Albabat Ransomware Exploits GitHub

While hackers typically stick to one platform, the developers behind Albabat ransomware clearly wanted more bang for their buck. First spotted in November 2023, this nasty piece of malware has evolved from targeting only Windows systems to a cross-platform nightmare. Thanks to being written in Rust, it now infects Windows, Linux, and macOS with equal enthusiasm. Lucky us.

Trend Micro researchers identified versions 2.0.0 and 2.5 in the wild, showing Albabat’s creators aren’t exactly taking time off. The ransomware encrypts files with popular extensions like .exe, .lnk, .dll, and .mp3, then slaps a charming “.abbt” extension on them. Victims get treated to a changed desktop wallpaper and a “README.html” file demanding payment. How thoughtful.

These cybercriminals are no dummies. They’re using a private GitHub repository under the alias “Bill Borguiann” to store configurations and components. Created in February 2024 and updated as recently as February 2025, the repository shows frequent commits. Apparently, GitHub makes a great accomplice.

Cybercriminals hiding in plain sight on GitHub—because nothing says professional malware development like regular code commits.

When Albabat infects a system, it’s not just encrypting files. It’s also gathering system information and exfiltrating data to a PostgreSQL database. This helps attackers track infections, monitor payments, and potentially sell victims’ data on the side. Double-dipping at its finest. Organizations facing this threat should implement tactical intelligence to better understand the technical details behind this evolving malware.

Victims are instructed to cough up 0.0015 BTC to a specific wallet and contact [email protected]. The newer 2.5 version added wallets for Ethereum, Solana, and BNB. No transactions in these new wallets yet, but clearly, they’re expecting business to boom. The ransomware deliberately skips certain system files like ntuser.dat and Thumbs.db so the infected machine stays operational, and it only encrypts files of 5 MB or less, focusing mostly on user directories while sparing operating system files.
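As an added triage check that is not part of the original article: a short Python script that walks a directory tree for the name-based traces described above (the appended .abbt extension and the dropped README.html note), recovers the original extensions of renamed files, and reports the directories where note and encrypted files sit together. The sample tree it builds is constructed for illustration; a name match is a lead for investigation, not a verdict.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get an added ".abbt"
# extension, a "README.html" ransom note is dropped, and system files such as
# ntuser.dat and Thumbs.db are left alone. Name-based only: fast triage.
ENCRYPTED_SUFFIX = ".abbt"
RANSOM_NOTE = "README.html"


def scan_for_albabat_traces(root):
    """Walk `root` and report name-based evidence consistent with Albabat.

    Returns relative paths of ".abbt" files and ransom notes, the original
    extensions that were renamed, and directories holding both a note and
    encrypted files (the strongest signal for a triage queue).
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root)
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
            elif name == RANSOM_NOTE:
                notes.append(rel)
    # Strip ".abbt" to recover the original file name and its extension.
    original_exts = sorted({Path(p.name[:-len(ENCRYPTED_SUFFIX)]).suffix for p in encrypted})
    both = sorted({p.parent for p in encrypted} & {n.parent for n in notes})
    return {
        "encrypted": sorted(str(p) for p in encrypted),
        "notes": sorted(str(p) for p in notes),
        "original_extensions": original_exts,
        "directories_with_both": [str(d) for d in both],
    }


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    base = Path(tempfile.mkdtemp())
    (base / "docs").mkdir()
    (base / "docs" / "report.dll.abbt").write_bytes(b"\x00" * 32)  # constructed
    (base / "docs" / "song.mp3.abbt").write_bytes(b"\x00" * 32)    # constructed
    (base / "docs" / RANSOM_NOTE).write_text("<html>pay</html>")    # constructed
    (base / "docs" / "Thumbs.db").write_bytes(b"\x00")              # skipped by Albabat
    (base / "music").mkdir()
    (base / "music" / "untouched.mp3").write_bytes(b"\x00")         # never renamed
    return scan_for_albabat_traces(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```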

Organizations can protect themselves with strong access controls, regular patches, proper backups, and multifactor authentication. Employee training helps too. But let’s be real – Albabat’s rapid evolution suggests its creators aren’t planning to slow down anytime soon. Cross-platform ransomware? That’s just what 2025 needed.
