Ransomware gang targeting schools, hospitals reinvents itself to avoid scrutiny

Sabbath appears to be a rebrand of Arcane.
A laptop displays a message after being infected by ransomware. (Rob Engelaar / ANP / AFP) / Netherlands OUT (Photo by ROB ENGELAAR/ANP/AFP via Getty Images)

An under-the-radar ransomware group that’s been attacking schools, hospitals and other critical infrastructure has tried to cover its tracks by rebranding, according to findings from researchers at Mandiant.

Sabbath, a rebrand of the ransomware group Arcane, “is unfortunately not slowing down” in its attacks, Tyler McLellan, principal analyst at Mandiant, said in a statement. “They picked up their pace right into November 2021, when its public shaming portal mysteriously went offline.”

Researchers first caught onto Sabbath in October, when it held the data of a Texas school district for school for ransom. Interestingly, the group turned to social media platform Reddit to make its ransom demand. Ransomware gangs often host their own websites where they shame victims and threaten to leak data.

Sabbath eventually launched its own victim site, which researchers found nearly identical to that of a formerly active group that went by the name Arcane. The two groups also shared infrastructure, according to a Mandiant blog post Monday.


In mid-November alone, the group added six victims to its public extortion website in the span of two days. It has been able to largely fly under the radar thanks to its constant rebranding and less-prominent victims, Mandiant researchers say.

Sabbath relies on the unusual technique of providing not just the malware payload, but also a beacon to deliver it, for its ransomware affiliates — that is, cybercriminals who pay to use a ransomware group’s infrastructure. While such a tactic can make it harder to pin down if the attack is coming from an affiliate or the group itself, it also makes it easier for researchers to detect potential threats by tracking down beacons with the same configuration.

Mandiant reported some of the group’s infrastructure to Sabbath’s cloud hosting provider, resulting in several domains they were using for command and control of the software being shut down, McLellan said.

The report highlights that while major ransomware groups have laid low in recent weeks, avoiding targets that might invoke the ire of the U.S. government, there’s been no shortage of attacks against small yet extremely important public institutions.

Based on public reports, there have been at least 12 ransomware attacks impacting 41 schools, Recorded Future’s Allan Liska noted on Twitter. That includes an attack forcing a Pennsylvania community college to shut down Monday. Cybercriminals also continue to aggressively target hospitals and healthcare facilities.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts