win.rollcoast

ROLLCOAST

aka: Sabbath, S4bb47h, Arcane

ROLLCOAST is a ransomware program that encrypts files on logical drives attached to a system. It is a Dynamic Link Library (DLL) with no named exports. When observed by Mandiant, it uniquely had only one export, by ordinal 0x01. This suggested the sample was designed to avoid detection and to be invoked in memory, possibly through BEACON provided to affiliates. Incident responders working on similar intrusions should capture memory for analysis.

References
2021-11-29 - Mandiant - Brandan Schondorfer, Tyler McLellan
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike ROLLCOAST

There is no YARA signature yet.