Ransomware Roundup – Albabat | FortiGuard Labs

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the Albabat ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts victims’ files and demands ransom for file decryption
Severity level: High

Albabat Ransomware Overview

Albabat, also known as White Bat, is a financially motivated ransomware variant written in Rust that identifies and encrypts files important to the user and demands a ransom to release them. It first appeared in November 2023 with the variant Version 0.1.0. Version 0.3.0 was released in late December, followed by version 0.3.3 in mid-January 2024.

Infection Vector

The Albabat ransomware appears to be distributed as rogue software, such as a fake Windows 10 digital activation tool and a cheat program for the Counter-Strike 2 game.

Victimology

Judging by where the Albabat samples were submitted to a publicly available file-scanning service, the ransomware appears to be primarily affecting companies and individuals in Argentina, Brazil, the Czech Republic, Germany, Hungary, Kazakhstan, Russia, and the United States. But because it is being distributed as fake software, the ransomware can affect anyone who downloads the lure.

Attack Method

Once the Albabat ransomware is executed, it looks for files to encrypt. It avoids encrypting the following file types:

N2PK, abbt, arc, arz, bik, bin, bk2, cab, cat, cur, dat, desktop, dll, inf, ini, lib, lnk, log, mp2, msi, nfo, otf, pdb, pkg, pkr, pyd, qt, resource, sfx, sig, so, swf, tcl, tmp, ttf, url, vc, vdf, vfont, vpk, whl, win, wma, woff, woff2, xnb

Additional file types listed below are excluded from encryption in versions 0.3.0 and 0.3.3:

CHK, _pth, cmd, com, icls, ico, idx, mod, mp3, ogg, pickle, src, theme, vhdx, vscdb

~$, dic, lock, mui, pyc, smc, srm

In the original post the two groups were distinguished by highlight colour: light green for the types excluded from version 0.3.0 onward and light yellow for the additional types excluded in version 0.3.3. The colours do not survive here, but the ordering (two alphabetically sorted runs) indicates that the first group (CHK through vscdb) is the 0.3.0 set and the second group (~$ through srm) is the 0.3.3 addition. Note that "~$" is the prefix of Microsoft Office owner/lock files rather than a file extension.

Files encrypted by the Albabat ransomware are given a “.abbt” file extension.

The ransomware also replaces the desktop wallpaper with its own.

The Albabat ransomware’s wallpaper claims it supports Windows and Linux platforms. However, we have not been able to locate Linux samples. Since the ransomware is written in the Rust language, which can be cross-compiled from one operating system to another, it’s possible that a Linux version will be released in the future.

Version 0.1.0 tries to terminate only chrome.exe. Starting with version 0.3.0, the ransomware attempts to terminate the following processes, most likely to release file handles that would otherwise block encryption of open documents, databases and game files:

  • taskmgr.exe
  • code.exe
  • excel.exe
  • powerpnt.exe
  • winword.exe
  • msaccess.exe
  • mspub.exe
  • chrome.exe
  • cs2.exe (the game Counter-Strike 2)
  • steam.exe
  • onedrive.exe
  • postgres.exe
  • mysqlworkbench.exe
  • outlook.exe
  • windowsterminal.exe
  • sublime_text.exe

Version 0.3.0 and later also stops the following services:

  • MySQL57
  • MySQL80
  • MySQL82
  • postgresql-x64-14
  • postgresql-x64-15
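Stopping the database services above is a pre-encryption step that leaves a trace in the Windows System log (event 7036, "The X service entered the stopped state"). The following is an added example, not code from the FortiGuard Labs post: it runs a simple burst detector over constructed log lines formatted as "timestamp,event_id,message" and flags a window in which two or more of the services Albabat targets were stopped. The export format and the 60-second window are assumptions; a real event export will need its own parser.

```python
"""Flag a burst of database service stops matching Albabat's pre-encryption step.

Added example, not code from the FortiGuard Labs post. The service names are
the ones the post lists for versions 0.3.0 and later. The log lines below are
constructed to resemble Windows System log 7036 entries exported as
"timestamp,event_id,message"; adapt parse_service_events() to a real export.
"""
import re
from datetime import datetime, timedelta

ALBABAT_SERVICES = {"MySQL57", "MySQL80", "MySQL82",
                    "postgresql-x64-14", "postgresql-x64-15"}

# Event 7036 message text: "The <service> service entered the <state> state."
STATE_RE = re.compile(r"The (.+?) service entered the (\w+) state")


def parse_service_events(lines):
    """Yield (timestamp, service, state) for every 7036 line in the export."""
    for line in lines:
        ts, event_id, msg = line.split(",", 2)
        if event_id.strip() != "7036":
            continue
        m = STATE_RE.search(msg)
        if m:
            yield datetime.fromisoformat(ts.strip()), m.group(1), m.group(2)


def find_service_stop_bursts(lines, window_seconds=60, min_services=2,
                             watchlist=ALBABAT_SERVICES):
    """Return bursts: distinct watchlisted services stopped within one time window.

    Each burst is {"start": iso timestamp, "services": sorted names}. Events are
    grouped greedily from the first stop forward, so one long window of stops
    produces one burst rather than one alert per service.
    """
    stops = sorted(
        (ts, svc) for ts, svc, state in parse_service_events(lines)
        if state == "stopped" and svc in watchlist
    )
    bursts = []
    i = 0
    while i < len(stops):
        start = stops[i][0]
        j = i
        while j < len(stops) and stops[j][0] - start <= timedelta(seconds=window_seconds):
            j += 1
        names = sorted({svc for _, svc in stops[i:j]})
        if len(names) >= min_services:
            bursts.append({"start": start.isoformat(), "services": names})
        i = j
    return bursts


# Constructed sample export: one benign service event, a three-service stop
# burst, an unrelated 7040 event, and a lone stop hours later.
SAMPLE_LOG = """2024-01-15T09:00:00,7036,The Print Spooler service entered the running state.
2024-01-15T11:30:00,7036,The MySQL80 service entered the stopped state.
2024-01-15T11:30:01,7036,The postgresql-x64-15 service entered the stopped state.
2024-01-15T11:30:03,7036,The MySQL57 service entered the stopped state.
2024-01-15T11:30:05,7040,The start type of the Windows Update service was changed.
2024-01-15T18:00:00,7036,The MySQL80 service entered the stopped state.
""".splitlines()

if __name__ == "__main__":
    for burst in find_service_stop_bursts(SAMPLE_LOG):
        print("possible ransomware pre-encryption step at", burst["start"],
              "stopped:", ", ".join(burst["services"]))
```

A single database stop is routine (patching, backups), which is why the detector requires several distinct watchlisted services within the window; the lone MySQL80 stop at 18:00 in the sample is deliberately not reported. Correlating the burst with the process terminations listed above on the same host raises confidence further.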

Starting with version 0.3.0, the ransomware may steal from or modify the following files and directories:

  • AppData\Roaming\Electrum\wallets
  • AppData\Roaming\JetBrains
  • AppData\Local\Microsoft\OneDrive
  • C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\game\csgo\cfg
  • D:\Games\steamapps\common\Counter-Strike Global Offensive\game\csgo\cfg
  • D:\Steam\steamapps\common\Counter-Strike Global Offensive\game\csgo\cfg

Version 0.3.3 adds the following entries to the Windows Hosts file to block access to certain sites:

  • 127[.]0[.]0[.]1 malware-guide[.]com
  • 127[.]0[.]0[.]1 www[.]pcrisk[.]pt
  • 127[.]0[.]0[.]1 www[.]pcrisk[.]com
  • 127[.]0[.]0[.]1 adware[.]guru
  • 127[.]0[.]0[.]1 www[.]cyclonis[.]com
  • 127[.]0[.]0[.]1 jp[.]broadcom[.]com
  • 127[.]0[.]0[.]1 www[.]broadcom[.]com
  • 127[.]0[.]0[.]1 www[.]enigmasoftware[.]com
  • 127[.]0[.]0[.]1 howtofix[.]guide
  • 127[.]0[.]0[.]1 easysolvemalware[.]com
  • 127[.]0[.]0[.]1 bbs[.]360[.]cn
  • 127[.]0[.]0[.]1 pcsafetygeek[.]com
  • 127[.]0[.]0[.]1 tria[.]ge
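Pinning security-vendor domains to the loopback address in the hosts file is a cheap way to stop a victim from reaching removal guides or sandbox services, and it survives until someone edits the file. The following is an added example, not code from the FortiGuard Labs post: it refangs the defanged domain list above and reports any of those names that a hosts file maps to a loopback or null address. The hosts-file content is constructed; the system-file path is the standard Windows location and is only read when the script is run as a program.

```python
"""Check a Windows hosts file for the loopback entries Albabat 0.3.3 adds.

Added example, not code from the FortiGuard Labs post. The domain list is the
one given in the post (defanged with [.]); SAMPLE_HOSTS is constructed.
"""
import os

# Defanged IOCs as published; refang() turns "[.]" back into "." for matching.
ALBABAT_HOSTS_DOMAINS = [
    "malware-guide[.]com", "www[.]pcrisk[.]pt", "www[.]pcrisk[.]com",
    "adware[.]guru", "www[.]cyclonis[.]com", "jp[.]broadcom[.]com",
    "www[.]broadcom[.]com", "www[.]enigmasoftware[.]com", "howtofix[.]guide",
    "easysolvemalware[.]com", "bbs[.]360[.]cn", "pcsafetygeek[.]com", "tria[.]ge",
]

# Addresses that make a name unreachable: IPv4/IPv6 loopback and the null route.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Standard location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts")


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in threat reports."""
    return indicator.replace("[.]", ".")


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:            # one line may list several names
            yield parts[0], host.lower()


def find_sinkholed_vendors(text: str, watchlist=ALBABAT_HOSTS_DOMAINS):
    """Return sorted watchlisted hostnames that the hosts file pins to a sinkhole address."""
    wanted = {refang(d).lower() for d in watchlist}
    hits = {host for ip, host in parse_hosts(text)
            if ip in SINKHOLE_ADDRESSES and host in wanted}
    return sorted(hits)


# Constructed hosts file: the first two lines mimic a clean Windows default;
# the next three mimic Albabat 0.3.3 additions; the last is a legitimate entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
127.0.0.1 malware-guide.com
127.0.0.1 www.pcrisk.com   # added by malware
127.0.0.1 tria.ge
10.0.0.5  intranet.example   # legitimate entry, not flagged
"""

if __name__ == "__main__":
    path = WINDOWS_HOSTS_PATH if os.path.exists(WINDOWS_HOSTS_PATH) else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for host in find_sinkholed_vendors(text):
        print("hosts file sinkholes", host)
```

Only names from the Albabat list are reported, so an administrator's own intranet overrides are not flagged. Any hit is worth treating as an indicator in its own right: legitimate software has no reason to route these particular vendors to loopback, and the same technique is reused by other malware families, so the watchlist can be extended without changing the logic.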

Once the encryption process is finished, the ransomware drops the following files:

Version 0.1.0

  • %USERPROFILE%\Albabat\Albabat.ekey
  • %USERPROFILE%\Albabat\Albabat.log
  • %USERPROFILE%\Albabat\README.html
  • %USERPROFILE%\Albabat\wallpaper_albabat.jpg
  • %USERPROFILE%\Albabat\www\banner.jpg
  • %USERPROFILE%\Albabat\www\faq.html
  • %USERPROFILE%\Albabat\www\script.js
  • %USERPROFILE%\Albabat\www\style.css

Version 0.3.0

  • %USERPROFILE%\Albabat\Albabat.ekey
  • %USERPROFILE%\Albabat\Albabat_Logs.log
  • %USERPROFILE%\Albabat\personal_id.txt
  • %USERPROFILE%\Albabat\wallpaper_albabat.jpg
  • %USERPROFILE%\Albabat\readme\README.html
  • %USERPROFILE%\Albabat\readme\assets\style.css
  • %USERPROFILE%\Albabat\readme\assets\script.js
  • %USERPROFILE%\Albabat\readme\assets\banner.jpg
  • %USERPROFILE%\Albabat\readme\pages\faq.html

Version 0.3.3

  • %USERPROFILE%\Albabat\Albabat.ekey
  • %USERPROFILE%\Albabat\credits.txt
  • %USERPROFILE%\Albabat\Encryption_DBG.log
  • %USERPROFILE%\Albabat\personal_id.txt
  • %USERPROFILE%\Albabat\wallpaper_albabat.jpg
  • %USERPROFILE%\Albabat\readme\README.html
  • %USERPROFILE%\Albabat\assets\banner.jpg
  • %USERPROFILE%\Albabat\assets\script.js
  • %USERPROFILE%\Albabat\assets\style.css
  • %USERPROFILE%\Albabat\pages\faq.html

The README.html file is a ransom note instructing victims to email the attacker. It demands 0.0015 Bitcoin (approximately US$64 at the time of writing) for file decryption. The ransom notes dropped by versions 0.1.0, 0.3.0, and 0.3.3 differ significantly in content, although they share the same format.

The ransom note has a translation option that uses the Google Translate service, allowing it to be translated into over 100 languages. When the translation option is selected, Portuguese is automatically selected as the translation language, which may indicate that this is the primary language of the ransomware developer.

Consistent with a statement in the ransom note itself, files larger than 5 MB were not encrypted in our test environments.
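The extension exclusion lists above, the ".abbt" extension and the 5 MB cap together define Albabat's encryption scope, which is what an incident responder needs in order to estimate blast radius and to prioritise restores. The following is an added example, not code from the FortiGuard Labs post: given an inventory of (path, size) pairs it reports which files already carry the ".abbt" extension and which would still have been in scope for a given version. Assumptions are stated in the module docstring; the sample inventory is constructed.

```python
"""Estimate which files Albabat would encrypt and which it already has.

Added example, not code from the FortiGuard Labs post. The two exclusion sets
and the ".abbt" extension are taken from the post; the 5 MB cap is the
behaviour the post reports from its test environment. Assumptions: the cap is
5 MiB and exclusive (files strictly larger are skipped), extension matching is
case-insensitive, and "~$" is treated as the Office lock-file prefix rather
than as an extension. SAMPLE_FILES is a constructed inventory.
"""
import ntpath
import os

ENCRYPTED_EXT = ".abbt"
SIZE_CAP = 5 * 1024 * 1024  # assumed 5 MiB

# Skipped by every version (from the post).
EXCLUDED_ALL = {
    "n2pk", "abbt", "arc", "arz", "bik", "bin", "bk2", "cab", "cat", "cur", "dat",
    "desktop", "dll", "inf", "ini", "lib", "lnk", "log", "mp2", "msi", "nfo", "otf",
    "pdb", "pkg", "pkr", "pyd", "qt", "resource", "sfx", "sig", "so", "swf", "tcl",
    "tmp", "ttf", "url", "vc", "vdf", "vfont", "vpk", "whl", "win", "wma", "woff",
    "woff2", "xnb",
}
# Additionally skipped by 0.3.0 and 0.3.3 (from the post); "~$" is handled as a prefix.
EXCLUDED_030_PLUS = {
    "chk", "_pth", "cmd", "com", "icls", "ico", "idx", "mod", "mp3", "ogg", "pickle",
    "src", "theme", "vhdx", "vscdb", "dic", "lock", "mui", "pyc", "smc", "srm",
}
LOCK_PREFIX = "~$"


def excluded_extensions(version: str) -> set:
    """Exclusion set for a given Albabat version string ("0.1.0", "0.3.0", "0.3.3")."""
    exts = set(EXCLUDED_ALL)
    if version != "0.1.0":
        exts |= EXCLUDED_030_PLUS
    return exts


def would_encrypt(path: str, size: int, version: str = "0.3.3") -> bool:
    """True if a file of this name and size falls inside Albabat's encryption scope."""
    name = ntpath.basename(path)  # handles both "\\" and "/" separators on any OS
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if version != "0.1.0" and name.startswith(LOCK_PREFIX):
        return False
    if ext in excluded_extensions(version):
        return False
    return size <= SIZE_CAP


def triage(files, version: str = "0.3.3") -> dict:
    """Split (path, size) pairs into already-encrypted and still-at-risk files."""
    files = list(files)
    return {
        "already_encrypted": [p for p, _ in files if p.lower().endswith(ENCRYPTED_EXT)],
        "at_risk": [p for p, s in files if would_encrypt(p, s, version)],
    }


def walk_sizes(root: str):
    """Yield (path, size) for every regular file under root, for use with triage()."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            if os.path.isfile(full):
                yield full, os.path.getsize(full)


# Constructed sample inventory of a victim profile.
SAMPLE_FILES = [
    (r"C:\Users\alice\Documents\budget.xlsx", 120_000),
    (r"C:\Users\alice\Documents\thesis.docx", 6 * 1024 * 1024),   # over the cap
    (r"C:\Users\alice\Documents\~$thesis.docx", 162),              # Office lock file
    (r"C:\Users\alice\Music\track01.mp3", 4_000_000),              # skipped from 0.3.0
    (r"C:\Windows\System32\kernel32.dll", 700_000),                # dll always skipped
    (r"C:\Users\alice\Pictures\holiday.jpg.abbt", 300_000),        # already encrypted
    (r"C:\Users\alice\Desktop\notes.txt", 2_000),
]

if __name__ == "__main__":
    for version in ("0.1.0", "0.3.3"):
        result = triage(SAMPLE_FILES, version)
        print(version, "at risk:", [ntpath.basename(p) for p in result["at_risk"]])
    print("already encrypted:", triage(SAMPLE_FILES)["already_encrypted"])
```

Running triage(walk_sizes(r"C:\Users\alice")) on a mounted image gives the responder a list of what the encryptor would have reached, which is useful for checking that a restore is complete. Note that the size cap is a property of the observed samples, not a guarantee: large files survive only because this version chose to skip them.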

The FAQ option opens FAQ.html, which does not differ much between variants except for item 10, which was added in version 0.3.0.

The attacker’s Bitcoin wallet had no transactions at the time of our investigation.

Data Leak Site

Although one of the Albabat ransomware samples instructs victims to visit a Tor site, the site was no longer accessible at the time of our investigation. Since the ransom notes make no mention of data exfiltration, it is likely that the Tor site was used only for ransom negotiation rather than as a leak site.

Fortinet Protections

Fortinet customers are already protected from this malware variant through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the Albabat ransomware samples with the following AV signatures:

  • W32/PossibleThreat

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

Albabat Ransomware File IOCs

SHA-256

e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9

ce5c3ec17ce277b50771d0604f562fd491582a5a8b05bb35089fe466c67eef54

483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74

614a7f4e0044ed93208cbd4a5ab6916695e92ace392bc352415b24fe5b2d535c

bfb8247e97f5fd8f9d3ee33832fe29f934a09f91266f01a5fed27a3cc96f8fbb

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Although Albabat itself is distributed as trojanized software rather than by phishing, the majority of ransomware is delivered via phishing, so organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today’s threat landscape and will introduce basic cybersecurity concepts and technology.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

FortiRecon is a SaaS based Digital Risk Prevention Service backed by cybersecurity experts to provide unrivaled threat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress allowing customers to rapidly respond to and shut down active threats.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.

Source: Original Post

