Ransomware, Threat Management

US, Canadian critical infrastructure targeted by novel Sabbath ransomware


Critical infrastructure in the U.S. and Canada are being attacked by the new Sabbath ransomware gang, also known as UNC1290, since June, SecurityWeek reports.

Mandiant researchers discovered that Sabbath, which once operated as Arcane and Eruption, leveraged social media sites to launch a cyberextortion attack against a U.S. school district in October.

Sabbath ransomware operators have also been found to offer affiliates with pre-configured Cobalt Strike payloads and while its rebranding efforts have involved not only modifications in name, logo, color schemes, and affiliate model, its Cobalt Strike beacon samples and infrastructure have not been changed.

""Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, it’s smaller size and repeated rebranding has allowed it to avoid much public scrutiny. […] UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,"" said the report.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.