UNC2190 – Arcane and Sabbath
Industry: Critical Infrastructure, Education, Health & Natural Res. | Level: Strategic | Source: Mandiant
Mandiant’s latest research on ransomware affiliates focused on UNC2190, which operates as Arcane and Sabbath (potentially a rebranding to Sabbath). The threat group has been identified targeting critical infrastructure organizations in the United States and Canada, as well as the education, health, and natural resources sectors. The malware of interest, ROLLCOAST/Eruption, was observed to have infected or compromised companies and users. However, since that identification no sample of the code has surfaced; because VirusTotal is a source to which people consistently upload samples, not being able to obtain a copy of the ransomware for review for roughly 2 years now is itself notable. The group uses a multifaceted extortion model: it steals data in bulk and actively destroys backups, and victims are then threatened with data leaks unless they meet the ransom demands. Mandiant observed six victims being publicly extorted over the span of two days in mid-November.

On the tactical side, UNC2190 is known to use Cobalt Strike with a malleable profile; observed elements include GET requests ending in “kitten.gif” and the use of a signed TLS certificate for “Microsoft IT TLS CA 5.” Known elements of the ROLLCOAST ransomware are that it is a DLL file, it has only been detected in memory, and it conducts a language check, terminating if the system language matches one of 43 different languages.
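As an added illustration that is not part of the Mandiant report, the following Python checks constructed proxy/TLS log lines for the two Cobalt Strike profile traits described above (GET requests ending in “kitten.gif” and the “Microsoft IT TLS CA 5” issuer) and rates each source host; the log format, hosts and URLs are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not from the report), one record per line in the
# assumed format:  <timestamp> <src_ip> <method> <url> <status> issuer="<CN>"
SAMPLE_LOGS = [
    '2021-11-15T10:01:02Z 10.0.0.5 GET https://cdn.example.net/img/kitten.gif?v=3 200 issuer="Microsoft IT TLS CA 5"',
    '2021-11-15T10:01:05Z 10.0.0.5 POST https://cdn.example.net/submit.php 200 issuer="Microsoft IT TLS CA 5"',
    '2021-11-15T10:02:00Z 10.0.0.9 GET https://www.example.com/login 200 issuer="Example Root CA"',
    '2021-11-15T10:03:00Z 10.0.0.7 GET https://update.example.org/KITTEN.GIF 404 issuer="Example Root CA"',
    'this line is malformed and should be skipped',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) issuer="(?P<issuer>[^"]*)"$'
)

def parse_line(line):
    """Return the record's fields, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def indicators_for(rec):
    """Return the set of UNC2190 profile traits (from the report) that one record matches."""
    hits = set()
    path = urlsplit(rec["url"]).path  # ignore the query string when checking the suffix
    if rec["method"] == "GET" and path.lower().endswith("kitten.gif"):
        hits.add("uri_kitten_gif")
    if rec["issuer"] == "Microsoft IT TLS CA 5":
        hits.add("tls_issuer_ms_it_ca5")
    return hits

def detect(lines):
    """Aggregate matched traits per source host and rate each host that matched anything."""
    per_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_host[rec["src"]] |= indicators_for(rec)
    result = {}
    for src, hits in per_host.items():
        if hits:
            # Both profile traits on one host is a far stronger signal than either
            # alone; a CA name by itself is weak evidence and needs the URI match.
            severity = "high" if len(hits) == 2 else "low"
            result[src] = {"indicators": sorted(hits), "severity": severity}
    return result
```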