Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Mandiant
Written by: Tyler McLellan, Brandan Schondorfer
In September 2021, Mandiant discovered a post on exploit.in seeking partners for a new ransomware affiliate program. By October 21, 2021, the 54BB47h (Sabbath) ransomware shaming site and blog were created and quickly became the talk of security researchers. In contrast with most other affiliate programs, Mandiant observed two occasions where the ransomware operator provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. While the use of BEACON is common practice in ransomware intrusions, a BEACON payload supplied by the affiliate program operator itself is unusual: it complicates attribution efforts while also offering additional avenues for detection.
Mandiant Advanced Practices began proactively identifying similar BEACON infrastructure across past Mandiant Consulting engagements, the Advanced Practices external adversary discovery program, and commercially available malware repositories. Through this analysis, Advanced Practices linked the new Sabbath group to ransom activity under previously used names including Arcane and Eruption.
UNC2190, operating as Arcane and Sabbath, has targeted critical infrastructure including education, health, and natural resources in the United States and Canada since June 2021. The targeting of critical infrastructure by ransomware groups has become increasingly concerning as evidenced by governments moving to target ransomware actors as national security level threats with particular attention to groups that target and disrupt critical infrastructure.
Stealthy Ransomware
In July 2020, UNC2190 deployed ROLLCOAST ransomware while branded as Eruption. Mandiant has not observed samples of UNC2190-deployed ransomware in 2021 and no samples of ROLLCOAST have ever been submitted to VirusTotal. In the following sections, some of the technical reasons why UNC2190’s ransomware has evaded capture and discovery will be discussed.
Next Level Extortion and ‘Backup Killers’
Sabbath first came to light in October 2021 when the group publicly shamed and extorted a US school district on Reddit and from a now suspended Twitter account, @54BB47h. During this recent extortion, the threat actor demanded a multi-million-dollar payment after deploying ransomware. Media reporting indicated that the group took the unusually aggressive step of emailing staff, parents and even students directly to further apply public pressure on the school district.
@54BB47h on Twitter
UNC2190 uses a multifaceted extortion model where ransomware deployment may be quite limited in scope, bulk data is stolen as leverage, and the threat actor actively attempts to destroy backups.
Ransom note example
The threat actor has utilized public data leaks to extort the victims to pay ransom demands. While Sabbath operates a public shaming blog, Mandiant only observed victims being publicly extorted beginning in mid-November 2021, where 6 victims were added over the span of two days. Previously under the Arcane brand, Mandiant observed three victims publicly extorted in June 2021.
Source: Reddit SecOpsDaily
Arcane Rebranded
Mandiant discovered that the new Sabbath public shaming web portal and blog first published in October 2021 is nearly identical to that of Arcane from June 2021. This included the same text content, and minor changes to the name, color scheme, and logo. The threat actor kept consistent grammatical errors in their updated web forums.
Sabbath 54bb47h5qu4k7l4d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion Website October 2021
thearcane.top website June 2021
Behind the scenes, few technical changes were made to the affiliate model used to carry out the attacks between the rebranding from Arcane to Sabbath. BEACON samples and infrastructure from both ransomware affiliate services remained unchanged. The malware sample PE compile times were identical on Themida-packed BEACON droppers used by the threat actor (such as md5 6bd1a3849bb9d5f9ac5b4f4049081334 and 38667bc3ad2dcef35a5f343a5073e3f2).
Hunting for UNC2190 BEACON Samples
Since July 2020, UNC2190 has utilized BEACON with unique Malleable profile elements, including:
- GET requests ending with kitten.gif, such as:
- hxxps://markettc.biz/gifs/ZsoCzxU-X-5D3ZhV2zzKgc8SHhygCYmWpBRCS_mRV_SZxyWaaSPw7FFtcZ66twQ_uTDp5EdlsmRa6K8GPtMVBnKOHhM6EgcnE4znZPiyXskZJXmHLSYAnkpLwhOrxyCoRkFthelDgVnuW7k3UVzDjEz3W4xuxSKBq2DuseaG-F0dob1M/kitten.gif
- POST variable “image_url”, points to a specific image hosted on popular Russian social media site VK: hxxps://sun9-23.userapi.com/G4JvdZDEfLdIPlNN1-JkMGQ2unf2KEIV54Om5g/abJ70jGHfVk.jpg
- User agent, such as: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
Mandiant discovered additional infrastructure similarities utilized by UNC2190 including:
- Actual IPs masked using a cloud service.
- Self-signed TLS certificate common name “Microsoft IT TLS CA 5”
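As an added example (not from Mandiant or the post), a small Python checker that applies the indicators listed above to HTTP/TLS metadata records. The pipe-delimited record format, the POST URL and the constructed kitten.gif path are assumptions; the user agent is treated as a weak signal because it is a genuine Chrome 80 string.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators from the post: GET URI ending in kitten.gif under /gifs/, the POST
# "image_url" value, the Chrome 80 user agent and the self-signed TLS CN.
KITTEN_GIF_RE = re.compile(r"^/gifs/[A-Za-z0-9_-]+/kitten\.gif$")
VK_IMAGE_URL = ("https://sun9-23.userapi.com/"
                "G4JvdZDEfLdIPlNN1-JkMGQ2unf2KEIV54Om5g/abJ70jGHfVk.jpg")
BEACON_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36")
TLS_CN = "Microsoft IT TLS CA 5"
# The user agent is a real Chrome 80 string, so on its own it is not worth an alert.
STRONG = {"kitten_gif_uri", "image_url_vk", "tls_cn"}

def check_record(method, url, user_agent, body, tls_cn):
    """Return the names of the indicators matched by one HTTP/TLS metadata record."""
    hits = []
    if method == "GET" and KITTEN_GIF_RE.match(urlparse(url).path):
        hits.append("kitten_gif_uri")
    if method == "POST" and VK_IMAGE_URL in parse_qs(body).get("image_url", []):
        hits.append("image_url_vk")
    if user_agent == BEACON_UA:
        hits.append("beacon_user_agent")
    if tls_cn == TLS_CN:
        hits.append("tls_cn")
    return hits

def scan_log(lines):
    """Parse constructed 'method|url|user_agent|post_body|server_cert_cn' records and
    return (url, hits) for every record with at least one strong indicator."""
    alerts = []
    for line in lines:
        method, url, ua, body, cn = line.split("|")
        hits = check_record(method, url, ua, body, cn)
        if STRONG & set(hits):
            alerts.append((url, hits))
    return alerts

# Constructed sample records (assumed format), not real telemetry.
SAMPLE_LOG = [
    "GET|https://markettc.biz/gifs/AbCdEf-gH_ij/kitten.gif|" + BEACON_UA + "||" + TLS_CN,
    "POST|https://markettc.biz/gifs/upload|" + BEACON_UA
    + "|image_url=https%3A%2F%2Fsun9-23.userapi.com%2F"
      "G4JvdZDEfLdIPlNN1-JkMGQ2unf2KEIV54Om5g%2FabJ70jGHfVk.jpg|" + TLS_CN,
    "GET|https://www.example.com/index.html|" + BEACON_UA + "||",   # UA only: no alert
]

if __name__ == "__main__":
    for url, hits in scan_log(SAMPLE_LOG):
        print(url, hits)
```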
Evolving to Evade Antivirus Detection
In March 2021, Mandiant Consulting observed an intrusion for another tracked UNC group where antivirus had detected and blocked two attempts to load a BEACON payload which Mandiant attributes to UNC2190. Subsequently, a different tracked threat actor deployed different ransomware at this victim with more success. Starting July 6, 2021, Mandiant detected the use of Themida to pack UNC2190 BEACON malware and protect it from detection.
ROLLCOAST Ransomware Deep Dive
In July 2020, Mandiant first detected ROLLCOAST ransomware usage by UNC2190. ROLLCOAST is a ransomware program that encrypts files on logical drives attached to a system. ROLLCOAST is a Dynamic Link Library (DLL) with no named exports. When observed by Mandiant, it uniquely had a single export, ordinal 0x01. This suggested the sample was designed to avoid detection and be invoked within memory, possibly through the BEACON provided to affiliates. Incident responders working on similar intrusions should capture memory for analysis. ROLLCOAST was not written to disk during this intrusion and was only detected in memory by Mandiant.
The malware begins by checking the system language and exits if it detects a non-supported language code from the table below. Many other ransomware families have similar checks to avoid encrypting systems in Russia and other Commonwealth of Independent States member countries presumably to avoid attracting the attention of law enforcement in countries where the ransomware operator and affiliates are more likely to reside.
Language Exclusions
ROLLCOAST will exit if the system language matches one of the following:
Similarities to Tycoon
Mandiant compared elements of ROLLCOAST to elements of Tycoon ransomware and found some similarities:
- Both ransomware families encrypt files using AES in GCM mode
- Overlap between the ignored directories, files, and extensions including the ignored extension “.lolz”.
This suggests the developers modelled ROLLCOAST on, or copied elements from, Tycoon ransomware. ROLLCOAST and TYCOON differ in their overall implementations: TYCOON is a Java based ransomware whereas ROLLCOAST is not. In addition, there is functionality in the publicly reported TYCOON that ROLLCOAST does not appear to have (shell commands, backup tampering, firewall tampering, wmic).
ROLLCOAST Strings
FOUND DEVICE:
Start encryption of %s
[-] Failed to init dir traverse for: %s
Finished encryption of %s
Work out other countries. Don't be fool!
Hello from test.dll. Parameter is '%s'
Hello from test.dll. There is no parameter
Microsoft Primitive Provider
[-] AES FAILED 1: STATUS_NOT_FOUND
[-] AES FAILED 1: STATUS_INVALID_PARAMETER
[-] AES FAILED 1: STATUS_NO_MEMORY
[-] AES FAILED 1: UNDEFINED
ChainingModeGCM
ROLLCOAST Encrypted File Naming Convention
Files are encrypted and renamed to this format: .[].
Example encrypted file recovered from VirusTotal:
covid results from .pdf.[6EEC0F355072].54bb47h
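An added Python helper (not Mandiant's code) that parses names following this convention, using the recovered example above, and groups a constructed directory listing by the bracketed identifier so responders can scope which hosts share an ID. Treating the identifier as 12 hexadecimal characters is an assumption drawn from that single example.

```python
import re
from collections import defaultdict

# Convention seen in the recovered sample: <original name>.[<ID>].54bb47h
# Assumption: the ID is 12 hex characters, as in the single example on the page.
ROLLCOAST_NAME_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<victim_id>[0-9A-Fa-f]{12})\]\.54bb47h$")

def parse_encrypted_name(name):
    """Return (original_name, victim_id) if name follows the convention, else None."""
    m = ROLLCOAST_NAME_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id").upper()

def triage_listing(names):
    """Group encrypted files by ID and count their original extensions."""
    by_id = defaultdict(lambda: {"files": [], "extensions": defaultdict(int)})
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue                      # untouched file or unrelated name
        original, vid = parsed
        by_id[vid]["files"].append(original)
        ext = original.rsplit(".", 1)[1].lower() if "." in original else ""
        by_id[vid]["extensions"][ext] += 1
    return by_id

# Constructed directory listing; the first entry is the example from the page.
SAMPLE_LISTING = [
    "covid results from .pdf.[6EEC0F355072].54bb47h",
    "budget.xlsx.[6EEC0F355072].54bb47h",
    "notes.txt",
    "archive.tar.gz.[6EEC0F355072].54bb47h",
    "photo.jpg.[ABCDEF012345].54bb47h",
]

if __name__ == "__main__":
    for vid, info in triage_listing(SAMPLE_LISTING).items():
        print(vid, len(info["files"]), dict(info["extensions"]))
```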
Conclusion
Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding have allowed it to avoid much public scrutiny. In Mandiant’s 2021 Trends and 2022 Predictions report, ransomware data theft operations affecting healthcare are noted as having increased from January 2020 to June 2021, despite some groups claiming they would avoid targeting hospitals. UNC2190 has continued to operate over the past year while making only minor changes to its strategies and tooling, including the introduction of a commercial packer and the rebranding of its service offering. This highlights how well-known tools, such as BEACON, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.
Acknowledgements
With thanks to Joshua Shilko for analytical contributions; Barry Vengerik, Tufail Ahmed, Isif Ibrahima, Andrew Thompson, Jake Nicastro, Nick Richard, and Moritz Raabe for technical review; and all the Mandiant Researchers, Consultants, Advanced Practices External Collectors, and FLARE REs for support, research, and assistance in creating the content of this post.
MITRE ATT&CK
Mandiant has observed UNC2190 use the following techniques:
Yara Signatures
Note: FE_Hunting rules are designed to broadly capture suspicious files and are not designed to detect a particular malware or threat.
rule FE_Hunting_THEMIDA_strings_FEBeta
{
    meta:
        author = "Mandiant"
        date_created = "2021-10-26"
        date_modified = "2021-10-26"
        md5 = "7669f00b467e2990be182584b341c0e8"
        rev = 2
        sid = 415583
    strings:
        $themida = ".themida" nocase
    condition:
        uint16(0) == 0x5A4D and filesize < 20MB and (@themida[1] < 1024)
}
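To show what the rule's condition actually requires, here is an added pure-Python re-implementation of its logic (not Mandiant's code) run over constructed PE-like buffers. It assumes YARA's 20MB means 20 × 1024 × 1024 bytes and that @themida[1] is the offset of the first match.

```python
MZ_LITTLE_ENDIAN = 0x5A4D          # uint16(0) == 0x5A4D reads "MZ" as a little-endian word
MAX_FILESIZE = 20 * 1024 * 1024    # filesize < 20MB (YARA's MB is 1024 * 1024)
HEADER_WINDOW = 1024               # @themida[1] < 1024: first match within the first 1 KB

def themida_rule_matches(data: bytes) -> bool:
    """Mirror the condition of FE_Hunting_THEMIDA_strings_FEBeta over an in-memory file."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != MZ_LITTLE_ENDIAN:
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    first = data.lower().find(b".themida")   # "nocase": match regardless of case
    # Only the first occurrence counts, and it must sit inside the header window,
    # where PE section names live; a mention deep in a data section does not match.
    return first != -1 and first < HEADER_WINDOW

def build_sample(name_offset: int, total_size: int = 4096, magic: bytes = b"MZ") -> bytes:
    """Constructed PE-like buffer (not a real executable): magic bytes, zero padding,
    and the section name '.THEMIDA' placed at name_offset."""
    buf = bytearray(magic + b"\x00" * (total_size - len(magic)))
    name = b".THEMIDA"
    buf[name_offset:name_offset + len(name)] = name
    return bytes(buf)

if __name__ == "__main__":
    print(themida_rule_matches(build_sample(0x1F8)))                    # in header: True
    print(themida_rule_matches(build_sample(0x1000)))                   # too deep: False
    print(themida_rule_matches(build_sample(0x1F8, magic=b"\x7fELF")))  # not MZ: False
```

A file that merely mentions ".themida" in its body (a report, a text file) is therefore excluded by the offset bound, which is why the hunting rule stays broad yet avoids that class of false positives.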