Disappearing Backups May Be the First Sign of a Ransomware Attack

Some ransomware groups pretend to be nice guys. Sure, they are out to make money by stealing data from big companies and holding it for ransom, but they say they will not attack hospitals and critical infrastructure. Well, it’s far more likely that they chose this ‘humanitarian’ crime path not because of some misguided sense of morals but out of fear of walking into the crosshairs of government intelligence agencies.

Other ransomware groups don’t even pretend to have morals. This includes a group called, ironically, Sabbath. They actively target healthcare and infrastructure with ransomware attacks. Why? Because these are the sectors that are most likely to pay the ransom. It’s all about the money. As the Sabbath group mentions in their ransom note, “our main and only interest is money.” Well, at least they’re honest about it.

Sabbath has been around for a while, but it has operated under different names. This ransomware-as-a-service (RaaS) group was originally tracked as UNC2190 and has called itself Eruption and Arcane over the past year, probably in an effort to elude law enforcement. The Sabbath group gets its name from the extension it uses on its encrypted files, 54BB47h. Read as leetspeak, with 5 for S, 4 for A and 7 for T, it spells ‘Sabbath’.

Most of the time, there’s nothing new about the way Sabbath gets into a network in order to encrypt the data within it. It’s the usual spearphished employee whom the criminals trick into handing over their network login credentials. It’s what happens once Sabbath gets into the network that differentiates it from other ransomware attacks.

In the good ol’ days of ransomware, the criminals were happy just to get into a network and encrypt everything. They would then send a message to the victim saying that their network was encrypted and that they must pay in bitcoins to get the decryption key. Sometimes the victim got the key, sometimes they didn’t.

But some companies were reluctant to pay and, after all of their hard work, the criminals got nothing and those buying into the RaaS model (so-called affiliates) got nothing. Some companies had backups, so they didn’t care that their network was encrypted. It may have taken some time, but they could rebuild what they lost from backups and save themselves millions of dollars. Other companies simply couldn’t afford the ransom, so they hoped someone would find a decryption key. And, as ransomware attacks increased, more and more companies simply learned how to avoid becoming victims.

Unsatisfied with their original model, the ransomware criminals tried another angle. They would have their malware look through the breached network and target those files which contained sensitive data. Before encrypting these files, they would steal them. Later, they could use these files in extortion attempts. The criminals would give the victims a certain amount of time to pay the ransom. If they did not pay, the ransom could be increased and, what’s more, the criminals might publicly leak or sell some of the files. But the criminals were not without a heart: many claimed they were willing to negotiate or would even decrypt a few files as a show of good will. In fact, some ransomware groups let the victims choose which files they wanted decrypted. But if these displays of empathy went unnoticed, the criminals would go to the next step.

Those victims who did not respond would have themselves placed on a “Wall of Shame”. This means a company’s data would be leaked or auctioned off so that all sensitive information could be available to any other hacking group that saw benefits in it. Sabbath took this a step further. They contacted people whose data may be released and told them that they should put pressure on their company to pay the ransom, otherwise, they would personally be in trouble.

From the information given above, it would seem to be a good move for these groups to take out network backups as soon as they could. There are a number of ways they can do this. One is to get the credentials of a user who can access backups, sign in with those credentials, and begin sending the files in the backup folders back to the ransomware group’s servers. When completed, they can encrypt or destroy the backups and prepare to encrypt the rest of the network.

There are basically two ways for a large company to keep backups. They can pay for cloud storage or they can use their own dedicated network backup device. These are called Network Attached Storage (NAS) devices. They are relatively small, box-like units that can store many terabytes of data. One example of such a device is pictured below.

Sometimes these devices are only accessible while within the enterprise network but others can be open to the internet. Especially in these times of lockdowns and work-from-home options, more people need internet access to network storage. Sadly, this is exactly what ransomware groups are looking for. If they find a NAS device open to the internet, they will begin their attack on a company through the NAS device by exploiting known vulnerabilities in it. The network backups, in this case, will disappear or be inaccessible long before the actual ransomware attack begins. This is why backup problems need to be taken seriously.
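The two paragraphs above describe the attacker’s sequence (credentials, exfiltration, then deletion or encryption of the backups) and the defender’s symptom (backups that quietly disappear or stop before the ransomware runs). As an added example, not code from the original post, from Mandiant or from any backup vendor, here is a small Python check that compares what the backup schedule says should exist against what is actually present on the backup target and flags premature deletions, a stale latest backup, and mass deletion. The `Snapshot` record, the 30-day retention policy, the daily interval and the sample catalog are all assumptions constructed for the example; in practice the "present" list would come from the NAS or cloud bucket listing and the catalog from the backup software.

```python
"""Detect backups that disappear ahead of their retention schedule.

Added example (not from the original post). The catalog and the retention
policy are constructed assumptions; replace them with a listing from your
backup target and the schedule your backup software actually enforces.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed "now" so the sample data and its findings are reproducible.
NOW = datetime(2021, 11, 30, 12, 0)


@dataclass(frozen=True)
class Snapshot:
    name: str          # backup name as it appears on the NAS / bucket listing
    taken: datetime    # when the backup job completed
    retain_days: int   # policy: must not be deleted before taken + retain_days


def sample_catalog(now=NOW, days=7, retain_days=30):
    """Constructed sample: one daily snapshot for each of the last `days` days."""
    return [
        Snapshot(f"daily-{(now - timedelta(days=i)).date()}",
                 now - timedelta(days=i), retain_days)
        for i in range(days)
    ]


def expected_present(catalog, now):
    """Names of snapshots whose retention window has not yet expired."""
    return {s.name for s in catalog
            if s.taken + timedelta(days=s.retain_days) > now}


def audit_backups(catalog, present_names, now=NOW,
                  interval_hours=24, mass_threshold=0.5):
    """Compare the schedule (catalog) with the target listing (present_names).

    Returns a list of (finding, detail) tuples, in this order:
      PREMATURE_DELETION  a snapshot still inside retention is gone
      STALE / NO_BACKUPS  the newest surviving backup is older than one interval
      MASS_DELETION       at least `mass_threshold` of retained backups are gone
    Any PREMATURE_DELETION is worth an alert on its own: ransomware crews
    delete backups before they encrypt, so this can precede the attack.
    """
    findings = []
    should_exist = expected_present(catalog, now)
    present = set(present_names)
    missing = sorted(should_exist - present)
    findings.extend(("PREMATURE_DELETION", name) for name in missing)

    surviving = [s for s in catalog if s.name in present]
    if surviving:
        newest = max(s.taken for s in surviving)
        if now - newest > timedelta(hours=interval_hours):
            findings.append(("STALE", newest.isoformat()))
    else:
        findings.append(("NO_BACKUPS", ""))

    if should_exist and len(missing) / len(should_exist) >= mass_threshold:
        findings.append(("MASS_DELETION", f"{len(missing)}/{len(should_exist)}"))
    return findings


if __name__ == "__main__":
    catalog = sample_catalog()
    # Healthy: everything the schedule expects is on the target.
    print(audit_backups(catalog, [s.name for s in catalog]))
    # Attacker wiped all but the two newest snapshots before encrypting.
    print(audit_backups(catalog, [s.name for s in catalog[:2]]))
```

Run this on a schedule (or feed it the listing from your backup target after every job) and alert on any `PREMATURE_DELETION`; a legitimate retention sweep never removes a backup that is still inside its window, so that finding has very few benign explanations. `MASS_DELETION` and `STALE` cover the other two shapes of the same symptom: backups wiped in bulk, or backup jobs that have silently stopped succeeding.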

According to the Mandiant report on Sabbath, the group actively targets backups. However, in one of their most recent attacks, Sabbath seems to have exhibited even more skills. In an attack on an Italian regional healthcare provider, Regional Health Authority ASL Napoli 3 Sud, they claim to have encrypted 240 virtual machines on the network, some of which, no doubt, were used for backups. Because of the multiple connections this company has with healthcare providers throughout this region in Italy, massive amounts of data on patients and employees became available. The company has not admitted that it was attacked. All you will see on their site is a barely visible notice saying, “We apologize to users for any disruptions on our computer systems due to a claim that we are resolving in order to restore activities as soon as possible.” (translated from Italian) However, the Sabbath blog site, which is, oddly, on the open internet, gives ample evidence that they control the organization’s network.

But it goes even deeper than this. The attackers claim that they were able to circumvent the protection provided by Cortex XDR, the endpoint detection and response product sold by Palo Alto Networks. As the attackers note, “we can say that neither the IT team nor the IDS Cortex XDR coped with the task and were unable to successfully protect the network perimeter and internal resources.”

If this is true, and it seems it is, then this healthcare enterprise should ask Palo Alto Networks for its money back and use it to purchase some endpoint protection that works.

The criminals released 1.5GB of information when the company would not negotiate with them. The information was tested by Italian cybersecurity news site, Red Hot Cyber, and was found to contain reams of personal information as well as information on companies connected to this healthcare enterprise.

If you think that attacking a healthcare service is going too far, keep in mind that most of these criminal groups try to market themselves as pentesters. As Sabbath puts it in their ransom note,

 “Congratulations! I want to inform you that your company was randomly selected for auditing, and you did not pass it. All your servers are encrypted, as are your backups. Our encryption algorithms cannot be decrypted in the same way as your company’s data and infrastructure. However, do not be nervous, because you will restore all your infrastructure and data!”

Oh, I see. They did a pentest of your corporate network for free. Wow! What luck that they found vulnerabilities in your network! Now, they expect you to pay them for the free work they did.

Sabbath is probably a Russia-based group but with members, or affiliates, in other countries around the world. You can tell this by seeing which countries, or languages, they will not attack. Here is a list of these. If your country or the language of your network is found here, it is safe. It means that an affiliate is working in these countries and they do not want that affiliate to get into trouble.

Note that English is not on this list, meaning that countries like the UK, Canada, and the U.S. are more likely to be in danger of a Sabbath attack. Italian is also not on the list, which shows why ASL Napoli 3 Sud was attacked.

Sabbath may stay around with that name for a while longer before it renames itself. However, whatever it chooses to call itself, it is positioning itself as a threat to U.S. healthcare and infrastructure. Eventually, they will overreach and attack something that the intelligence community will find unacceptable as human lives may be involved. I’ll update this post if any changes occur.
