Upgraded Albabat ransomware can now target Mac and Linux OS

April 30, 2025

The latest versions of the Albabat ransomware reportedly allow threat actors to target multiple operating systems and streamline the operation of the campaign.

Recent reports show that the new version of the ransomware collects system and hardware details on Linux and macOS in addition to Microsoft Windows. Moreover, this version stores and delivers its configuration files via GitHub.

Researchers suspect that using GitHub allows the ransomware operators to streamline their attack process. In addition, they found indications that another Albabat strain is in development but has not yet circulated in the cybercriminal environment.

These discoveries show how ransomware tools and strategies are rapidly evolving to broaden and intensify attacks. Albabat, a ransomware family written in Rust that identifies and encrypts files, was first detected in November 2023.

The new Albabat ransomware strain targets specific files.

According to the investigation of the version 2.0 configuration, the ransomware encrypts only specific file types. The confirmed extensions include [.]themepack, [.]bat, [.]com, [.]cmd, and [.]cpl.

It ignores folders like Searches, AppData, $RECYCLE.BIN, and System Volume Information. The updated version also terminates processes, including taskmgr.exe, processhacker.exe, regedit.exe, code.exe, excel.exe, powerpnt.exe, winword.exe, and msaccess.exe.

This tactic likely serves two purposes: killing Task Manager, Process Hacker and regedit makes it harder for a user or analyst to spot and stop the ransomware or the security tools it interferes with, while killing the Office applications and VS Code releases the file handles those programs hold, so that open documents can be encrypted.
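The kill list above is a usable detection signal: a single process that terminates several of these programs within seconds is not normal user behaviour. The following is an added example written for this article, not code from the article or from the Albabat operators. The kill list is taken from the text; the telemetry format is a constructed, simplified stand-in for EDR or Sysmon process-terminate events (one JSON object per line, with a hypothetical schema) rather than any vendor's real log format.

```python
"""Flag processes that terminate several Albabat kill-list targets in a short window."""
import json
from collections import defaultdict

# Process names the article reports Albabat terminates before encrypting (lower-case).
ALBABAT_KILL_LIST = {
    "taskmgr.exe", "processhacker.exe", "regedit.exe", "code.exe",
    "excel.exe", "powerpnt.exe", "winword.exe", "msaccess.exe",
}

# Constructed sample telemetry (hypothetical schema, not a real product's output):
# ts = epoch seconds, actor = process that issued the terminate, target = process that died.
SAMPLE_EVENTS = r"""
{"ts": 1000, "host": "ws01", "actor_pid": 4120, "actor": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "target": "winword.exe"}
{"ts": 1001, "host": "ws01", "actor_pid": 4120, "actor": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "target": "EXCEL.EXE"}
{"ts": 1002, "host": "ws01", "actor_pid": 4120, "actor": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "target": "taskmgr.exe"}
{"ts": 1003, "host": "ws01", "actor_pid": 4120, "actor": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "target": "regedit.exe"}
{"ts": 1004, "host": "ws01", "actor_pid": 4120, "actor": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "target": "svchost.exe"}
{"ts": 2000, "host": "ws02", "actor_pid": 1188, "actor": "C:\\Windows\\explorer.exe", "target": "winword.exe"}
{"ts": 2400, "host": "ws02", "actor_pid": 1188, "actor": "C:\\Windows\\explorer.exe", "target": "excel.exe"}
{"ts": 3000, "host": "ws03", "actor_pid": 2210, "actor": "C:\\Windows\\System32\\taskmgr.exe", "target": "code.exe"}
"""


def flag_kill_sequences(lines, min_hits=3, window_s=10):
    """Return {(host, actor_pid, actor): sorted kill-list targets} for every actor
    that terminated at least `min_hits` distinct kill-list processes within any
    `window_s`-second window. Benign one-off terminations (a user closing Word,
    Task Manager ending one editor) fall below the threshold.
    """
    by_actor = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        target = ev["target"].lower()          # image names are case-insensitive on Windows
        if target in ALBABAT_KILL_LIST:
            key = (ev["host"], ev["actor_pid"], ev["actor"])
            by_actor[key].append((ev["ts"], target))

    alerts = {}
    for key, hits in by_actor.items():
        hits.sort()                            # time order for the sliding window
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window_s:
                lo += 1
            distinct_in_window = {t for _, t in hits[lo:hi + 1]}
            if len(distinct_in_window) >= min_hits:
                # Report the full set of kill-list targets this actor hit, not just the window.
                alerts[key] = sorted({t for _, t in hits})
                break
    return alerts


if __name__ == "__main__":
    for (host, pid, actor), targets in flag_kill_sequences(SAMPLE_EVENTS.splitlines()).items():
        print(f"{host}: pid {pid} ({actor}) terminated {', '.join(targets)}")
```

On real telemetry the same logic maps onto Sysmon Event ID 5 (process terminated) correlated with the terminating process, or onto an EDR's process-kill event; tune `min_hits` and `window_s` to the environment, and treat actors running from user-writable paths as higher priority.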

Furthermore, the researchers found that the ransomware uses a PostgreSQL database to track infections and payments. This bookkeeping allows the operators to issue ransom demands, monitor infections, and sell victims' data.

Notably, the configuration includes commands for Linux and macOS, indicating that binaries have been built for these platforms. The researchers also discovered that the GitHub repository billdev.github.io stores and distributes configuration files for the Albabat ransomware.

The GitHub page was created in February 2024, and the account is registered under the name "Bill Borguiann," which is most likely an alias or pseudonym. Although the repository is currently private, the ransomware still reaches it using a GitHub authentication token, which the researchers observed in Fiddler while proxying the malware's connection.
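A captured request like the one the researchers saw in Fiddler is itself a triage artifact: it reveals which repository and file the malware pulls, and the embedded token is an indicator worth extracting and redacting for reporting. The following is an added example written for this article, not code from the article, the researchers, or the Albabat operators. The HTTP capture is constructed to resemble what a proxy would show; the owner, repository, file name and token are placeholders, and the example also handles the raw.githubusercontent.com URL form, which the article does not mention.

```python
"""Extract repository, file and token details from a captured GitHub config-fetch request."""
import re
from urllib.parse import urlsplit

# Classic GitHub personal access tokens are "ghp_" plus 36 alphanumerics;
# fine-grained tokens are "github_pat_" plus 22 alphanumerics, "_", and 59 alphanumerics.
GITHUB_TOKEN_RE = re.compile(
    r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)

# Constructed capture (placeholder owner, repo, file and token; not real indicators).
SAMPLE_REQUEST = """GET /repos/example-owner/example-repo/contents/config.json HTTP/1.1
Host: api.github.com
Authorization: token ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Accept: application/vnd.github.v3.raw
User-Agent: example-agent/1.0
"""

# Second constructed capture: the raw-content host, which needs no API path.
SAMPLE_RAW_REQUEST = """GET /example-owner/example-repo/main/linux/config.json HTTP/1.1
Host: raw.githubusercontent.com
Authorization: Bearer github_pat_1234567890abcdefghijkl_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456
"""


def triage_request(raw):
    """Parse a raw HTTP request and return the GitHub owner/repo/file it fetches,
    the kind of token it carries, and a redacted form of that token."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()

    host = headers.get("host", "")
    path = urlsplit(target).path
    result = {"method": method, "host": host, "path": path,
              "owner": None, "repo": None, "file": None,
              "token_kind": None, "token_redacted": None}

    # REST API form: /repos/{owner}/{repo}/contents/{path}
    m = re.match(r"^/repos/([^/]+)/([^/]+)/contents/(.+)$", path)
    if host == "api.github.com" and m:
        result["owner"], result["repo"], result["file"] = m.groups()
    # Raw-content form: /{owner}/{repo}/{ref}/{path}
    m = re.match(r"^/([^/]+)/([^/]+)/[^/]+/(.+)$", path)
    if host == "raw.githubusercontent.com" and m:
        result["owner"], result["repo"], result["file"] = m.groups()

    t = GITHUB_TOKEN_RE.search(headers.get("authorization", ""))
    if t:
        tok = t.group(1)
        result["token_kind"] = "classic PAT" if tok.startswith("ghp_") else "fine-grained PAT"
        # Keep only enough of the token to correlate across captures without leaking it.
        result["token_redacted"] = tok[:8] + "..." + tok[-4:]
    return result


if __name__ == "__main__":
    for req in (SAMPLE_REQUEST, SAMPLE_RAW_REQUEST):
        r = triage_request(req)
        print(f"{r['owner']}/{r['repo']} -> {r['file']} using {r['token_kind']} {r['token_redacted']}")
```

The full token should be reported to GitHub for revocation rather than published; the repository path and the redacted prefix are enough for an indicator list.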

The repository's commit history shows that the ransomware is still under active development, with the user mostly updating the configuration code. The most recent commit occurred last month. This strain will therefore likely receive further updates that make it a more potent threat across multiple platforms.
