Skip to content
Ransomware group

Sabbath

Sabbath is a ransomware family referenced in Microsoft reporting as one of the ransomware-as-a-service payloads deployed by the financially motivated threat actor Storm-0501.

Profile source: Mallory opens in a new tab

Sabbath

Family profile

Sabbath is a ransomware family referenced in Microsoft reporting as one of the ransomware-as-a-service payloads deployed by the financially motivated threat actor Storm-0501. Microsoft reported Storm-0501 has been active since 2021 and initially deployed Sabbath ransomware in attacks against United States school districts and other education entities in 2021. Later reporting states Storm-0501 encrypted victim environments using multiple RaaS families, including Sabbath, Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo.

Based on the provided content, Sabbath is used for file encryption in victim environments as part of financially motivated extortion operations. The associated intrusion activity attributed to Storm-0501 includes exploitation of known vulnerabilities in public-facing services such as Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler "Citrix Bleed" (CVE-2023-4966), and Adobe ColdFusion 2016 vulnerabilities (CVE-2023-29300 or CVE-2023-38203); credential theft via brute force, Impacket SecretsDump/DCSync, and KeePass theft; lateral movement with tools such as Evil-WinRM, PowerShell, Cobalt Strike, and RMM software; and exfiltration to MEGA/MegaSync or attacker infrastructure using AzCopy and Rclone. The actor also deletes snapshots, restore points, storage accounts, and backup services to inhibit recovery, and conducts double extortion by stealing data and threatening publication if payment is refused.

Targeting associated with Storm-0501 in the supplied content includes education entities, U.S. government, manufacturing, transportation, law enforcement, healthcare, and hybrid on-premises/Entra ID/Azure environments. High-confidence indicators and artifacts in the content are tied primarily to Storm-0501 operations rather than uniquely to Sabbath itself, including use of a self-signed TLS certificate named "Microsoft IT TLS CA 5" and masqueraded Rclone binaries named svhost.exe and scvhost.exe.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
Storm-0501

Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware...

MITRE ATT&CK

Sabbath in ATT&CK

1 distinct techniques

Reporting

Research mentioning Sabbath

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.