Executive Summary

• CloudSEK’s Threat Intelligence Research team analyzed the profile of the ransomware group named 54bb47h (Sabbath).
• This group doesn’t have an online presence apart from an exclusively owned Onion site, where they post their activities/ updates.
• Although the group has not highlighted any official breaches on their website, a forum user claims to have paid the group for decryption.
• CloudSEK’s Threat Intelligence team conducted further research to analyse the group’s operations and TTPs.

Detailed Analysis

• 54bb47h is a newly emerged ransomware group that maintains a presence on the dark web. The name of the group, which is in leetspeak, translates to Sabbath.
• The group’s Onion website doesn’t mention any data breaches that 54bb47h may have carried out.

• 54bb47h has garnered attention on Twitter where users suggest that the name of the group, Sabbath, could hint at the group’s origin. In Abrahamic religions the word Sabbath means “a day kept aside for worship.”
• The ransomware group has been swamped with criticism for allowing ‘negotiations’ and ‘discounts’ to their victims. They are also offering part of the data for free, and the rest of it for sale on the ‘Blog’ section of their website.
• Bleeping Computers’s discussion forum mentions the details of the ransomware, including a hash function which could be an IOC of the group.

• On the forum, a user mentions that they had paid the ransomware group for decryption, indicating that the group may have breached an entity. 

• Additionally, Twitter derives some similarities between 54bb47h and Midas ransomware groups based on their ransom notes. The two groups also surfaced on the web in the same week. However, Midas has a significant list of victims.

 Appendix