Critical infrastructure in the U.S. and Canada are being attacked by the new Sabbath ransomware gang, also known as UNC1290, since June, SecurityWeek reports.

Mandiant researchers discovered that Sabbath, which once operated as Arcane and Eruption, leveraged social media sites to launch a cyberextortion attack against a U.S. school district in October.

Sabbath ransomware operators have also been found to offer affiliates with pre-configured Cobalt Strike payloads and while its rebranding efforts have involved not only modifications in name, logo, color schemes, and affiliate model, its Cobalt Strike beacon samples and infrastructure have not been changed.

""Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, it’s smaller size and repeated rebranding has allowed it to avoid much public scrutiny. […] UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,"" said the report.