Sabbath Ransomware!

Indicators Of Compromise


TheCyberThrone


A new ransomware group called Sabbath (aka UNC2190) has been targeting critical infrastructure in the United States and Canada. The group is a rebrand of the Arcane and Eruption gangs, which were observed last year deploying the ROLLCOAST ransomware. Security experts noticed a post on the exploit.in hacking forum looking for affiliates for a new ransomware operation. The new group operates under the name 54BB47h (Sabbath) and targets infrastructure in the United States and Canada.

Sabbath operators provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads.

On two occasions the ransomware operator has been observed providing its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. Use of BEACON is common practice in ransomware intrusions, but BEACON payloads supplied by the operator of a ransomware affiliate program are unusual: this complicates attribution efforts while also offering additional avenues for detection.

The ROLLCOAST ransomware runs in memory and checks the system…
