Albabat Ransomware Evolves: Now Targets Linux, Windows, and macOS


A More Advanced Threat
Cybercriminals have upgraded Albabat ransomware, making it a more powerful and adaptable cyber threat. Trend Micro researchers recently discovered that Albabat 2.0 now expands beyond Windows to target Linux and macOS as well. This marks a shift toward cross-platform ransomware attacks, increasing the risk for a wider range of users.
In addition, researchers identified an upcoming version (2.5) in development. This future variant could introduce even more advanced capabilities for cybercriminals, making it crucial for organizations to stay vigilant.
How Albabat 2.0 Works
Unlike earlier versions, Albabat 2.0 incorporates several advanced techniques to maximize its impact. It uses a GitHub repository to store and deliver its configuration files, allowing the attackers to streamline their operations.
Some key attack mechanisms include:
✅ Targeted File Encryption – Encrypts specific files such as .bat, .com, .cmd, and .cpl.
✅ Process Termination – Terminates running processes such as Task Manager, Process Hacker, Regedit, Excel, and Word to evade detection.
✅ System Reconnaissance – Collects system and hardware details from Linux, macOS, and Windows for better attack execution.
✅ PostgreSQL Database Integration – Connects to a remote database to track infections, ransom payments, and stolen data.
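The process-termination behaviour listed above is something endpoint telemetry can surface. The following Python is an added example written for this article (not code from Trend Micro or from the malware): it flags any process that terminates several of the listed tools within a short window, while a user closing Excel and Word at different times stays below the threshold. The executable names, the event format and the sample events are constructed assumptions, not values from the report.

```python
import json
from collections import defaultdict

# Tools the article says Albabat 2.0 terminates. The image names are
# assumptions for those tools; they are not taken from the article.
KILL_TARGETS = {"taskmgr.exe": "Task Manager", "processhacker.exe": "Process Hacker",
                "regedit.exe": "Regedit", "excel.exe": "Excel", "winword.exe": "Word"}

# Constructed sample telemetry (not real logs): one JSON object per line in the
# shape of a generic EDR "process A terminated process B" event.
SAMPLE_EVENTS = """\
{"ts": 1000, "actor_pid": 4242, "actor_image": "update.exe", "target_image": "taskmgr.exe"}
{"ts": 1001, "actor_pid": 4242, "actor_image": "update.exe", "target_image": "processhacker.exe"}
{"ts": 1002, "actor_pid": 4242, "actor_image": "update.exe", "target_image": "regedit.exe"}
{"ts": 1003, "actor_pid": 4242, "actor_image": "update.exe", "target_image": "excel.exe"}
{"ts": 1004, "actor_pid": 4242, "actor_image": "update.exe", "target_image": "winword.exe"}
{"ts": 1500, "actor_pid": 777, "actor_image": "explorer.exe", "target_image": "excel.exe"}
{"ts": 3000, "actor_pid": 777, "actor_image": "explorer.exe", "target_image": "winword.exe"}
not json at all
"""

def parse_events(text):
    """Parse JSON-lines telemetry, skipping malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # blank or corrupt line: drop it, keep going
    return events

def detect_kill_bursts(events, window_seconds=60, min_targets=3):
    """One alert per acting process that terminates at least min_targets
    distinct listed tools inside any window_seconds span."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("target_image", "").lower() in KILL_TARGETS:
            by_actor[(e["actor_pid"], e["actor_image"])].append(e)
    alerts = []
    for (pid, image), hits in by_actor.items():
        hits.sort(key=lambda e: e["ts"])
        for i, first in enumerate(hits):  # slide a window over this actor's kills
            seen = {h["target_image"].lower() for h in hits[i:]
                    if h["ts"] - first["ts"] <= window_seconds}
            if len(seen) >= min_targets:
                alerts.append({"pid": pid, "image": image, "first_ts": first["ts"],
                               "tools": sorted(KILL_TARGETS[t] for t in seen)})
                break  # report each actor once
    return alerts
```

Running `detect_kill_bursts(parse_events(SAMPLE_EVENTS))` on the constructed sample yields a single alert for pid 4242, naming all five tools.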
GitHub as a Cybercrime Tool
Another alarming discovery is the ransomware’s use of GitHub for configuration storage. The repository, associated with an account named “Bill Borguiann”, has been active since February 27, 2024. Even though it remains private, attackers can still access it through an authentication token, making it a crucial part of their infrastructure.
The latest commit on February 22, 2025, indicates continuous updates. This suggests that cybercriminals are actively refining the malware, making it more sophisticated over time.
Albabat 2.5: A More Dangerous Variant?
Further investigation revealed that Albabat ransomware 2.5 is currently under development. Researchers discovered a new GitHub folder labeled 2.5.x, which contains a config.json file. Notably, this configuration includes updated cryptocurrency wallets for Bitcoin, Ethereum, Solana, and BNB.
Although no ransom transactions have been detected yet, these updates suggest that attackers are preparing new payment methods for future campaigns.
Conclusion: Strengthening Cyber Defenses
With its multi-OS targeting capabilities and GitHub-based distribution, Albabat ransomware is evolving into a more sophisticated and dangerous threat. Since cybercriminals are constantly refining their tools, organizations must enhance their security defenses, adopt robust backup strategies, and stay informed about emerging ransomware trends.