Ransomware Roundup – Albabat | FortiGuard Labs

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the Albabat ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts victims’ files and demands ransom for file decryption
Severity level: High

Albabat Ransomware Overview

Albabat, also known as White Bat, is a financially motivated ransomware variant written in Rust that identifies and encrypts files important to the user and demands a ransom to release them. It first appeared in November 2023 with the variant Version 0.1.0. Version 0.3.0 was released in late December, followed by version 0.3.3 in mid-January 2024.

Infection Vector

The Albabat ransomware appears to be distributed as rogue software, such as a fake Windows 10 digital activation tool and a cheat program for the Counter-Strike 2 game.

Victimology

The Albabat ransomware samples were submitted to a publicly available file scanning service, and it appears to be primarily targeting companies and individuals in Argentina, Brazil, the Czech Republic, Germany, Hungary, Kazakhstan, Russia, and the United States. But because it is being distributed as fake software, the ransomware can affect anyone.

Attack Method

Once the Albabat ransomware is executed, it looks for files to encrypt. It avoids encrypting the following file types:

Additional file types listed below are excluded from encryption in versions 0.3.0 and 0.3.3:

Note that the file types highlighted in light green are excluded in version 0.3.0. The file types highlighted in light yellow are additional files excluded in version 0.3.3.

Files encrypted by the Albabat ransomware are given a “.abbt” file extension.

The ransomware also replaces the desktop wallpaper with its own.

The Albabat ransomware’s wallpaper claims it supports Windows and Linux platforms. However, we have not been able to locate Linux samples. Since the ransomware is written in the Rust language, which can be cross-compiled from one operating system to another, it’s possible that a Linux version will be released in the future.

Version 0.1.0 tries to terminate Chrome.exe. Starting with version 0.3.0, the ransomware also attempts to terminate the following additional processes:

Version 0.3.0 and later also stops the following services:

Starting with version 0.3.0, the ransomware may steal from or modify the following files:

Version 0.3.3 adds the following entries to the Windows Hosts file to block access to certain sites:

• 127[.]0[.]0[.]1 malware-guide[.]com
• 127[.]0[.]0[.]1 www[.]pcrisk[.]pt
• 127[.]0[.]0[.]1 www[.]pcrisk[.]com
• 127[.]0[.]0[.]1 adware[.]guru
• 127[.]0[.]0[.]1 www[.]cyclonis[.]com
• 127[.]0[.]0[.]1 jp[.]broadcom[.]com
• 127[.]0[.]0[.]1 www[.]broadcom[.]com
• 127[.]0[.]0[.]1 www[.]enigmasoftware[.]com
• 127[.]0[.]0[.]1 howtofix[.]guide
• 127[.]0[.]0[.]1 easysolvemalware[.]com
• 127[.]0[.]0[.]1 bbs[.]360[.]cn
• 127[.]0[.]0[.]1 pcsafetygeek[.]com
• 127[.]0[.]0[.]1 tria[.]ge

Once the encryption process is finished, the ransomware drops the following files:

Version 0.1.0

• %USERPROFILE%AlbabatAlbabat.ekey
• %USERPROFILE%AlbabatAlbabat.log
• %USERPROFILE%AlbabatREADME.html
• %USERPROFILE%Albabatwallpaper_albabat.jpg
• %USERPROFILE%Albabatwwwbanner.jpg
• %USERPROFILE%Albabatwwwfaq.html
• %USERPROFILE%Albabatwwwscript.js
• %USERPROFILE%Albabatwwwstyle.css

Version 0.3.0

• %USERPROFILE%AlbabatAlbabat.ekey
• %USERPROFILE%AlbabatAlbabat_Logs.log
• %USERPROFILE%Albabatpersonal_id.txt
• %USERPROFILE%Albabatwallpaper_albabat.jpg
• %USERPROFILE%AlbabatreadmeREADME.html
• %USERPROFILE%Albabatreadmeassetsstyle.css
• %USERPROFILE%Albabatreadmeassetsscript.js
• %USERPROFILE%Albabatreadmeassetsbanner.jpg
• %USERPROFILE%Albabatreadmepagesfaq.html

Version 0.3.3

• %USERPROFILE%AlbabatAlbabat.ekey
• %USERPROFILE%Albabatcredits.txt
• %USERPROFILE%AlbabatEncryption_DBG.log
• %USERPROFILE%Albabatpersonal_id.txt
• %USERPROFILE%Albabatwallpaper_albabat.jpg
• %USERPROFILE%AlbabatreadmeREADME.html
• %USERPROFILE%Albabatassetsbanner.jpg
• %USERPROFILE%Albabatassetsscript.js
• %USERPROFILE%Albabatassetsstyle.css
• %USERPROFILE%Albabatpagesfaq.html

The README.html file is a ransom note instructing victims to email the attacker. It demands 0.0015 Bitcoin (approximately $64 US) for file decryption. The ransom notes dropped by versions 0.1.0, 0.3.0, and 0.3.3 are significantly different except for the format.

The ransom note has a translation option that uses the Google Translate service, allowing it to be translated into over 100 languages. When the translation option is selected, Portuguese is automatically selected as the translation language, which may indicate that this is the primary language of the ransomware developer.

Files larger than 5MB were not encrypted in our test environments, as per the ransom note.

The FAQ option opens FAQ.html, which does not differ much between variants except for item 10, which was added in version 0.3.0.

The attacker’s Bitcoin wallet had no transactions at the time of our investigation.

Data Leak Site

Although one of the Albabat ransomware samples instructs victims to visit a TOR site, the site was no longer accessible at the time of our investigation. Since there is no mention of data exfiltration in the ransom notes, it is likely that the TOR site was only used for ransom negotiations.

Fortinet Protections

Fortinet customers are already protected from this malware variant through our AntiVirus and FortiEDR services, as follows:

FortiGuard Labs detects the Albabat ransomware samples with the following AV signatures:

• W32/PossibleThreat

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

Albabat Ransomware File IOCs

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today’s threat landscape and will introduce basic cybersecurity concepts and technology.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

FortiRecon is a SaaS based Digital Risk Prevention Service backed by cybersecurity experts to provide unrivaled threat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress allowing customers to rapidly respond to and shut down active threats.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.