White Rabbit Ransomware appeared in the cybersecurity wild, and a recent suggests the strain may be a side-project of the FIN8 hacking group.
FIN8 is a financially motivated actor who has been spotted targeting financial organizations for several years, primarily by deploying POS malware that can steal credit card details.
White Rabbit Ransomware was first reported on by ransomware expert Michael Gillespie on Twitter.
Trend Micro investigated a sample of White Rabbit Ransomware which was discovered after an attack on a US bank in December 2021.
The White Rabbit Ransomware payload is tiny compared its peers at just 100KB. It requires a password to be entered on the command line for decryption.
Password-protected payloads have been previously seen by other strains, such as Egregor, MegaCortex, and SamSam.
When the correct password is entered, White Rabbit Ransomware will scan all folders on the device and encrypt targeted files, creating ransom notes for each file it encrypts.
While encrypting a device, removable and network drives are also targeted, with Windows system folders excluded from encryption to prevent rendering the operating system unusable.
The ransom note informs the victim that their files had been exfiltrated and threatens to publish and/or sell the stolen data if the demands are not met.
The deadline for the victim to pay a ransom is set to four days, after which the actors threaten to send the stolen data to data protection authorities, leading to data breach GDPR penalties.
The evidence of the stolen files is uploaded to services such as ‘paste[.]com’ and ‘file[.]io,’ while the victim is offered a live chat communication channel with the actors on a Tor negotiation site.
The Tor site includes a ‘Main page,’ used to display proof of stolen data, and a Chat section where the victim can communicate with the threat actors and negotiate a ransom demand.
As noted in the Trend Micro report, evidence that connects FIN8 and ‘White Rabbit’ is found in the ransomware’s deployment stage.
The connection between White Rabbit Ransomware and FIN8 has also been confirmed by researchers at Lodestone.
“Lodestone identified a number of TTPs suggesting that White Rabbit, if operating independently of FIN8, has a close relationship with the more established threat group or is mimicking them.”
For now, White Rabbit has limited itself to only targeting a few entities but is considered an emerging threat that could turn into a severe menace to companies in the future.
Protection Against White Rabbit Ransomware
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.