Ransomware Group Rebrands Multiple Times to Evade Detection

A mid-sized ransomware group known for targeting healthcare and education sector organizations has repeatedly rebranded over the past year to avoid scrutiny, according to Mandiant.

The “54BB47h” (Sabbath) group first appeared on the radar in September when it advertised for affiliate partners, the threat intelligence firm said.

Unusually for a ransomware group, it provides these affiliates with their own pre-configured Cobalt Strike Beacon backdoor payloads. While this posed a challenge for Mandiant’s attribution efforts, it also offered a starting point for its investigation.

“Mandiant Advanced Practices began proactively identifying similar Beacon infrastructure across past Mandiant Consulting engagements, Advanced Practices external adversary discovery programs, and commercially available malware repositories,” it explained.

“Through this analysis, Advanced Practices linked the new Sabbath group to ransom activity under previously used names including Arcane and Eruption.”

Further investigation revealed that the Sabbath public disclosure/extortion blog was virtually identical to one associated with Arcane, right down to the same grammatical errors. Affiliate Beacon samples and infrastructure also remained unchanged after the rebrand.

Sabbath, Arcane and Eruption were traced to threat group UNC2190, which “uses a multifaceted extortion model where ransomware deployment may be quite limited in scope, bulk data is

Read More: https://www.infosecurity-magazine.com/news/ransomware-rebrands-multiple-times/