A new type of ransomware called White Rabbit was spotted in the wild, which could be a side-project of the FIN8 hacking group.
FIN8 is a financial actor who has been targeting banks for several years. Usually, they deploy POS malware to steal credit card details. The first indication that the group deploys White Rabbit ransomware to steal sensitive information from customers came in a tweet by ransomware expert Michael Gillespie.
According to a new report, Trend Micro researchers presented an analysis of a sample of White Rabbit ransomware that was used against a US bank in December 2021.
The ransomware’s small payload, which only contains a 100 KB file, requires an attacker to enter a special code to successfully execute. This tactic has also been used by such ransomware operations as Egregor, MegaCortex, and SamSam. After the input of a unique password, the ransomware will perform a scan and encrypts all files on the system, creating ransom notes for each file it encrypts. For example, a file named test.txt would be encrypted as test.txt.scrypt. And a ransom note would be created as test.txt.scrypt.txt.
While it encrypts a device, the files on removable media are also encrypted, while Windows system folders are excluded.
The ransom note includes a warning that the victim’s files were exfiltrated and that they could be sold or published if the demands are not met. The deadline for the ransom payment is usually set to four days. If the victim does not pay the ransom, the hackers threaten to send the stolen data to the appropriate authorities.
The proof of files being stolen is then posted on various websites. The actors then invite the victims to a Tor website. The site contains proof of a data breach and features a section where the victims can discuss their situation and negotiate a ransom demand with the threat actors.
According to a report by the security firm, White Rabbit uses a never-before-seen variant of Badhatch and Badhatch had been previously used by FIN8.
The report by security firm Lodestone stated that White Rabbit uses PowerShell artifacts similar to activity from last summer associated with FIN8:
“Lodestone identified a number of TTPs suggesting that White Rabbit if operating independently of FIN8, has a close relationship with the more established threat group or is mimicking them,” the firm concluded.