A new ransomware gang that calls itself “54BB47h” has been attacking critical infrastructure organizations in Canada and the U.S. since June, according to a new report from Mandiant.
However, it adds, threat researchers shouldn’t be fooled: It’s actually a group that dates back to 2020 which has operated under the names Eruption and Arcane. Mandiant designates it UNC2190 (the company classifies threat groups into several categories: UNC is short for unclassified; FIN groups are those whose motive is stealing financial information; APT groups are advanced persistent threat actors).
Mandiant believes the group has victimized at least 12 organizations in North America: seven in the United States, and at least two in Canada. Two more are suspected but not yet confirmed.
“UNC2190 blurs the line between operator and affiliate and operates more along the line of a loose temporary group,” Tyler McLellan, Mandiant’s principal analyst, said in an email. “The operator appears to control how and where the ransomware is deployed and the affiliate is providing the initial access and in exchange receives a cut of any ransom payment.”
The name changes “could be a technique used to continue their campaigns, while also putting up a front to misdirect or mislead who is carrying out their operations. This may help UNC2190 minimize the attention to their campaigns, while also having the larger payment success for their extortion attempts to a group with unknown intentions. It is unclear at this time as to why exactly this rebranding is done.”
For convenience, and because the name looks similar, Mandiant refers to “54BB47h” as Sabbath.
The gang began in July 2020 using the name Eruption. In June of this year the name Arcane was used on a new public shaming web portal and blog, while Sabbath emerged in September when Mandiant found a post on a dark website seeking partners for a new ransomware affiliate program. Mandiant says similarities in techniques lead it to conclude all three are run by the same gang.
The Sabbath ransomware shaming site and blog were created by Oct. 21st and were quickly noticed by security researchers, Mandiant said. Sabbath publicly shamed and extorted a U.S. school district on Reddit and from a now-suspended Twitter account, demanding a multi-million-dollar payment after deploying ransomware. When the school district refused to pay, the gang emailed parents and students to increase the pressure.
Unlike most affiliate programs, Sabbath has twice provided its affiliates with pre-configured Cobalt Strike beacon backdoor payloads. “While the use of beacon is common practice in ransomware intrusions, the use of a ransom affiliate program operator providing beacon is unusual and offers both a challenge for attribution efforts while also offering additional avenues for detection,” says the report.
It was through analyzing Sabbath’s infrastructure that Mandiant was able to see the link to Eruption and Arcane.
The history goes back to July 2020, according to Mandiant, when UNC2190 deployed a strain of ransomware researchers call Rollcoast. At that time the gang called itself Eruption. The malware is apparently highly stealthy. Mandiant hasn’t seen samples of UNC2190-deployed ransomware this year. In fact no samples of Rollcoast have ever been submitted to the VirusTotal site by defenders.
Rollcoast encrypts files on logical drives attached to a system. It’s a dynamic-link library (DLL) with no named exports. It uniquely had only one ordinal export, 0x01. “This suggested the sample was designed to avoid detection and be invoked within memory,” says the report, “possibly through beacons provided to affiliates. Incident responders working on similar intrusions should capture memory for analysis. Rollcoast was not written to disk during this intrusion and was only detected in memory by Mandiant.”
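The export trait described above can be checked on a DLL from disk or on a module carved from a memory capture. The following is an added example, not code from Mandiant's report: it reads the PE export directory with Python's `struct` module and flags images that export functions by ordinal only. The function names and the constructed sample image are assumptions made for illustration.

```python
import struct

def rva_to_offset(image, sec_table, n_sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for i in range(n_sections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, sec_table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError("export RVA is not inside any section")

def export_profile(image, mapped=False):
    """Return export counts. mapped=True: image was carved from memory, so RVA == offset."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]              # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    opt = pe + 24                                              # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)               # PE32+ or PE32
    n_dirs, exp_rva = struct.unpack_from("<II", image, dirs - 4)
    if n_dirs == 0 or exp_rva == 0:                            # no export directory
        return {"functions": 0, "names": 0, "base": None}
    off = exp_rva if mapped else rva_to_offset(image, opt + opt_size, n_sections, exp_rva)
    base, n_funcs, n_names = struct.unpack_from("<III", image, off + 16)
    return {"functions": n_funcs, "names": n_names, "base": base}

def ordinal_only(profile):
    """True when functions are exported but none has a name."""
    return profile["functions"] >= 1 and profile["names"] == 0

def build_sample(n_funcs, n_names, base=1, mapped=False):
    """Constructed test input: minimal PE32 headers, one section, an export directory."""
    img = bytearray(0x1100)
    exp_off = 0x1000 if mapped else 0x200                      # memory vs. file layout
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, 0x44, 0x14C, 1, 224, 0x2102)   # COFF header
    struct.pack_into("<H", img, 0x58, 0x10B)                   # PE32 magic
    struct.pack_into("<III", img, 0xB4, 16, 0x1000, 40)        # dir count, export RVA, size
    img[0x138:0x13E] = b".rdata"
    struct.pack_into("<IIII", img, 0x140, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<III", img, exp_off + 16, base, n_funcs, n_names)
    return bytes(img)

if __name__ == "__main__":
    for label, img in (("ordinal-only", build_sample(1, 0)), ("named", build_sample(3, 3))):
        profile = export_profile(img)
        print(label, profile, "FLAG" if ordinal_only(profile) else "ok")
```

Legitimate DLLs can also export by ordinal only, so a hit is a triage signal to weigh alongside other findings rather than a verdict.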
“Although UNC2190 is a lesser-known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding has allowed it to avoid much public scrutiny,” says the report. “UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering.” This highlights how well-known tools, such as the Cobalt Strike beacon, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups, the report adds.