Ransomware Group Rebrands Multiple Times to Evade Detection

A mid-sized ransomware group known for targeting healthcare and education sector organizations has repeatedly rebranded over the past year to avoid scrutiny, according to Mandiant.

The “54BB47h” (Sabbath) group first appeared on the radar in September when it advertised for affiliate partners, the threat intelligence firm said.

Unusually for a ransomware group, it provides these affiliates with their own pre-configured Cobalt Strike Beacon backdoor payloads. While this posed a challenge for Mandiant’s attribution efforts, it also offered a starting point for its investigation.

“Mandiant Advanced Practices began proactively identifying similar Beacon infrastructure across past Mandiant Consulting engagements, Advanced Practices external adversary discovery programs, and commercially available malware repositories,” it explained.

“Through this analysis, Advanced Practices linked the new Sabbath group to ransom activity under previously used names including Arcane and Eruption.”

Further investigation revealed that the Sabbath public disclosure/extortion blog was virtually identical to one associated with Arcane, right down to the same grammatical errors. Affiliate Beacon samples and infrastructure also remained unchanged after the rebrand.

Sabbath, Arcane and Eruption were traced to threat group UNC2190, which “uses a multifaceted extortion model where ransomware deployment may be quite limited in scope, bulk data is stolen as leverage, and the threat actor actively attempts to destroy backups.”

The group has in the past even emailed staff, students and parents of a US school district it targeted in order to force a payment.

Interestingly, the system languages the code checks for to avoid infecting victims in certain countries include not only those of former Soviet states but also Swedish, Thai, Turkish, Urdu, Indonesian, Vietnamese and Yiddish.

This seems to indicate that the ransomware operators are going to extreme lengths to avoid unwanted police attention.

“UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,” Mandiant concluded.

“This highlights how well-known tools, such as Beacon, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.”