A small but potent ransomware campaign has been carrying out attacks, and these cyberattacks, for the most part, have gone undetected mainly because of their size and new methods.

Mandiant stated that the campaign labelled UNC2190 or “Sabbath,” launched in September and started the attack in October, has targeted several organizations. The attackers threaten to release the stolen data if their demand isn’t accepted by the organizations.  Mandiant reports that the Sabbath group has extorted one U.S. school district. 

The blog reports, “As with other ransomoperations, Sabbath is believed to operate largely on the ransomware-as-a-service model where the operators hire individual “affiliate” hackers to do the on-the-ground work of actually infiltrating networks and installing the ransomware.”

What makes the Sabbath ransomware operation perilous is that the group has been able to go undetected and the evasion comes from the improved tools it has deployed for attacks. One of the tools used for attack is Cobalt Strike Beacon remote control tool.

We’ve seen some of the larger groups like DarkSide and Babuk rebrand when public and government pressure was too great,” McLellan explained. “In the case of the smaller groups like Sabbath, it could be rebranded over much more mundane reasons such as a payment dispute between group members and a rebranding is an attempt to start fresh minus the problem group members.”

As detection of ransomware intrusions improves at the early pre-ransomware stages, we expect the threat actors will continue to adapt to stay ahead of the detection curve and increase the pace to deploy ransomware faster after an initial intrusion,” McLellan said.