Albabat Ransomware Group Potentially Expands Targets to Multiple OS Uses GitHub to Streamline Operations

March 21, 2025, 2:46 p.m.

Description

The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts certain file extensions, and kills various processes. It collects system information and stores it in a PostgreSQL database. The GitHub repository, created in February 2024, shows active development with increased activity during specific hours. A newer version 2.5 is likely in development, introducing new cryptocurrency wallets. To mitigate the threat, organizations should implement regular backups, network segmentation, system updates, and user training.

External References

https://www.trendmicro.com/en_us/research/25/c/albabat-ransomware-group.html
https://otx.alienvault.com/pulse/67dd406ad4fcb1d2da18fd21
Tags
ransomware
cryptocurrency
encryption
github
multi-platform
2025-03-21
albabat
database
configuration
system information

Date

  • Created: March 21, 2025, 10:33 a.m.
  • Published: March 21, 2025, 10:33 a.m.
  • Modified: March 21, 2025, 2:46 p.m.

Indicators

  • f02db098f98d362925ce997ee6c8c0cfc8f509d135a6b94c7a18a67e418243d4
  • e58b3a701c3fc74a64ec0f4b7cee3550245c93b2f020f0f7bd0304ad855fc32a
Download all indicators here!

Attack Patterns

  • Albabat
  • Albabat
  • T1021.001
  • T1087
  • T1071.001
  • T1562.001
  • T1204.002
  • T1573
  • T1486
  • T1082
  • T1057
  • T1083
  • T1219
  • T1140
  • T1027
  • T1566
  • T1190
  • T1078