The Albabat ransomware group has been observed expanding its operations to target not only Windows but also Linux and macOS systems, marking a significant evolution in its capabilities.
This development was uncovered by Trend Research, which noted that the group is utilizing GitHub to streamline its ransomware operations.
The use of GitHub allows the attackers to manage their configuration files efficiently, enhancing the sophistication and reach of their attacks.

Expanding Targets and Operational Efficiency
Early versions of the Albabat ransomware were detected in late 2023 and early 2024.
However, recent versions, including 2.0.0 and 2.5, have been found to gather system and hardware information from Linux and macOS systems, in addition to targeting Windows.
These new variants retrieve their configuration data through the GitHub REST API, using a “User-Agent” string labeled “Awesome App.”
This configuration provides crucial details about the ransomware’s behavior and operational parameters, indicating that these variants belong to Albabat version 2.0.
The ransomware ignores specific folders during its operation, such as Searches, AppData, and System Volume Information, while encrypting a wide range of file extensions, including .exe, .dll, .mp3, and .pdf.
It also terminates processes like taskmgr.exe, regedit.exe, and chrome.exe to prevent interference with its activities.
The attackers use a PostgreSQL database to track infections and payments, storing stolen data such as system details, user information, and geolocation data.
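The configuration fetch over the GitHub REST API described above gives defenders a network-level detection opportunity. The following Python is an added example, not code from the Trend Research report: it scans constructed proxy log lines for requests to api.github.com that carry the “Awesome App” User-Agent. The log format, the sample lines and the OWNER-PLACEHOLDER repository path are assumptions.

```python
import re
from typing import Dict, List, Optional

# Assumed proxy log format (constructed for this example):
#   <timestamp> <client_ip> <method> <url> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$'
)
GITHUB_API_RE = re.compile(r'^https?://api\.github\.com/', re.IGNORECASE)
# User-Agent string the report associates with Albabat 2.x configuration fetches
SUSPECT_UA = "awesome app"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one proxy log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_albabat_config_fetch(entry: Dict[str, str]) -> bool:
    """Flag a GitHub REST API request whose User-Agent is exactly 'Awesome App' (case-insensitive)."""
    return bool(GITHUB_API_RE.match(entry["url"])) and entry["ua"].strip().lower() == SUSPECT_UA


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that match the Albabat configuration-fetch pattern."""
    return [e for e in (parse_line(line) for line in lines) if e and is_albabat_config_fetch(e)]


# Constructed sample log; timestamps, client IPs and the repository owner are placeholders.
SAMPLE_LOG = [
    '2025-03-20T10:01:02Z 10.0.0.15 GET https://api.github.com/repos/OWNER-PLACEHOLDER/billdev.github.io/contents/config.json "Awesome App"',
    '2025-03-20T10:01:05Z 10.0.0.22 GET https://api.github.com/repos/OWNER-PLACEHOLDER/some-tool/releases "git/2.43.0"',
    '2025-03-20T10:01:09Z 10.0.0.15 GET https://github.com/login "Mozilla/5.0"',
    '2025-03-20T10:01:11Z 10.0.0.31 POST https://api.github.com/graphql "Awesome App Mobile/1.0"',
    'malformed line that should be skipped',
]

if __name__ == "__main__":
    # Only the first sample line matches: REST API host plus the exact User-Agent.
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['url']} (UA={hit['ua']!r})")
```

The rule requires an exact User-Agent match so that legitimate clients whose agent merely contains the words are not flagged; loosen it deliberately if you want to hunt for variants.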

GitHub’s Role in Ransomware Operations
The GitHub repository billdev.github.io is used to store and deliver configuration files for the ransomware.
Although the repository is private, it remains accessible through an authentication token observed during network traffic analysis.
According to the Trend Micro report, this setup allows the attackers to manage their operations centrally and update their tools efficiently.
The repository’s commit history shows active development, with a significant increase in activity during specific hours, indicating a focused effort to enhance the ransomware’s capabilities.
To mitigate the risks posed by the Albabat ransomware, organizations should implement robust security measures.
This includes maintaining regular backups, segmenting networks to limit the spread of malware, and updating systems to patch vulnerabilities.
User training is also crucial to prevent initial infections through phishing attempts or suspicious links.
By staying vigilant and leveraging threat intelligence tools, enterprises can proactively defend against evolving ransomware threats like Albabat.