publicly shamed and extorted a US school district on Reddit and from a now suspended Twitter account, @54BB47h,” the report stated.
“During this recent extortion, the threat actor demanded a multi-million-dollar payment after deploying ransomware. Media reporting indicated that the group took the unusually aggressive step of emailing staff, parents and even students directly to further apply public pressure on the school district.”
Sabbath has proved to be no exception to the increasingly bold actions committed by major ransomware groups. Healthcare entities should remain vigilant and watch for suspicious network activity.
“UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,” the report continued.
“This highlights how well-known tools, such as BEACON, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.”
In October, Mandiant released a report outlining the origins and practices of FIN12, a ransomware group that specializes in healthcare cyberattacks. Almost 20 percent of the FIN12 ransomware group’s victims were in the healthcare sector, researchers found.
The Health Sector Cybersecurity Coordination Center (HC3) released a threat brief in December outlining risks and mitigation tactics against FIN12.
According to Jeremy Kennelly, senior manager and principal analyst at Mandiant, FIN12 is dangerous for three reasons: they operate with extreme speed, they are unpredictable, and they continue to target healthcare even in the face of backlash.
“FIN12, over the course of their operations, has always targeted healthcare organizations. We have seen no change proportionally, even in the face of a pandemic or in the face of broad public backlash over ransomware operations,” Kennelly explained to HealthITSecurity in a previous interview.
“The mere fact of systems being unavailable causes huge disruption to these organizations. And thus, there is probably a perception amongst these actors that despite the bad look of targeting a healthcare organization, a healthcare organization is going to have a stronger argument to potentially pay a ransom in order to get their system online.”