Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations

By decoding it, we can better understand the configuration of the ransomware.

The Albabat version ignores the following folders: Searches, AppData, $RECYCLE.BIN, System Volume Information, windows.old, steamapps, perflogs, ansel, tmp, node_modules, cache, vendor, target, Mozilla, venv, env, Chrome, google-chrome, pypoetry, vimfiles, viminfo, site-packages, scoop, go, and temp. 

This version also encrypts the following extensions: ~$, .src, .ico, .cur, .theme, .themepack, .bat, .com, .cmd, .cpl, .prf, .icls, .idx, .mod, .pyd, .vhdx, ._pth, .hta, .mp3, .CHK, .pickle, .pif, .url, .ogg, .tmp, .dat, .exe, .lnk, .win, .vscdb, .bin, .cab, .inf, .lib, .tcl, .cat, .so, .msi, .vpk, .vc, .cur, .ini, .bik, .sfx, .xnb, .ttf, .otf, .woff, .woff2, .vfont, .resource, .N2PK, .log, .pkg, .desktop, .dll, .pkr, .arc, .sig, .bk2, .arz, .swf, .qt, .wma, .mp2, .vdf, .pdb, .nfo, .whl, .mui, .srm, .smc, .dic, .lock, .pyc, .TAG, .locale, .store, .sdi, .library-ms, .acf, .po, and .mo. 

It also skips the following files: ntuser.dat, ntuser.ini, iconcache.db, Thumbs.db, and .DS_Store. 

In addition, it kills the following processes: taskmgr.exe, processhacker.exe, regedit.exe, code.exe, excel.exe, powerpnt.exe, winword.exe, msaccess.exe, mspub.exe, msedge.exe, virtualboxvm.exe, virtualbox.exe, chrome.exe, cs2.exe, steam.exe, postgres.exe, mysqlworkbench.exe, outlook.exe, mysqld.exe, windowsterminal.exe, powershell.exe, cmd.exe, sublime_text.exe, microsoft.photos.exe, and photosapp.exe.

The configuration details show where the ransomware stores data collected from the victim’s machine. It connects to a PostgreSQL database at the following address:

postgres://postgres.<username>:<password>@aws-0-us-west-1.pooler.supabase[.]com:5432/postgres

Read More HERE