All You Need To Know About Ransomware Group 54bb47h (Sabbath)

CloudSEK’s Threat Intelligence Research team analyzed the profile of the ransomware group named 54bb47h (Sabbath)
Updated on: April 19, 2023
Published on: November 23, 2021
Report Type: Threat Actor Profiling
Research Subject: 54bb47h Ransomware Group

Executive Summary

  • CloudSEK’s Threat Intelligence Research team analyzed the profile of the ransomware group named 54bb47h (Sabbath).
  • This group doesn’t have an online presence apart from an exclusively owned Onion site, where they post their activities/updates.
  • Although the group has not highlighted any official breaches on their website, a forum user claims to have paid the group for decryption.
  • CloudSEK’s Threat Intelligence team conducted further research to analyse the group’s operations and TTPs.

Detailed Analysis

  • 54bb47h is a newly emerged ransomware group that maintains a presence on the dark web. The name of the group, which is in leetspeak, translates to Sabbath.
  • The group’s Onion website doesn’t mention any data breaches that 54bb47h may have carried out.
[Image: 54bb47h ransomware group’s onion site]
  • 54bb47h has garnered attention on Twitter where users suggest that the name of the group, Sabbath, could hint at the group’s origin. In Abrahamic religions the word Sabbath means “a day kept aside for worship.”
  • The ransomware group has been swamped with criticism for offering ‘negotiations’ and ‘discounts’ to its victims. The group is also offering part of the data for free, and the rest of it for sale, on the ‘Blog’ section of its website.
  • BleepingComputer’s discussion forum mentions the details of the ransomware, including a hash which could be an IOC of the group.
      Encryption format: filename.[alphabet characters].54bb47h
      IOC shared: SHA1: f090df3655d510eb8584cecbfe6bbdeeeaf31297
  • On the forum, a user mentions that they had paid the ransomware group for decryption, indicating that the group may have breached an entity.
[Image: user mention on dark web post]
  • Additionally, Twitter users point out some similarities between the 54bb47h and Midas ransomware groups based on their ransom notes. The two groups also surfaced on the web in the same week. However, Midas has a significant list of victims.


[Image: 54bb47h (Sabbath) locking message]
[Image: 54bb47h (Sabbath) login portal]
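
A defensive sweep built from the two indicators listed in the analysis, as an added example that is not part of CloudSEK’s report: it flags files renamed to the filename.[alphabet characters].54bb47h format and files whose SHA-1 matches the shared IOC. Reading [alphabet characters] as one or more ASCII letters and treating the SHA-1 as the hash of a file on disk are assumptions; the directory tree in `demo()` is constructed sample data.

```python
import hashlib
import os
import re
import tempfile

# SHA-1 indicator quoted on this page (shared on the discussion forum).
IOC_SHA1 = "f090df3655d510eb8584cecbfe6bbdeeeaf31297"
# Page gives the format as filename.[alphabet characters].54bb47h; treating the
# middle token as one or more ASCII letters is an assumption.
ENCRYPTED_NAME = re.compile(r"^.+\.[A-Za-z]+\.54bb47h$", re.IGNORECASE)


def sha1_of(path, chunk=1 << 20):
    """Stream a file through SHA-1 so large files do not load into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, ioc_sha1=IOC_SHA1):
    """Return (renamed_files, ioc_matches) found under root."""
    renamed, matches = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if ENCRYPTED_NAME.match(name):
                renamed.append(path)  # already encrypted: hashing adds nothing
                continue
            try:
                if sha1_of(path) == ioc_sha1.lower():
                    matches.append(path)
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
    return sorted(renamed), sorted(matches)


def demo():
    """Run the sweep over a constructed directory tree (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "share", "finance"))
        for rel in ("share/finance/q3.xlsx.abcdef.54bb47h", "share/notes.txt",
                    "share/readme.54bb47h"):  # last one lacks the letter token
            with open(os.path.join(root, *rel.split("/")), "wb") as handle:
                handle.write(b"constructed sample content")
        renamed, matches = sweep(root)
        return [os.path.basename(p) for p in renamed], matches
```

Renamed files indicate that encryption has already run on that host, while a SHA-1 match on an otherwise ordinary file is the earlier signal and is worth alerting on separately.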
