Cybersecurity researchers at Trend Micro have uncovered new variants of the Albabat ransomware, designed to target multiple operating systems and optimize attack execution.
Albabat ransomware 2.0 now extends beyond Microsoft Windows, incorporating mechanisms to collect system data and streamline operations. This version leverages a GitHub account to store and distribute its configuration files.
Trend Micro researchers identified ongoing development efforts for another iteration, version 2.5, which has not yet been deployed in live attacks.
"This use of GitHub is designed to streamline operations," researchers stated, emphasizing the evolving nature of ransomware tactics.
Albabat, written in Rust, was first detected in November 2023. Being a compiled language with a performant standard library, Rust lets the malware enumerate and encrypt files quickly.
Trend Micro analysts examined the ransomware's functionality and found that it encrypts selectively: it targets files with extensions such as .themepack, .bat, .com, .cmd, and .cpl, and skips system folders such as Searches, AppData, $RECYCLE.BIN, and System Volume Information.
Before encrypting, version 2.0 terminates processes that could expose its activity or hold target files open, including taskmgr.exe, processhacker.exe, regedit.exe, code.exe, excel.exe, powerpnt.exe, winword.exe, and msaccess.exe.
Further analysis uncovered that Albabat ransomware connects to a PostgreSQL database to log infections and manage ransom payments. This data tracking mechanism assists attackers in making financial demands, monitoring infections, and monetizing stolen information.
Notably, the ransomware’s configuration includes specific commands for Linux and macOS, suggesting that binaries have been developed to expand its reach across platforms.
Trend Micro found that the ransomware utilizes the GitHub repository billdev.github.io to store its configuration files. The account, created on February 27, 2024, is registered under the pseudonym “Bill Borguiann.”
Although the repository is private, the ransomware fetches its configuration from it using an authentication token; researchers captured that token in transit with Fiddler and used it to confirm the repository was still reachable and being updated. A review of the commit logs indicates active development, with the most recent modification recorded on February 22, 2025.
A folder labeled “2.5.x” was discovered within the GitHub repository, pointing to an upcoming version of Albabat ransomware. Although no ransomware binaries were detected in this directory, researchers found a config.json file containing newly introduced cryptocurrency wallet addresses for Bitcoin, Ethereum, Solana, and BNB. However, no transactions have been identified in these wallets to date.
"The findings demonstrate the importance of monitoring indicators of compromise (IoCs) for staying ahead of constantly evolving threats like Albabat," Trend Micro researchers advised.
Tracking IoCs such as the GitHub account, the list of terminated processes, and the wallet addresses lets security teams recognize the attack pattern on their own telemetry and build detections before a new version of the ransomware is deployed.
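As an added illustration of turning the behaviors described above (the burst of process terminations in version 2.0 and the configuration fetch from billdev.github.io) into a hunting check, the following Python script is example code written for this article, not Trend Micro's tooling or anything from the malware author. The log format is a constructed, simplified CSV of process-termination and network-connection events; the burst threshold, time window, and the assumption that a connection to billdev.github.io is what appears in telemetry are all assumptions, and in a real deployment you would map these to your EDR's event schema and IoC feed.

```python
"""Hunting check (example code, not from the article) for two Albabat 2.0
behaviors: a burst of terminations of the listed processes, and a
connection to the GitHub host used for configuration. The log format is a
constructed, simplified "timestamp,host,event,detail" CSV."""
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the article reports Albabat 2.0 terminating.
KILLED_PROCESSES = {
    "taskmgr.exe", "processhacker.exe", "regedit.exe", "code.exe",
    "excel.exe", "powerpnt.exe", "winword.exe", "msaccess.exe",
}
# Host named in the article as the configuration store (assumption: this
# is the hostname your proxy/EDR telemetry records for the fetch).
CONFIG_HOSTS = {"billdev.github.io"}

# Assumed tuning: three or more listed processes killed within ten seconds.
KILL_THRESHOLD = 3
KILL_WINDOW = timedelta(seconds=10)

# Constructed sample events (not real telemetry).
SAMPLE_LOG = """\
2025-03-01T10:00:01Z,ws01,ProcessTerminate,taskmgr.exe
2025-03-01T10:00:01Z,ws01,ProcessTerminate,regedit.exe
2025-03-01T10:00:02Z,ws01,ProcessTerminate,winword.exe
2025-03-01T10:00:05Z,ws01,NetworkConnect,billdev.github.io
2025-03-01T10:05:00Z,ws02,ProcessTerminate,excel.exe
2025-03-01T11:00:00Z,ws02,ProcessTerminate,winword.exe
2025-03-01T11:30:00Z,ws03,NetworkConnect,github.com
"""


def parse_events(text):
    """Parse CSV lines into (timestamp, host, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split(",", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       host, event, detail.strip().lower()))
    return events


def find_kill_bursts(events):
    """Return hosts where >= KILL_THRESHOLD listed processes were
    terminated within any KILL_WINDOW-long sliding window."""
    per_host = defaultdict(list)
    for ts, host, event, detail in events:
        if event == "ProcessTerminate" and detail in KILLED_PROCESSES:
            per_host[host].append(ts)
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= KILL_WINDOW:
                j += 1
            if j - i >= KILL_THRESHOLD:
                flagged.add(host)
                break
    return flagged


def find_config_fetches(events):
    """Return hosts that connected to a known configuration host."""
    return {host for _, host, event, detail in events
            if event == "NetworkConnect" and detail in CONFIG_HOSTS}


def hunt(text):
    """Run both checks; 'both' is the high-confidence set where the kill
    burst and the configuration fetch occur on the same host."""
    events = parse_events(text)
    bursts = find_kill_bursts(events)
    fetches = find_config_fetches(events)
    return {
        "kill_burst": sorted(bursts),
        "config_fetch": sorted(fetches),
        "both": sorted(bursts & fetches),
    }


if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

On the sample log only ws01 trips both checks: ws02 terminates two listed processes but almost an hour apart, which a window-based check correctly ignores, and ws03's connection to github.com is not the named host. Keeping the process list and host set as data rather than hard-coded conditions is what makes the check easy to update when the 2.5.x branch ships with new indicators.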