All You Need To Know About Ransomware Group , 54bb47h (Sabbath)

Summary

CloudSEK’s Threat Intelligence Research team analyzed the profile of the ransomware group named 54bb47h (Sabbath)
Report Type Threat Actor Profiling
Research Subject 54bb47h Ransomware Group
TLP GREEN

Executive Summary

  • CloudSEK’s Threat Intelligence Research team analyzed the profile of the ransomware group named 54bb47h (Sabbath).
  • This group doesn’t have an online presence apart from an exclusively owned Onion site, where they post their activities/ updates.
  • Although the group has not highlighted any official breaches on their website, a forum user claims to have paid the group for decryption.
  • CloudSEK’s Threat Intelligence team conducted further research to analyse the group’s operations and TTPs.

Detailed Analysis

  • 54bb47h is a newly emerged ransomware group that maintains a presence on the dark web. The name of the group, which is in leetspeak, translates to Sabbath.
  • The group’s Onion website doesn’t mention any data breaches that 54bb47h may have carried out.
 54bb47h ransomware group’s onion site

54bb47h ransomware group’s onion site
  • 54bb47h has garnered attention on Twitter where users suggest that the name of the group, Sabbath, could hint at the group’s origin. In Abrahamic religions the word Sabbath means “a day kept aside for worship.”
  • The ransomware group has been swamped with criticism for allowing ‘negotiations’ and ‘discounts’ to their victims. They are also offering part of the data for free, and the rest of it for sale on the ‘Blog’ section of their website.
  • Bleeping Computers’s discussion forum mentions the details of the ransomware, including a hash function which could be an IOC of the group.
Encryption format: filename..54bb47h IOC shared: SHA1: f090df3655d510eb8584cecbfe6bbdeeeaf31297
  • On the forum, a user mentions that they had paid the ransomware group for decryption, indicating that the group may have breached an entity. 
user mention on Dark web post
  • Additionally, Twitter derives some similarities between 54bb47h and Midas ransomware groups based on their ransom notes. The two groups also surfaced on the web in the same week. However, Midas has a significant list of victims.

 Appendix

54bb47h (Sabbath) locking message
54bb47h (Sabbath) Login portal
54bb47h (Sabbath) Login portal

Table of Contents

Request an easy and customized demo for free