
Albabat Ransomware Uses GitHub for Operations – Active IOCs

Severity

High

Analysis Summary

Albabat ransomware is evolving, signaling an expansion of its attack scope beyond just Windows systems to include Linux and macOS platforms. Researchers recently identified versions 2.0.0 and 2.5 of Albabat, which gather system and hardware information from both Linux and macOS, alongside their existing Windows-based attacks. This change enhances the ransomware’s potential to affect a wider range of organizations, leading to reputational, operational, and financial damages.

One key aspect of these newer versions is the use of GitHub to streamline operations. The ransomware retrieves its configuration data through the GitHub REST API, sending a “User-Agent” header value of “Awesome App.” The configuration reveals specific details about its behavior, such as which folders to skip (e.g., “AppData,” “$RECYCLE.BIN”) and which file extensions to target for encryption. It also terminates certain processes and stores collected data in a PostgreSQL database, likely for ransom demands or further exploitation.
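As an added example (not code from the advisory or the malware), the following Python checker scans proxy log lines for the pattern described above: requests to the GitHub REST API carrying the “Awesome App” User-Agent. The log format and the sample entries are constructed for the demonstration, and the User-Agent comparison is case-insensitive.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample proxy log lines for the demo; they are not from the advisory.
# Assumed format: <timestamp> <src-ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2025-03-31T10:02:11Z 10.0.0.12 GET https://api.github.com/repos/example/cfg/contents/config.json 200 "Awesome App"
2025-03-31T10:02:15Z 10.0.0.12 GET https://api.github.com/repos/example/cfg/contents/config.json 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-03-31T10:03:40Z 10.0.0.33 GET https://www.example.com/index.html 200 "Awesome App"
2025-03-31T10:04:02Z 10.0.0.45 GET https://api.github.com/user 401 "awesome app"
not a log line
"""

GITHUB_API_HOST = "api.github.com"
SUSPICIOUS_UA = "awesome app"  # the "Awesome App" string from the advisory, compared case-insensitively

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

@dataclass(frozen=True)
class Hit:
    timestamp: str
    source_ip: str
    url: str
    user_agent: str

def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(fields: dict) -> bool:
    """True when the request targets the GitHub REST API host with the 'Awesome App' User-Agent."""
    host = urlsplit(fields["url"]).hostname or ""
    return host.lower() == GITHUB_API_HOST and fields["ua"].strip().lower() == SUSPICIOUS_UA

def find_hits(lines: Iterable[str]) -> list:
    """Scan log lines and collect every request that matches both indicators."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields and is_suspicious(fields):
            hits.append(Hit(fields["ts"], fields["src"], fields["url"], fields["ua"]))
    return hits
```

A User-Agent string is trivial for the operator to change, so treat a match as a lead to investigate the source host rather than as proof of infection on its own.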

The GitHub repository, currently private but accessible through an authentication token, is registered under the pseudonym “Bill Borguiann.” It contains ongoing updates, with a folder labeled “2.5.x” indicating that a new version of the ransomware is in development, featuring cryptocurrency wallets.

Impact

  • Financial Loss
  • Reputational Damage
  • Data Theft

Indicators of Compromise

Remediation

  • Maintain up-to-date, secure backups of all critical data and regularly test restoration processes.
  • Implement network segmentation to limit the spread of ransomware across systems.
  • Regularly update and patch software and operating systems to close known vulnerabilities.
  • Monitor and block access to known malicious domains and IPs used by ransomware.
  • Use advanced endpoint protection and intrusion detection systems to detect and block ransomware activities.
  • Implement access controls and least privilege policies to restrict unauthorized access to sensitive data and systems.
  • Regularly audit and review system configurations to ensure there are no vulnerabilities or misconfigurations.