Ransomware Roundup – Albabat | FortiGuard Labs

Albabat is a Rust-based ransomware family that spreads via rogue downloads (fake Windows activators and game cheats), encrypts user files with a .abbt extension, and drops ransom notes while attempting to stop key processes and services. FortiGuard Labs documents the differences between versions (0.1.0 → 0.3.0 → 0.3.3), file-type exclusions, dropped artifacts, and hosts-file modifications, and provides AV detection guidance.

Keypoints

  • Albabat (aka White Bat) is a Rust-based ransomware that first appeared in November 2023 and evolved through versions 0.1.0, 0.3.0, and 0.3.3.
  • Primary distribution observed as rogue software downloads (fake Windows 10 activator and Counter-Strike 2 cheat).
  • On execution it encrypts files (appends .abbt), excludes many system/developer/media file types, and in later versions adds additional exclusions.
  • From v0.3.0 the ransomware attempts to terminate common user, developer, and database processes (e.g., chrome.exe, excel.exe, postgres.exe) and stops database services (MySQL57/80/82, postgresql-x64-14/15).
  • Version 0.3.3 modifies the Windows hosts file to block access to a list of security/recovery sites and drops multiple ransom and support files under %USERPROFILE%\Albabat (ekey, logs, README.html, wallpaper, scripts).
  • Dropped ransom notes instruct victims to email the attacker and request ~0.0015 BTC; FAQ/translation features are included in the ransom page.
  • FortiGuard Labs detects samples (AV signature W32/PossibleThreat) and recommends keeping AV/IPS updated and using EDR/backup/segmentation controls.

MITRE Techniques

  • [T1204] User Execution – Albabat is “distributed as rogue software, such as a fake Windows 10 digital activation tool and a cheat program for the Counter-Strike 2 game.”
  • [T1486] Data Encrypted for Impact – The report states the malware “Encrypts victims’ files and demands ransom for file decryption” and appends the “.abbt” extension to encrypted files.
  • [T1490] Inhibit System Recovery – The ransomware stops database services and other services as described: “Version 0.3.0 and later also stops the following services:” (MySQL57, MySQL80, MySQL82, postgresql-x64-14, postgresql-x64-15).

Indicators of Compromise

  • [SHA256] Ransomware sample hashes – e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9, ce5c3ec17ce277b50771d0604f562fd491582a5a8b05bb35089fe466c67eef54, and 3 more hashes.
  • [Domains / Hosts entries] Domains added to Windows hosts by v0.3.3 – malware-guide[.]com, www[.]pcrisk[.]com, and 11 more blocked entries.
  • [File names / paths] Dropped ransom and artifact files (per version) – %USERPROFILE%\Albabat\Albabat.ekey, %USERPROFILE%\Albabat\README.html, and other readme/assets/log files.
  • [File extension] Encrypted file extension – .abbt (files encrypted by Albabat are given a “.abbt” extension).
  • [Processes & Services targeted] Processes/services targeted for termination or stopping – chrome.exe, excel.exe, postgres.exe; MySQL57/MySQL80/MySQL82/postgresql-x64-14 (service examples).

Albabat executes from user-initiated rogue downloads (fake Windows activation tools and game cheats). On launch it enumerates files for encryption while skipping long lists of system, development, and media extensions (additional exclusions added in v0.3.0 and v0.3.3). Encrypted files receive the .abbt extension; the ransomware also replaces the desktop wallpaper and drops a set of artifacts under %USERPROFILE%\Albabat (including Albabat.ekey, logs, personal_id.txt/credits.txt, README.html, wallpaper_albabat.jpg, and various readme assets), with variant-specific filenames across 0.1.0, 0.3.0, and 0.3.3.
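The file-system and hosts-file artifacts above are the cheapest things to hunt for on an endpoint. The following is an added example written for this page, not FortiGuard Labs code: it checks a directory listing for the .abbt extension and for the dropped files in %USERPROFILE%\Albabat, and parses hosts-file text for the blocked sites the report names. Only artifact names and domains that appear on this page are included (the report's remaining hosts entries are elided here); the sample paths and hosts lines are constructed so the script runs offline, and the addresses used in those lines are an assumption, since detection keys on the hostname rather than the address.

```python
"""Hunt helper for Albabat host artifacts (added example, not vendor code).

Feed real data by passing os.walk() results as `paths` and the contents of
C:\\Windows\\System32\\drivers\\etc\\hosts as `hosts_text`.
"""
import ntpath
from typing import Iterable

ALBABAT_EXT = ".abbt"          # extension appended to encrypted files
ALBABAT_DIR = "Albabat"        # dropped under %USERPROFILE%
# Dropped-file names listed in the report (subset; log/asset names vary by version).
ALBABAT_ARTIFACTS = {
    "Albabat.ekey",
    "README.html",
    "personal_id.txt",
    "credits.txt",
    "wallpaper_albabat.jpg",
}
# hosts-file targets the page names for v0.3.3; the report lists more.
BLOCKED_HOSTS = {"malware-guide.com", "www.pcrisk.com"}


def find_encrypted_files(paths: Iterable[str]) -> list[str]:
    """Return paths whose final extension is .abbt (case-insensitive).

    ntpath is used explicitly so Windows paths parse correctly even when
    this runs on a non-Windows analysis box.
    """
    return [p for p in paths if ntpath.splitext(p)[1].lower() == ALBABAT_EXT]


def find_dropped_artifacts(paths: Iterable[str]) -> list[str]:
    """Return paths that are a known Albabat drop inside a directory named Albabat."""
    hits = []
    for p in paths:
        parent, name = ntpath.split(p)
        if ntpath.basename(parent).lower() == ALBABAT_DIR.lower() and name in ALBABAT_ARTIFACTS:
            hits.append(p)
    return hits


def find_hosts_tampering(hosts_text: str) -> list[tuple[str, str]]:
    """Return (hostname, address) pairs for blocked-site entries in hosts-file text.

    A hosts line is `<address> <host> [<host> ...]`, optionally followed by a
    `#` comment; every hostname on the line is checked.
    """
    found = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, hosts = fields[0], fields[1:]
        for host in hosts:
            if host.lower() in BLOCKED_HOSTS:
                found.append((host.lower(), addr))
    return found


def assess(paths: Iterable[str], hosts_text: str) -> dict:
    """Combine the three checks; require encrypted files plus a second artifact."""
    paths = list(paths)
    enc = find_encrypted_files(paths)
    art = find_dropped_artifacts(paths)
    hosts = find_hosts_tampering(hosts_text)
    return {
        "encrypted_files": enc,
        "dropped_artifacts": art,
        "hosts_entries": hosts,
        "likely_albabat": bool(enc) and (bool(art) or bool(hosts)),
    }


# Constructed sample input (not from a real infection).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.abbt",
    r"C:\Users\alice\Pictures\holiday.jpg.ABBT",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Albabat\Albabat.ekey",
    r"C:\Users\alice\Albabat\README.html",
    r"C:\Windows\System32\drivers\etc\hosts",
]
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
0.0.0.0 malware-guide.com
0.0.0.0 www.pcrisk.com # constructed entry
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_PATHS, SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

The `likely_albabat` verdict deliberately requires encrypted files plus a second corroborating artifact, so a single stray .abbt file or a hosts entry an administrator added on purpose does not trigger on its own.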

To maximize impact and hinder recovery, Albabat terminates selected processes (initially chrome.exe; from v0.3.0 also taskmgr.exe, code.exe, excel.exe, powerpnt.exe, winword.exe, msaccess.exe, mspub.exe, steam.exe, onedrive.exe, postgres.exe, mysqlworkbench.exe, outlook.exe, windowsterminal.exe, sublime_text.exe, and cs2.exe) and stops database services (MySQL57/80/82 and postgresql-x64-14/15). Version 0.3.3 further modifies the Windows hosts file to block many security and vendor sites (e.g., malware-guide[.]com, www[.]pcrisk[.]com) and may read/modify application data such as Electrum wallets, JetBrains settings, and OneDrive local data.
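The process-termination and service-stop behaviour described above is a useful behavioural signal because the kills arrive as a burst from one parent. Below is an added example written for this page, not FortiGuard Labs code, that applies a sliding-window rule to a stream of endpoint events: it alerts when three or more of the targeted processes are terminated within a short window, or when any targeted process termination coincides with a stop of one of the named database services. The one-line-per-event log format, the timestamps and the event lines themselves are constructed assumptions; in practice the parser would be replaced by whatever your EDR or Sysmon pipeline emits, and the process/service lists are exactly those the report names.

```python
"""Kill-burst detector for Albabat-style process/service termination
(added example, not vendor code). Works on a constructed event log."""
import re
from datetime import datetime, timedelta

# Processes the report says v0.3.0+ terminates.
TARGET_PROCS = {
    "chrome.exe", "taskmgr.exe", "code.exe", "excel.exe", "powerpnt.exe",
    "winword.exe", "msaccess.exe", "mspub.exe", "steam.exe", "onedrive.exe",
    "postgres.exe", "mysqlworkbench.exe", "outlook.exe", "windowsterminal.exe",
    "sublime_text.exe", "cs2.exe",
}
# Services the report says v0.3.0+ stops.
TARGET_SERVICES = {"MySQL57", "MySQL80", "MySQL82", "postgresql-x64-14", "postgresql-x64-15"}

# Assumed log format: "<ISO8601 UTC> <process_terminated|service_stopped> <name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>process_terminated|service_stopped) (?P<name>\S+)$")


def parse_events(lines) -> list[tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, kind, name); malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("kind"), m.group("name")))
    return events


def detect_kill_burst(events, window_seconds: int = 60, min_procs: int = 3) -> list[dict]:
    """Sliding-window rule over time-ordered events.

    Alert when, within `window_seconds` of some event, at least `min_procs`
    distinct targeted processes were terminated, or any targeted process was
    terminated and a targeted database service was stopped. After an alert
    the window start jumps past the burst so one burst yields one alert.
    """
    events = sorted(events, key=lambda e: e[0])
    window = timedelta(seconds=window_seconds)
    alerts = []
    i, n = 0, len(events)
    while i < n:
        procs, services = set(), set()
        j = i
        while j < n and events[j][0] - events[i][0] <= window:
            _, kind, name = events[j]
            if kind == "process_terminated" and name.lower() in TARGET_PROCS:
                procs.add(name.lower())
            elif kind == "service_stopped" and name in TARGET_SERVICES:
                services.add(name)
            j += 1
        if len(procs) >= min_procs or (procs and services):
            alerts.append({
                "start": events[i][0],
                "processes": sorted(procs),
                "services": sorted(services),
            })
            i = j  # skip the rest of this burst
        else:
            i += 1
    return alerts


# Constructed sample log: one burst, then an unrelated single termination.
SAMPLE_LOG = """2024-05-02T09:15:01Z process_terminated chrome.exe
2024-05-02T09:15:01Z process_terminated taskmgr.exe
2024-05-02T09:15:02Z process_terminated excel.exe
2024-05-02T09:15:02Z process_terminated notepad.exe
2024-05-02T09:15:03Z service_stopped MySQL80
2024-05-02T09:15:04Z service_stopped postgresql-x64-15
2024-05-02T11:00:00Z process_terminated chrome.exe
"""

if __name__ == "__main__":
    for alert in detect_kill_burst(parse_events(SAMPLE_LOG.splitlines())):
        print(alert)
```

Tune `window_seconds` and `min_procs` against your own baseline: closing Chrome and Excel at the end of the day is normal, closing a dozen named applications plus a database service inside a few seconds is not.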

Behavioral artifacts and IOCs tied to observed samples include the listed SHA256 hashes, the .abbt extension on encrypted files, the presence of files dropped under %USERPROFILE%\Albabat (ekey, README.html, logs, wallpaper), and the hosts-file entries introduced by v0.3.3. Ransom notes instruct victims to contact the attacker (0.0015 BTC requested) and include a translation option; no confirmed data exfiltration was observed in the analyzed samples. Read more: https://feeds.fortinet.com/~/866013446/0/fortinet/blog/threat-research~Ransomware-Roundup-Albabat