
Albabat Ransomware

Albabat is a specific type of malware categorized as ransomware due to its characteristic behavior. This threatening software operates by encrypting files on an infected system. As part of its encryption process, Albabat appends the '.abbt' extension to the original filenames, thereby altering the file format. Additionally, Albabat exhibits further visual impact on the infected system by modifying the desktop wallpaper. To communicate with the victim and make ransom demands, the malware generates a 'README.html' file, serving as a ransom note.

The renaming pattern Albabat applies to encrypted files is consistent: a file initially named '1.png' becomes '1.png.abbt', '2.jpg' becomes '2.jpg.abbt', and so forth. This renaming convention is a distinctive hallmark of Albabat's file encryption process and serves as an identifier for the type of ransomware affecting the compromised files.

The Albabat Ransomware Can Lock a Wide Range of File Types to Demand a Ransom

Albabat's desktop wallpaper displays a message alerting the victim to the encryption of some of their files and guides them to seek further information in the 'README.html' file. This file is specifically located within the 'Albabat' folder, situated in the users' root directory on their computers.

For Windows users, the path is %USERPROFILE%\Albabat\readme\README.html, and Linux users are instructed to find it at $HOME/Albabat/readme/README.html. The file stresses one crucial detail: the encrypted files can only be decrypted with a private key held exclusively by the attacker. The victim is explicitly warned against any action that could lose or alter the 'Albabat.ekey' key file, such as deleting or renaming it.

The ransom note further provides contact information via email (albabat.help@protonmail.com), instructing victims to reach out only after completing the payment process. Specifics about the payment, such as a Bitcoin address and the designated amount (0.0015 BTC), are outlined.

The note stresses that regaining access to the encrypted files is typically impossible without the attackers' decryption tool. Even so, paying the ransom is strongly discouraged: victims frequently receive nothing in return despite the perpetrators' promises.
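The artifacts described above (the '.abbt' extension appended to encrypted files, and the 'Albabat' folder in the user's home directory holding readme/README.html, Albabat.ekey and personal_id.txt) are enough to triage a host. The following is an added example written for this page, not tooling from the vendor or the malware author; it scans a directory tree for those indicators and maps encrypted names back to their originals, and the sample profile it builds is constructed test data.

```python
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".abbt"
# Files the write-up says Albabat drops under <home>/Albabat/ (log name comes from the note).
ALBABAT_ARTIFACTS = ("readme/README.html", "Albabat.ekey", "personal_id.txt", "Albabat_Logs.log")

def find_encrypted_files(root):
    """Return (encrypted_path, original_name) pairs; '1.png.abbt' maps back to '1.png'."""
    hits = []
    for path in Path(root).rglob("*" + ENCRYPTED_EXT):
        if path.is_file():
            hits.append((str(path), path.name[:-len(ENCRYPTED_EXT)]))
    return sorted(hits)

def find_dropped_artifacts(home):
    """Report which known artifacts exist in the user's Albabat folder ({} if absent)."""
    folder = Path(home) / "Albabat"
    if not folder.is_dir():
        return {}
    return {name: (folder / name).is_file() for name in ALBABAT_ARTIFACTS}

def triage(home, scan_root=None):
    """Combine both checks; encrypted files are searched under scan_root (default: home)."""
    encrypted = find_encrypted_files(scan_root or home)
    artifacts = find_dropped_artifacts(home)
    return {"infected": bool(encrypted) or any(artifacts.values()),
            "encrypted": encrypted, "artifacts": artifacts}

def build_sample_host(base):
    """Constructed sample profile mimicking the page's artifacts (not real infection data)."""
    home = Path(base) / "victim"
    (home / "Albabat" / "readme").mkdir(parents=True)
    (home / "Albabat" / "readme" / "README.html").write_text("<html>note</html>")
    (home / "Albabat" / "Albabat.ekey").write_bytes(b"\x00" * 32)
    (home / "Albabat" / "personal_id.txt").write_text("SAMPLE-ID")
    (home / "Documents").mkdir()
    for name in ("1.png.abbt", "2.jpg.abbt"):
        (home / "Documents" / name).write_bytes(b"\xff" * 16)
    (home / "Documents" / "notes.txt").write_text("untouched")
    return str(home)

def run_demo():
    """Triage the constructed host and an empty profile; returns both result dicts."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = triage(build_sample_host(tmp))
        clean = Path(tmp) / "clean"
        clean.mkdir()
        return infected, triage(str(clean))
```

On a real host, call `triage` with the user's profile directory and, if mounted drives are in scope, a broader `scan_root`; the original-name column is useful when matching encrypted files against backups.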

Important Security Measures to Be Used Against Ransomware Infections

Protecting against ransomware infections requires a multi-layered approach involving various security measures. Here are six important measures to help safeguard against ransomware:

  • Back Up Your Data Regularly: Regularly back up critical data to an offline or cloud-based storage solution. In the event of a ransomware infection, up-to-date backups allow data to be restored without paying the ransom. Automated backup systems with versioning are particularly effective.
  • Employee Training and Awareness: Conduct regular cybersecurity awareness training for employees to educate them about the risks of phishing emails, unsafe links and suspicious attachments. Ensure that employees are cautious and vigilant when interacting with emails and other online content to prevent inadvertent malware infections.
  • Use of Security Software: Employ robust security software, including anti-malware solutions, to detect and block ransomware threats. Keep these tools updated so they can recognize and mitigate the latest ransomware strains. Endpoint protection solutions add an extra layer of defense.
  • Network Segmentation: Implement network segmentation to separate critical systems and private data from the rest of the network. This limits the lateral movement of ransomware within the network and reduces the impact of an infection.
  • Patch and Update Systems: Regularly update operating systems, software and applications to patch known vulnerabilities. Ransomware often exploits security flaws in outdated systems. Automated patch management tools help streamline this process and ensure that all systems stay up to date.
  • Email and Attachment Filtering: Use email filtering solutions to block phishing emails and filter out unsafe attachments. Many ransomware attacks begin with a phishing email, and blocking such emails at the gateway prevents the malware from reaching end users.

In addition to these measures, it's crucial to have an incident response plan in place. This plan should include steps for quickly identifying, isolating and mitigating the impact of a ransomware attack. Regularly testing the plan through simulations or drills helps ensure it works when a real threat arises. Fostering a security-conscious culture within the organization is also essential for maintaining an ongoing commitment to cybersecurity best practices.

The full text of the ransom note presented by the Albabat Ransomware is:

'Top | About | Payment | Contact | Decryption | FAQ | Translator
Albabat Ransomware
version: 0.3.0
87 files on your machine have been encrypted!
Your PERSONAL ID:


::> How important are your files to you?
Read this document for information on what happened and how to recover your files again.

[+] 1 - ABOUT "Albabat Ransomware" [+]
The "Albabat Ransomware" is a cross-platform ransomware that encrypts various files important to the USER on computer storage disks using symmetric encryption algorithm with military-grade identification.

The "Albabat Ransomware" will automatically create a folder called "Albabat" in your machine's user directory, but precisely in: "C:\Users**\Albabat\".

IT IS RECOMMENDED to make a BACKUP of the ENTIRE "C:\Users**\Albabat\" folder, as it contains important files for recovering your files, which will be explained later in this document about each of them.

This folder also contains these same note documents, in: "C:\Users**\Albabat\readme\README.html".

1.1 - THE KEY TO CRYPTOGRAPHY
Your files were encrypted with a KEY that was stored in the file "Albabat.ekey". Present in the "C:\Users**\Albabat\" directory. However, this KEY was also ENCRYPTED with a PUBLIC KEY (asymmetric encryption), which means that it requires a PRIVATE KEY to be decrypted, and only I (tH3_CyberXY) have the PRIVATE KEY to perform this decryption, so that you can use the KEY "Albabat.key" in recovering your files.

There is no way to decrypt your files without my data decryption service.

There is no way to decrypt the files without decrypting the "Albabat.ekey" key.

Don't delete, don't rename, don't lose the "Albabat.ekey" key.

1.2 - YOUR PERSONAL ID
Just like "Albabat.ekey", the PERSONAL ID is important in the process of decrypting your files, which will be used in the decryptor, which will be discussed later in the "DECRYPTION PROCESS" section.

This number maintains a unique identity in your machine's encryption process. In addition to being informed in this document, your PERSONAL ID will also be printed in the "personal_id.txt" file in "C:\Users**\Albabat\".

Do not lose your PERSONAL ID, just as you should NOT lose the "Albabat.ekey" key.

1.3 - THE ENCRYPTION PROCESS
Encrypted files have the extension ".abbt".

Don't try to rename it, it won't work. On the contrary, you may corrupt your files.

The size of the files that the "Albabat Ransomware" encrypts is a maximum of 5 Megabytes (MB).

The "Albabat Ransomware" randomly recursively traverses all directories it does not belong to the operation of the Operating System. Encrypts files in the user directory, even database locations and drives mounted on the machine if any.

The "Albabat Ransomware" only encrypts files that are relevant. The Operating System and binary files will be intact. We didn't choose that.

The "Albabat Ransomware" saves a log file named "Albabat_Logs.log" in the "C:\Users**\Albabat\" directory. This file you can see all files that were encrypted by "Albabat Ransomware" in path form.

[+] 2 - HOW TO CONTACT [+]
These are the only ways to get in touch to recover your files. Any other form found on the internet will be fake.

Contact methods:

Email:

albabat.help@protonmail.com


NOTE: Please contact ONLY if you have made payment. Any other type of contact other than this nature will be ignored.
[+] 3 - PAYMENT [+]
The decryption process is PAID in Bitcoin, so you need to have a Bitcoin balance on a cryptocurrency exchange or in a cryptocurrency wallet to make the deposit.

You may want to read the FAQ page to know what Bitcoin is.

Payment data:

Bitcoin address:

bc1qxsjjna67tccvf0e35e9z79d4utu3v9pg2rp7rj


Amount to pay:

0,0015 BTC

To make payment and restore your files, follow these steps -

(1) Write down the data to make the transfer via the Bitcoin address and the AMOUNT to pay specified above.

Note: Remembering that the price of Bitcoin may vary monetarily depending on when you make the payment.
(2) - Once you make the payment to the Bitcoin address above, send an email with a structure similar to this:

Subject: Albabat Ransomware - I did the payment!

Message: Hello, I made the payment. My BTC address where I made the payment is "xxx". The version of the "Albabat Ransomware" running on my machine was "0.3.0".

Follow the attached KEY "Albabat.ekey".

IMPORTANT: Payment will be verified using YOUR BTC ADDRESS ("xxx") from which the transaction was carried out, so it is IMPORTANT to inform it when sending this email.

It is also IMPORTANT that you send the KEY "Albabat.ekey" as an attachment, regardless of the contact method you chose. The key will be decrypted for you.

You will receive in your email the KEY "Albabat.key", that is, the KEY "Albabat.ekey" decrypted, and the decryptor "decryptor.exe" attached (zipped).

Note: After payment, you will receive the KEY "Albabat.key" and "decryptor.exe" within 24 hours, but it may vary by more or less depending on my availability times and the amount of demands I receive. Be patient.
[+] 4 - DECRYPTION PROCESS [+]

To decrypt your files follow the steps below:

(1) Place the "Albabat.key" that you received by email, inside the "C:\Users**\Albabat\" directory, or, if you prefer, keep it in the same directory as "decryptor.exe".

IMPORTANT: At this point, it is very important that you close all open Explorer windows and heavy programs, to prevent "decryptor.exe" from crashing and/or having poor performance.

And also disable your ANTIVIRUS PERMANENTLY so that it does not interfere with the decryption process.

(2) Run "decryptor.exe" and enter YOUR PERSONAL ID, then press ENTER. An alert message will appear informing you that the decryption started, just click Ok.

Note: If you are on Linux, open a terminal and run from the command line to see the process.

E.g: ./decryptor

(3) Wait for the decryption completion message to be displayed in console, this may take a while depending on the quantity of files that have been encrypted and power of your machine. You can see the decryption process by I live from your files, if I have time for that.

(4) After decryption is complete, all your files will be restored and the decryption log file "Albabat_Logs.log". will be created in the decryptor directory.

If you have further questions, such as: "How can I be sure my files can be decrypted?", you can read the FAQ page.

Copyright (c) 2021-2023 Albabat Ransomware - All Right Reserved. Maintained by: tH3_CyberXY.'

The ransom message shown as a desktop background is:

'Albabat RANSOMWARE

Several of your files have been encrypted!

To find out more details about what happened and rescue your files, read the "README.html" file in the "Albabat" folder located in the user root of your computer:

Windows: %USERPROFILE%\Albabat\readme\README.html

Linux: $HOME/Albabat/readme/README.html'
