Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware...
Sabbath
Sabbath is a ransomware family referenced in Microsoft reporting as one of the ransomware-as-a-service payloads deployed by the financially motivated threat actor Storm-0501.
Profile source: Mallory opens in a new tabSabbath
Family profile
Sabbath is a ransomware family referenced in Microsoft reporting as one of the ransomware-as-a-service payloads deployed by the financially motivated threat actor Storm-0501. Microsoft reported Storm-0501 has been active since 2021 and initially deployed Sabbath ransomware in attacks against United States school districts and other education entities in 2021. Later reporting states Storm-0501 encrypted victim environments using multiple RaaS families, including Sabbath, Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo.
Based on the provided content, Sabbath is used for file encryption in victim environments as part of financially motivated extortion operations. The associated intrusion activity attributed to Storm-0501 includes exploitation of known vulnerabilities in public-facing services such as Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler "Citrix Bleed" (CVE-2023-4966), and Adobe ColdFusion 2016 vulnerabilities (CVE-2023-29300 or CVE-2023-38203); credential theft via brute force, Impacket SecretsDump/DCSync, and KeePass theft; lateral movement with tools such as Evil-WinRM, PowerShell, Cobalt Strike, and RMM software; and exfiltration to MEGA/MegaSync or attacker infrastructure using AzCopy and Rclone. The actor also deletes snapshots, restore points, storage accounts, and backup services to inhibit recovery, and conducts double extortion by stealing data and threatening publication if payment is refused.
Targeting associated with Storm-0501 in the supplied content includes education entities, U.S. government, manufacturing, transportation, law enforcement, healthcare, and hybrid on-premises/Entra ID/Azure environments. High-confidence indicators and artifacts in the content are tied primarily to Storm-0501 operations rather than uniquely to Sabbath itself, including use of a self-signed TLS certificate named "Microsoft IT TLS CA 5" and masqueraded Rclone binaries named svhost.exe and scvhost.exe.
Ransomware.live
Operational record
Reported operators
Threat actors
1 named in public reportingMITRE ATT&CK
Sabbath in ATT&CK
1 distinct techniquesTechniques
1 techniqueReporting
Research mentioning Sabbath
Storm-0501’s evolving techniques lead to cloud-based ransomware | Microsoft Security Blog
"The threat actor initially deployed Sabbath ransomware in an attack against United States school districts in 2021."
Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks
Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware...