Sabbath hackers are targeting US schools and hospitals
The rebranded hacking group is demanding multi-million-dollar ransom payments, according to Mandiant


Security researchers have warned that a group of hackers have rebranded themselves to avoid scrutiny while mounting ransomware attacks against schools, hospitals, and other critical infrastructure organizations in the US and Canada.
The gang, now known as Sabbath, first became known in October 2021 when the group publicly shamed and extorted a US school district on Reddit and from the now-suspended Twitter account @54BB47h.
According to a blog post, security researchers at Mandiant said that in this extortion attempt, hackers demanded a multi-million-dollar ransom payments after deploying ransomware. Media reports indicated that the group took the unusually aggressive step of emailing staff, parents and even students directly to further apply public pressure on the school district.
Mandiant said the hackers used public data leaks to extort the victims to pay ransom demands as well as a public shaming blog. They added that the new Sabbath public shaming web portal and blog first published in October 2021 is identical to that of Arcane from June 2021.
“This included the same text content, and minor changes to the name, color scheme, and logo. The threat actor kept consistent grammatical errors in their updated web forums,” researchers said.
There were also a few technical changes made to the affiliate model used to carry out the attacks between the rebranding from Arcane to Sabbath. Infrastructure from both ransomware affiliate services remained unchanged.
RELATED RESOURCE
The best defence against ransomware
How ransomware is evolving and how to defend against it
Researchers said that the hackers have targeted critical infrastructure including education, health, and natural resources in the US and Canada since June 2021.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“The targeting of critical infrastructure by ransomware groups has become increasingly concerning as evidenced by governments moving to target ransomware actors as national security level threats with particular attention to groups that target and disrupt critical infrastructure,” Mandiant said.
While Sabbath is a lesser-known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding have allowed it to avoid much public scrutiny. Researchers said that ransomware data theft operations affecting healthcare have increased from January 2020 to June 2021, despite some groups claiming they would avoid targeting hospitals.
Researchers observed two occasions where the ransomware operator provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads.
“While the use of BEACON is common practice in ransomware intrusions, the use of a ransom affiliate program operator provided BEACON is unusual and offers both a challenge for attribution efforts while also offering additional avenues for detection,” they added.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
AWS CEO Matt Garman just said what everyone is thinking about AI replacing software developers
News Junior developers aren’t going anywhere, according to AWS CEO Matt Garman
-
Workday snaps up AI-powered conversation recruitment platform, Paradox
News Workday will integrate Paradox’s AI-driven candidate experience agent to help deliver talent faster
-
Average ransom payment doubles in a single quarter
News Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new group
News The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victim
News In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackers
News Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransoms
News A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
News The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year