Researchers have uncovered new and evolving versions of the Albabat ransomware, which now target Windows, Linux, and macOS systems. These updated variants (v2.0.0 and v2.5) mark a notable expansion from the ransomware’s initial Windows-only focus and use GitHub for storing and delivering configuration data. By retrieving its settings through GitHub’s REST API with the HTTP User-Agent header set to “Awesome App,” Albabat can change its configuration without redeploying the binary and adapt its behavior on the fly. These versions encrypt a wide range of file extensions while skipping specific directories and system-critical files so the host remains bootable. They also terminate a list of running processes, most likely to disable user defenses and release file locks so that encryption succeeds. Additionally, Albabat collects system and user information and uploads it to a PostgreSQL database hosted on Supabase, which lets the operators track infections and ransom payments.
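The GitHub-hosted configuration described above leaves a network-level trace: a request to the GitHub REST API carrying the unusual User-Agent “Awesome App”. The following detection logic is an added example, not code from the researchers or from the malware itself. It scans web-proxy log lines in a constructed format (timestamp, source IP, method, URL, status, quoted User-Agent) and flags the direct indicator, then correlates any later POST from the same source to a `*.supabase.co` host as a lower-confidence hit. The `.supabase.co` suffix and the correlation step are assumptions added here; the report gives no host or User-Agent for the Supabase upload.

```python
import re

# Assumed proxy log layout (constructed for this example, not a real product format):
#   <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

GITHUB_API_HOST = "api.github.com"  # GitHub REST API endpoint
SUSPECT_UA = "Awesome App"          # User-Agent reported for Albabat's config fetch
SUPABASE_SUFFIX = ".supabase.co"    # assumption: hosted Supabase projects live under this domain


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Lower-cased host component of a URL, or '' if the URL has no scheme/host."""
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#:]+)", url)
    return m.group(1).lower() if m else ""


def scan(lines):
    """Scan log lines and return (github_hits, correlated_hits).

    github_hits:     (src, ts, url) for requests to api.github.com whose
                     User-Agent is exactly 'Awesome App' (direct indicator).
    correlated_hits: (src, ts, url) for POSTs to *.supabase.co from a source
                     that already produced a github_hit (added heuristic, since
                     the report does not give the host or User-Agent of the
                     Supabase upload).
    """
    github_hits = []
    correlated_hits = []
    seen_github = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash the scan
        host = host_of(rec["url"])
        if host == GITHUB_API_HOST and rec["ua"] == SUSPECT_UA:
            github_hits.append((rec["src"], rec["ts"], rec["url"]))
            seen_github.add(rec["src"])
        elif (host.endswith(SUPABASE_SUFFIX)
              and rec["method"] == "POST"
              and rec["src"] in seen_github):
            correlated_hits.append((rec["src"], rec["ts"], rec["url"]))
    return github_hits, correlated_hits


# Constructed sample log lines (not real telemetry; owner/repo names are placeholders).
SAMPLE_LOG = """\
2025-03-10T09:12:01Z 10.0.0.7 GET https://api.github.com/repos/example-owner/example-repo/contents/cfg.json 200 "Awesome App"
2025-03-10T09:12:05Z 10.0.0.7 POST https://example-project.supabase.co/rest/v1/victims 201 "Mozilla/5.0"
2025-03-10T09:13:00Z 10.0.0.9 GET https://api.github.com/repos/some-org/some-tool/releases 200 "curl/8.4.0"
2025-03-10T09:14:00Z 10.0.0.9 POST https://other-project.supabase.co/rest/v1/events 201 "Mozilla/5.0"
2025-03-10T09:15:00Z 10.0.0.7 GET https://github.com/example-owner/example-repo 200 "Awesome App"
"""


def scan_sample():
    """Run the scanner over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    github_hits, correlated_hits = scan_sample()
    for src, ts, url in github_hits:
        print(f"[HIGH] {ts} {src} GitHub API fetch with 'Awesome App' UA: {url}")
    for src, ts, url in correlated_hits:
        print(f"[MED]  {ts} {src} Supabase POST after GitHub indicator: {url}")
```

Only the first request is a direct hit: the third line also talks to the GitHub API but with a normal User-Agent, and the fifth line carries the suspect User-Agent but goes to github.com rather than the REST API host, so neither is flagged. The Supabase POST from 10.0.0.7 is reported only because that source had already matched the direct indicator; the identical-looking POST from 10.0.0.9 is not.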
The ransomware’s operators maintain a private GitHub repository under the alias "Bill Borguiann" to host the configuration files the malware depends on, and the repository’s development logs point to an ongoing and structured coding effort. A notable addition in version 2.5 is the inclusion of cryptocurrency wallet addresses for Bitcoin, Ethereum, Solana, and BNB, though no transactions to those addresses had been observed at the time of the report.