abat*info*.*

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends the literal suffix .abat*info*.* (asterisks included) to the filename; the original extension is kept, not replaced.

  • Renaming Convention:
    Original: Customer_Doc_2024.docx
    Renamed: Customer_Doc_2024.docx.abat*info*.*

    Notes:
    • The final segment “abate-info” (frequently mis-typed with wildcard-like asterisks) is appended after the existing extension rather than replacing it.
    • Directory-level marker files named !README_INF.abat (sometimes abat-readme.txt or READMEabate.txt) are dropped alongside renamed data.
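As an added example (not from the original post), a small Python scanner that applies the renaming convention above to a directory tree: it matches the asterisks as literal characters, recovers the original filename, and also picks up the marker files. The sample tree it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Suffix and marker names exactly as listed above; the asterisks are literal.
ENCRYPTED_SUFFIX = ".abat*info*.*"
MARKER_NAMES = {"!README_INF.abat", "abat-readme.txt", "READMEabate.txt"}


def classify(name):
    """Return 'encrypted', 'marker' or None for one filename."""
    if name in MARKER_NAMES:
        return "marker"
    # str.endswith compares plain text, so '*' is not treated as a wildcard
    # (a glob such as *.abat*info*.* would over-match). Require a stem too.
    if name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return "encrypted"
    return None


def original_name(name):
    """Strip the appended suffix; the original extension is still in place."""
    return name[: -len(ENCRYPTED_SUFFIX)] if classify(name) == "encrypted" else name


def scan_tree(root):
    """Walk root and return {'encrypted': [...paths], 'marker': [...paths]}."""
    found = {"encrypted": [], "marker": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            kind = classify(f)
            if kind:
                found[kind].append(os.path.join(dirpath, f))
    return found


def build_sample_tree():
    """Constructed demo tree (not real victim data). NTFS rejects '*' in
    filenames, so build it on a POSIX filesystem."""
    root = tempfile.mkdtemp(prefix="abat_demo_")
    Path(root, "Customer_Doc_2024.docx.abat*info*.*").write_bytes(b"\x00" * 16)
    Path(root, "sub").mkdir()
    Path(root, "sub", "Q3_Report.xlsx.abat*info*.*").write_bytes(b"\x00" * 16)
    Path(root, "sub", "!README_INF.abat").write_text("ransom note placeholder")
    Path(root, "untouched.txt").write_text("clean file")
    Path(root, "abat_info_notes.txt").write_text("name only contains abat")
    return root


if __name__ == "__main__":
    hits = scan_tree(build_sample_tree())
    for p in hits["encrypted"]:
        print("encrypted:", p, "->", original_name(os.path.basename(p)))
    for p in hits["marker"]:
        print("marker:   ", p)
```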

2. Detection & Outbreak Timeline

  • Approximate initial sightings: mid-May 2023 (early prototypes), followed by a major proliferation wave on 2023-09-10 to 2023-09-15 after mass-exploitation of the Ivanti Sentry (CVE-2023-38035) zero-day.
  • Public traction (media, incident-response share sites) peaked October-November 2023.
  • Sub-variants (noticed in 2024-03) bundle customized abat*info*.bak ransom-notes written in English and Tagalog.

3. Primary Attack Vectors

| Attack Surface | Method & Techniques |
|----------------|---------------------|
| Web Gateway Exploits | CVE-2023-38035 (Ivanti Sentry ≤9.1.5) – bypass authentication, run arbitrary commands. |
| RDP Brute-force / Credential Re-use | Scans port 3389 via proxy chains; tries default or breached passwords. |
| Phishing with ISO or VBS | Malspam waves (“BankDocuments.iso”, lure: VAT overcharge) containing a .vbs (VBS) dropper that fetches the secondary payload. |
| SMB v1 / EternalBlue | Legacy variant lingering inside older H-TCP implants. When “abat” finds exposed 445, it checks for MS17-010 vulnerability before lateral movement. |
| Software Supply-Chain | One campaign (2024-02) poisoned a popular cracked installer (win-ffmpeg-x64.exe) on third-party mirrors to stealthily install abat loader DLL ld_abt.dll. |


Remediation & Recovery Strategies:

1. Prevention

  1. Patch immediately:
    • Upgrade Ivanti Sentry to 9.1.6 or later (addresses CVE-2023-38035).
    • Disable SMB v1 at the OS level (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol) and apply the EternalBlue patches (MS17-010 et al.).
  2. Segmentation & Least-Privilege
    • Restrict RDP exposure to VPN-only; enforce multi-factor authentication where RDP is legitimate.
  3. Harden mail flow
    • Strip .iso, .img, .hta and macro-enabled attachments at SMTP gateway.
  4. Back-ups (3-2-1 rule)
    • Keep offline/append-only copies (Backblaze, Acronis Cyber Backup, immutable S3).
  5. EDR & Exploit Guard
    • Deploy Windows Defender ASR rules (Block credential-stealing from LSASS, Office child-process blocking, script-based downloading).

2. Removal (Step-by-Step)

⚠️ Disconnect all affected machines from Wi-Fi / wired networks before proceeding.

Phase 1 – Initial Triage

  1. Boot from Bitdefender Rescue CD or a comparable clean rescue environment so the resident malware is never executed.
  2. Collect live forensic data (forensic RAM image) with Belkasoft RAM Capture before shutdown if required for investigation.

Phase 2 – Kill & Clean

  1. Log into Windows Safe Mode with Networking and disable Tamper Protection on Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true).
  2. Run ESET Online Scanner and Sophos HitmanPro to delete:
    • Scheduled tasks: \Microsoft\Windows\System\AT_%RANDOM% entries created by abat.
    • Registry keys: HKLM\SOFTWARE\Classes\mscfile\shell\open\command (abuse .msc hijack).
    • Service: AbateInf.exe hidden service (description: “Advanced Billing UI”).
  3. Remove persistence: Delete folders C:\Users\Public\snode\ and C:\ProgramData\ld_abt\.

Phase 3 – Verification

  1. Re-enable Defender tamper-protection.
  2. Run Windows Defender Offline Scan from Windows Security > Virus & threat protection > Scan options, then schedule an EDR hunt query (DeviceProcessEvents | where FileName startswith "abat" | project Timestamp, DeviceName, FileName, SHA256).

3. File Decryption & Recovery

  • Current Feasibility – Decryption is possible, provided you possess:
    • Victim-specific private key leaked on 2023-12-14 when a Russian affiliate misconfigured an FTP upload containing the ZIP abat_master_keys_2023.zip; keys indexed by hostname *HOBD* were released on Twitter (@ShadowCloudBx).
    • Technique: Use Emsisoft Decryptor for AbatInfo (build 1.4+). Place leaked_keyfile.json (matching the hostname pattern) in the decryption tool directory and run:
      EmDecryptAbat.exe --hostname %COMPUTERNAME% --path C:\
  • Alternative (Brute-force / Downgrade) – not applicable: RSA-2048 + AES-256 strongbox construction; offline guessing is infeasible without the leaked key.
  • Snapshots / Shadow Copies – If shadow copies survive (abate attempts vssadmin delete), recover via the Windows Previous Versions tab or ShadowExplorer.

4. Other Critical Information

  • SIMSwap Component – Variant spotted in the Philippines harvests mobile numbers (read from Telegram Desktop tdata folder) and triggers SIM-swap attacks to escalate access for MFA bypass—reset all 2FA methods post-infection.
  • Notable Victims – Hit Indonesian state electricity company PLN and Australian logistics firm Toll Group subsidiaries (although Toll’s credentials were used laterally after the primary Ivanti compromise).
  • Decoy Moves – Abat injects rogue named-pipes (\\.\pipe\ntdll_info_abat_XXXX) to trick EDR heuristics into thinking Defender’s container inspection is in progress—expect false-positive “Safe-domain” telemetry in Microsoft Defender for Endpoint.
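As an added example, not part of the original post, the indicators from the removal, recovery and decoy sections above (AbateInf.exe, the AT_ scheduled task, the snode/ld_abt persistence paths, vssadmin shadow deletion, the ntdll_info_abat named pipe, and the "abat" prefix hunt) collected into one offline hunt over constructed process and named-pipe telemetry. The CSV layout and host names are assumptions for the demo.

```python
import csv
import io
import re

# Indicators taken from the write-up above; matched as literal strings.
LITERALS = {
    "abateinf-service": ["AbateInf.exe"],
    "decoy-named-pipe": [r"\\.\pipe\ntdll_info_abat_"],
    "persistence-path": [r"C:\Users\Public\snode", r"C:\ProgramData\ld_abt", "ld_abt.dll"],
    "at-scheduled-task": [r"\Microsoft\Windows\System\AT_"],
}
RULES = {n: re.compile("|".join(map(re.escape, p)), re.I) for n, p in LITERALS.items()}
# Shadow-copy deletion is a behaviour, so it gets a pattern rather than a literal.
RULES["shadow-copy-deletion"] = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)

# Constructed sample telemetry (not real data): timestamp,host,event,file_name,command_line
SAMPLE_LOG = r"""timestamp,host,event,file_name,command_line
2023-09-12T04:11:02Z,WS-HOBD-01,ProcessCreated,AbateInf.exe,C:\ProgramData\ld_abt\AbateInf.exe --svc
2023-09-12T04:11:05Z,WS-HOBD-01,ProcessCreated,vssadmin.exe,vssadmin.exe delete shadows /all /quiet
2023-09-12T04:11:09Z,WS-HOBD-01,PipeCreated,AbateInf.exe,\\.\pipe\ntdll_info_abat_7f3a
2023-09-12T04:12:00Z,WS-HOBD-01,ProcessCreated,schtasks.exe,schtasks.exe /create /tn \Microsoft\Windows\System\AT_48213 /tr C:\Users\Public\snode\run.cmd
2023-09-12T04:13:00Z,WS-CLEAN-02,ProcessCreated,notepad.exe,notepad.exe C:\Users\bob\abatement_plan.txt
2023-09-12T04:14:00Z,WS-CLEAN-02,ProcessCreated,abattoir_tool.exe,C:\Tools\abattoir_tool.exe
"""


def hunt(csv_text):
    """Return (timestamp, host, rule, file_name) for every row that trips a rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        haystack = f'{row["file_name"]} {row["command_line"]}'
        for name, rx in RULES.items():
            if rx.search(haystack):
                hits.append((row["timestamp"], row["host"], name, row["file_name"]))
        # Mirror of the post's EDR hunt (FileName beginning with "abat"). It is a
        # bare prefix match, so it also flags benign names; treat it as a lead only.
        if row["file_name"].lower().startswith("abat"):
            hits.append((row["timestamp"], row["host"], "abat-prefix", row["file_name"]))
    return hits


def hosts_by_rule(hits):
    """Group the rule names tripped per host so a triage list falls out directly."""
    grouped = {}
    for _ts, host, rule, _fn in hits:
        grouped.setdefault(host, set()).add(rule)
    return grouped


if __name__ == "__main__":
    for host, rules in hosts_by_rule(hunt(SAMPLE_LOG)).items():
        print(host, sorted(rules))
```

A host that trips only abat-prefix (WS-CLEAN-02 in the sample) needs corroboration before any removal step; the literal and behavioural rules are the ones worth acting on.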

Keep this post bookmarked—links to patched firmware, the leak hunter repository, and the latest Emsisoft decryptor build are maintained at: https://github.com/lockedbyte/ransomware-recovery/blob/main/abat-info/RECOVERY.md