Disclosure context

About Sabbath

Sabbath is a relatively obscure ransomware group that emerged in November 2021, operating with apparent financial motivations and targeting a limited number of victims across telecommunications and education sectors. The group's origin and affiliations remain largely undocumented in public threat intelligence reporting, with no confirmed details about their operational structure or whether they operate as an independent entity or part of a broader ransomware-as-a-service ecosystem. With only 17 known victims primarily concentrated in the United States and United Kingdom, Sabbath appears to focus on telecommunications and education sectors, though specific details about their initial access vectors, encryption methods, or use of double extortion tactics have not been extensively documented by major security firms or government agencies. The group has not been associated with any widely publicized high-profile attacks or significant law enforcement actions, suggesting a lower operational profile compared to major ransomware families. Current intelligence indicates limited visibility into Sabbath's ongoing activities, with insufficient public documentation to definitively assess whether the group remains active, has ceased operations, or has undergone rebranding. The group has been linked to 17 public disclosures across our corpus. First observed on a leak site on November 22, 2021; most recent post February 28, 2022. The operation is currently inactive.

Timeline of this disclosure

January 4, 2022Summit College listed by Sabbathon the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Education sector, which has 694 disclosures indexed across all operators we track.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.

Ransomware victim disclosure

← All victims

Summit College

Claimed by Sabbath · listed 4 years ago

53m

Age

since listed · data leaked

Status timeline

Listed
Jan 4, 2022
Data leaked

At a glance

Group: Sabbath
Status: Data leaked
Sector: Education
Listed on leak site: Jan 4, 2022

Source

Indexed 4 years ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.