Recent findings by security researchers suggest that the new White Rabbit ransomware is linked to the FIN8 hacking group. FIN8 is a financially motivated actor that targets financial organizations by deploying point-of-sale (POS) malware capable of stealing credit card details.
Michael Gillespie, a ransomware expert, was the first to tweet about White Rabbit ransomware, asking for a sample of the malware.
🔒 #Ransomware Hunt: “White Rabbit” with extension “.scrypt”, drops note for each encrypted file with “<filename>.scrypt.txt” with victim-specific information: https://t.co/ZjVay8A3Ch
“Follow the White Rabbit…” 🐰🤔 pic.twitter.com/lhzHi5t1KK
— Michael Gillespie (@demonslay335) December 14, 2021
The White Rabbit ransomware executable is a small payload (a 100 KB file) that requires a password to be supplied on the command line in order to decrypt the malicious payload. Requiring a password at execution is a technique previously used by other ransomware operations such as Egregor, MegaCortex, and SamSam.
Once executed with the correct password, the ransomware scans all folders on the device and encrypts the targeted files, creating a ransom note for each file it encrypts.
For example, a file named test.txt is encrypted as test.txt.scrypt, and a ransom note named test.txt.scrypt.txt is created alongside it. The ransomware also targets removable and network drives, while Windows system folders are excluded from encryption so that the operating system is not rendered unusable.
The ransom note informs victims that their files have been exfiltrated and threatens to publish and/or sell the stolen data if the demands are not met.
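The naming pattern above (a .scrypt file next to a .scrypt.txt note) is something a responder can search for when scoping an incident. The following is an added triage helper written for this write-up, not code from any vendor report; the SAMPLE_LISTING paths are constructed, and the functions pair encrypted files with their notes, flag orphaned notes, and summarise affected directories and drives.

```python
# Added triage helper for the naming pattern described above (not vendor code).
# Pairs "<name>.scrypt" with its "<name>.scrypt.txt" note, flags orphans and
# summarises affected directories/drives. All sample paths are constructed.
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".scrypt"
NOTE_EXT = ".txt"  # the note is the encrypted file's name plus ".txt"

# Constructed listing, e.g. from a directory walk or an EDR file inventory.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\test.txt.scrypt",
    r"C:\Users\alice\Documents\test.txt.scrypt.txt",
    r"C:\Users\alice\Documents\budget.xlsx.scrypt",
    r"C:\Users\alice\Documents\budget.xlsx.scrypt.txt",
    r"C:\Users\alice\Documents\notes.md",          # untouched file
    r"E:\share\report.docx.scrypt",               # encrypted, note missing
    r"E:\share\old.pdf.scrypt.txt",               # note left behind after restore
    r"C:\Windows\System32\kernel32.dll",          # system folder, skipped per the article
]

def pair_encrypted_files(paths):
    """Map each *.scrypt path to its note path, or None when the note is absent."""
    present = set(paths)
    return {p: (p + NOTE_EXT if p + NOTE_EXT in present else None)
            for p in present if p.endswith(ENCRYPTED_EXT)}

def orphan_notes(paths):
    """Notes whose encrypted counterpart is no longer on disk."""
    present = set(paths)
    return sorted(p for p in present
                  if p.endswith(ENCRYPTED_EXT + NOTE_EXT)
                  and p[:-len(NOTE_EXT)] not in present)

def triage(paths):
    """Scope summary: how many files, with how many notes, where, on which drives."""
    pairs = pair_encrypted_files(paths)
    return {
        "encrypted": len(pairs),
        "with_note": sum(n is not None for n in pairs.values()),
        "orphan_notes": orphan_notes(paths),
        "by_directory": dict(Counter(str(PureWindowsPath(p).parent) for p in pairs)),
        "by_drive": dict(Counter(PureWindowsPath(p).drive for p in pairs)),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

An encrypted file without a note, or a note without its file, is worth a second look: it may indicate an interrupted run or partial cleanup rather than a clean match to the pattern the article describes.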
The victim is given a deadline of four days to pay the ransom, after which the attackers threaten to send the stolen data to data protection authorities, exposing the victim to GDPR data breach penalties.
Evidence of the stolen files is uploaded to services such as ‘paste[.]com’ and ‘file[.]io’. The victim is also offered a live chat channel with the actors on a Tor negotiation site.
The negotiation site includes a ‘Main page’ that displays proof of the stolen data, and a Chat section where the victim can communicate with the threat actors and negotiate the ransom demand, as shown below.
FIN8 is linked with White Rabbit
According to Trend Micro’s report, findings from the ransomware’s deployment stage suggest that FIN8 is linked with White Rabbit: the ransomware uses a unique version of Badhatch (aka “Sardonic”), a backdoor associated with FIN8.
FIN8 keeps its custom backdoors to itself and continues to develop them privately. The ransomware family has also been analysed by Lodestone researchers, who discovered Badhatch in White Rabbit attacks and noticed PowerShell artifacts similar to FIN8-associated activity from last summer.
According to the Lodestone report, “Lodestone identified a number of TTPs suggesting that White Rabbit, if operating independently of FIN8, has a close relationship with the more established threat group or is mimicking them.”
Currently, White Rabbit ransomware targets only a few entities, but it is capable of becoming a severe menace to companies in the future.
How to keep yourself protected from White Rabbit Ransomware?
- Deploy cross-layered detection and response solutions.
- Create an incident response playbook for attack prevention and recovery.
- Conduct ransomware attack simulations to identify gaps and evaluate performance.
- Perform backups, test backups, verify backups, and keep offline backups.