Chris Swagler | January 20th, 2022

White Rabbit Ransomware

White Rabbit, a new ransomware family, was discovered in the wild. Research findings indicate White Rabbit could be a side operation of FIN8, a financially motivated threat group that targets financial companies and deploys point-of-sale (POS) malware to steal credit card details.

A ransomware expert publicly mentioned the ransomware in a tweet, seeking a sample of the malware. According to researchers, a sample of the White Rabbit ransomware was obtained during an attack on a US bank in 2021. The sample reveals that the ransomware executable is a small payload, a 100 KB file, and that a password must be supplied on the command line to decrypt the malicious payload. Other ransomware groups, including Egregor, MegaCortex, and SamSam, have previously used a command-line password to execute their payloads. Once the payload is executed with the correct password, the ransomware scans all folders on the device, encrypts the targeted files, and creates a ransom note for each encrypted file. A file called test.txt is encrypted as test.txt.scrypt, and the group creates a ransom note called test.txt.scrypt.txt alongside it.

Removable and network drives are also targeted while the ransomware is encrypting a device, with Windows system folders excluded from the encryption process so that the operating system is not rendered unusable. A ransom note notifies victims that their files have been exfiltrated and will be published and/or sold if victims don’t pay the ransom demands. Victims are given four days to pay the ransom, after which the threat actors threaten to send the stolen data to data protection authorities, which can result in GDPR (General Data Protection Regulation) data breach penalties. While victims are offered a live chat communication channel with the threat actors on a Tor negotiation site, evidence of the stolen files is uploaded to services like “paste[.]com” and “file[.]” to display proof of stolen data.
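The file-naming behaviour described above (an encrypted copy with a ".scrypt" suffix beside a per-file note named "<original>.scrypt.txt") is a concrete artifact a defender can hunt for on file shares and removable media. The following Python script is an added example, not code from this post or from SpearTip: it builds a constructed sample directory tree, walks it, and reports encrypted files, ransom notes, notes without a matching encrypted file, and which directories were touched. The suffix values are the only thing taken from the post; the directory layout, file names and contents are made up for the demonstration.

```python
"""Hunt for the White Rabbit file-naming pattern in a directory tree.

Added example (not part of the original post). Assumes only what the
post states: encrypted files gain a ".scrypt" suffix and each has a
companion ransom note named "<original>.scrypt.txt". The sample tree
built by build_sample_tree() is constructed for the demonstration.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List

ENCRYPTED_SUFFIX = ".scrypt"        # from the post: test.txt -> test.txt.scrypt
NOTE_SUFFIX = ".scrypt.txt"         # from the post: test.txt.scrypt.txt


@dataclass
class ScanResult:
    encrypted: List[Path] = field(default_factory=list)
    notes: List[Path] = field(default_factory=list)
    # Notes whose paired encrypted file is missing (deleted, moved, or
    # a false positive) are reported separately so an analyst can review them.
    orphan_notes: List[Path] = field(default_factory=list)
    # Directory -> number of encrypted files found there.
    affected_dirs: Dict[Path, int] = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        # A single encrypted file with a matching note is already a strong
        # indicator; the pattern does not occur in normal use.
        return bool(self.encrypted and self.notes)


def scan_tree(root: Path) -> ScanResult:
    """Walk `root` and collect every file matching the two suffix patterns."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        directory = Path(dirpath)
        names = set(filenames)
        for name in filenames:
            path = directory / name
            if name.endswith(NOTE_SUFFIX):
                result.notes.append(path)
                # Strip the trailing ".txt" to get the encrypted file's name.
                if name[:-len(".txt")] not in names:
                    result.orphan_notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                result.encrypted.append(path)
                result.affected_dirs[directory] = result.affected_dirs.get(directory, 0) + 1
    return result


def build_sample_tree() -> Path:
    """Create a constructed directory layout mimicking a partially encrypted host."""
    root = Path(tempfile.mkdtemp(prefix="wr_demo_"))
    layout = {
        "docs/report.docx.scrypt": b"\x00constructed ciphertext",
        "docs/report.docx.scrypt.txt": b"constructed ransom note",
        "docs/readme.md": b"untouched file",
        "share/q4.xlsx.scrypt": b"\x00constructed ciphertext",
        "share/q4.xlsx.scrypt.txt": b"constructed ransom note",
        "share/old.pdf.scrypt.txt": b"note whose encrypted file is gone",
        # System folders are skipped by the ransomware per the post, so this
        # subtree should come back clean.
        "Windows/System32/kernel32.dll": b"untouched system file",
    }
    for rel, content in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root


def main() -> None:
    root = build_sample_tree()
    result = scan_tree(root)
    print(f"scanned {root}: suspicious={result.suspicious}")
    print(f"  encrypted files : {len(result.encrypted)}")
    print(f"  ransom notes    : {len(result.notes)} ({len(result.orphan_notes)} orphaned)")
    for directory, count in sorted(result.affected_dirs.items()):
        print(f"  {directory.relative_to(root)}: {count} encrypted file(s)")


if __name__ == "__main__":
    main()
```

Run against a real share root instead of the sample tree by passing that path to `scan_tree`; the walk is read-only, so it is safe to run during triage, and the per-directory counts give a quick sense of how far encryption progressed before it was stopped.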

According to a report, evidence was discovered in the ransomware’s deployment stage connecting the “White Rabbit” ransomware to the FIN8 hacking group. The ransomware implements a never-before-seen variant of Badhatch (aka “Sardonic”), a FIN8-associated backdoor. Usually, threat actors keep their custom and privately developed backdoors to themselves. According to researchers, a different report confirmed the findings of Badhatch in “White Rabbit” attacks and observed PowerShell artifacts tied to FIN8-associated activity. The researchers identified numerous TTPs suggesting that White Rabbit, if it is an operation independent of FIN8, is working closely with or imitating more established threat groups.

Even though White Rabbit is targeting only a few companies, it’s considered an emerging ransomware threat that could become a dangerous menace to companies in the future. Companies can contain the threat by deploying cross-layered detection and response solutions, creating an incident response playbook for attack prevention and recovery, and conducting ransomware attack simulations to identify gaps and evaluate performance. Furthermore, companies should keep all data backed up offline and frequently test that their backup and restore procedures work.

Companies should remain vigilant about the current threat landscape and take the necessary security measures to prevent potential ransomware threats like White Rabbit from stealing data. At SpearTip, our advisory services identify the risks that matter in real-world cyberattacks and provide companies with first-hand knowledge and expertise on the vulnerabilities being leveraged by threat actors to exploit environments. Our ShadowSpear Platform is an unparalleled resource working in tandem with our certified engineers, with the capability to identify threats, neutralize malware, and counter adversaries 24/7 at our Security Operations Centers.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.