Sabbath is a ransomware family referenced in Microsoft reporting as one of the ransomware-as-a-service payloads deployed by the financially motivated threat actor Storm-0501. Microsoft reported Storm-0501 has been active since 2021 and initially deployed Sabbath ransomware in attacks against United States school districts and other education entities in 2021. Later reporting states Storm-0501 encrypted victim environments using multiple RaaS families, including Sabbath, Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo.
Based on the provided content, Sabbath is used for file encryption in victim environments as part of financially motivated extortion operations. The associated intrusion activity attributed to Storm-0501 includes exploitation of known vulnerabilities in public-facing services such as Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler "Citrix Bleed" (CVE-2023-4966), and Adobe ColdFusion 2016 vulnerabilities (CVE-2023-29300 or CVE-2023-38203); credential theft via brute force, Impacket SecretsDump/DCSync, and KeePass theft; lateral movement with tools such as Evil-WinRM, PowerShell, Cobalt Strike, and RMM software; and exfiltration to MEGA/MegaSync or attacker infrastructure using AzCopy and Rclone. The actor also deletes snapshots, restore points, storage accounts, and backup services to inhibit recovery, and conducts double extortion by stealing data and threatening publication if payment is refused.
Targeting associated with Storm-0501 in the supplied content includes education entities, U.S. government, manufacturing, transportation, law enforcement, healthcare, and hybrid on-premises/Entra ID/Azure environments. High-confidence indicators and artifacts in the content are tied primarily to Storm-0501 operations rather than uniquely to Sabbath itself, including use of a self-signed TLS certificate named "Microsoft IT TLS CA 5" and masqueraded Rclone binaries named svhost.exe and scvhost.exe.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware...
1 distinct technique documented for this family, organized by ATT&CK tactic.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware payload used by Storm-0501 in earlier operations (notably 2021) to encrypt victim systems as part of extortion activity.
Ransomware used by Storm-0501 earlier in its activity, including targeting education entities.
RaaS ransomware referenced as used by Storm-0501 (no further details provided).
Ransomware used by Storm-0501 to encrypt victim files as part of RaaS operations.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.