Christopher Eaton | January 21st, 2022

White Rabbit Ransomware Connected to FIN8 Threat Group Known for Targeting Financial Companies with Point-Of-Sale Malware

Research indicates White Rabbit could be a side operation of FIN8, a financially motivated threat group that targets financial companies and deploys point-of-sale (POS) malware to steal credit card details. Once the payload is executed with the correct password, the ransomware scans all folders on the device, encrypts targeted files, and creates a ransom note for each encrypted file: a file called test.txt is encrypted as test.txt.scrypt, and a ransom note called test.txt.scrypt.txt is created alongside it. Removable and network drives are also targeted. The ransom note notifies victims that their files have been exfiltrated and will be published and/or sold if the ransom demands are not paid. Victims have four days to pay before the threat actors threaten to send the stolen data to data protection authorities, which can result in GDPR (General Data Protection Regulation) data breach penalties. Victims are offered a live chat channel with the threat actors on a Tor negotiation site, and evidence of the stolen files is uploaded to services like “paste[.]com” and “file[.]” as proof of the theft.
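The file-naming behaviour described above gives responders a cheap triage signal: an encrypted file and its per-file ransom note always appear as a pair. The following Python is an added example written for this post, not code from SpearTip or from any White Rabbit analysis; the directory listing it scans is constructed, and the alert threshold of three matched pairs is an assumed cut-off, not a figure from the report.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample directory listing (hypothetical, not from the original post).
# White Rabbit renames an encrypted file to <name>.scrypt and drops <name>.scrypt.txt
# beside it, so the two artifacts should be found together.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.scrypt",
    r"C:\Users\alice\Documents\budget.xlsx.scrypt.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\report.docx.scrypt",
    r"C:\Users\alice\Documents\report.docx.scrypt.txt",
    r"E:\share\archive.zip.scrypt",
    r"E:\share\archive.zip.scrypt.txt",
    r"E:\share\readme.scrypt.txt",  # note with no matching .scrypt file: not counted
]

ENCRYPTED_SUFFIX = ".scrypt"
NOTE_SUFFIX = ".scrypt.txt"


def find_white_rabbit_pairs(paths):
    """Return (encrypted_file, ransom_note) pairs where both halves of the
    White Rabbit pattern are present. A lone .scrypt.txt is ignored so that a
    user who happens to keep a file with that extension does not raise an alert."""
    encrypted = {p for p in paths if p.lower().endswith(ENCRYPTED_SUFFIX)}
    pairs = []
    for note in paths:
        if note.lower().endswith(NOTE_SUFFIX):
            candidate = note[: -len(".txt")]  # strip trailing ".txt" to get the encrypted name
            if candidate in encrypted:
                pairs.append((candidate, note))
    return pairs


def assess(paths, threshold=3):
    """Summarise the evidence: number of matched pairs, pairs per drive letter
    (the report notes removable and network drives are also targeted), and a
    verdict once the pair count reaches the threshold (an assumed cut-off)."""
    pairs = find_white_rabbit_pairs(paths)
    drives = Counter(PureWindowsPath(enc).drive for enc, _ in pairs)
    return {
        "pairs": len(pairs),
        "drives": dict(drives),
        "likely_white_rabbit": len(pairs) >= threshold,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LISTING))
```

Pairing the note with its encrypted file, rather than alerting on either extension alone, keeps the check from firing on a single unrelated `.scrypt` file, and the per-drive breakdown shows immediately whether a mapped share or removable disk has been touched.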

Microsoft Issues Reports of Fake Ransomware Initiating Data-Wiping Attacks to Target Ukraine

Microsoft issued a warning detailing attacks on multiple Ukraine-based organizations using destructive data-wiping malware disguised as fake ransomware. The company discovered new attacks combining a destructive MBRLocker with data-corrupting malware to intentionally destroy victim data. The new malware family, called “WhisperGate,” conducts a two-stage attack using two different destructive malware components. The first component, stage1.exe, is launched from the C:\PerfLogs, C:\ProgramData, C:\, or C:\temp folders and overwrites the Master Boot Record to display a ransom note. The MBRLocker program replaces the master boot record located on the computer’s hard drive, which contains information on disk partitions and a small executable used to load the operating system. MBRLocker replaces the loader in the master boot record with a program that encrypts the partition table and displays a ransom note. The program prevents the operating system from loading and data from being accessed until the victim has paid the ransom and a decryption key is obtained. Ukraine connects the attacks to Russia, with the intention of undermining confidence in the Ukrainian government.

Diavol Ransomware Linked by FBI to TrickBot, Malware Developers Responsible for TrickBot Banking Trojan

The FBI announced it had officially linked the Diavol ransomware operation to the TrickBot group. The TrickBot threat group is known for developing the TrickBot banking trojan, which has been seen in a plethora of Conti and Ryuk ransomware attacks, fraudulent activity targeting financial institutions, and espionage against businesses. Ransomware samples taken from a June 2021 attack indicated that both Diavol and Conti payloads were used in the same incident; the notable similarities were the command-line instructions and the file encryption operations. It is probable that the FBI was able to make the formal link between the groups after arresting a Latvian citizen who was part of the team that developed the ransomware for TrickBot.

Data Stolen from Italian Fashion Giant Moncler Leaked as Part of BlackCat Ransomware Attack

Moncler, an Italian luxury fashion giant, had files stolen and published on the dark web following a data breach by the BlackCat (AlphV) ransomware group. Moncler issued a statement confirming that data belonging to employees, former employees, suppliers, consultants, business partners, and customers was leaked by the group. Moncler rejected paying the ransom demand because doing so goes against its founding principles, which led to its stolen data being published. The data was published on BlackCat’s (AlphV) data leak website after a demand of $3 million to not distribute the data was refused. The BlackCat (AlphV) ransomware group launched its operations as Ransomware-as-a-Service (RaaS) in December 2022.

World’s Largest Commercial Printer, R. R. Donnelley, Confirms Data Theft by Conti Ransomware

Printing giant R.R. Donnelley confirmed that the company suffered a Conti ransomware attack that resulted in a trove of exfiltrated data. As a result of the network intrusion, R.R. Donnelley was forced to shut down its network and halt some business-critical operations, including fulfilling customer orders and disbursing payments. Conti ransomware operators initially began leaking some of the stolen data, but soon reversed that process amid ransom negotiations. It appears that the attack was planned to coincide with R.R. Donnelley’s recent merger activities. Weeks before this ransomware attack, the FBI had warned organizations considering mergers and acquisitions about exactly this type of activity. The full scale and nature of the attack is still under investigation.


Companies should remain vigilant about the current threat landscape and take the necessary security measures to prevent ransomware threats such as White Rabbit, Conti, and BlackCat from stealing data. At SpearTip, our advisory services identify the risks that matter in real-world cyberattacks and provide companies with first-hand knowledge and expertise of vulnerabilities being leveraged by threat actors to exploit environments. Our ShadowSpear Platform is an unparalleled resource working in tandem with our certified engineers, with the capability to identify threats, neutralize malware, and counter adversaries 24/7 at our Security Operations Centers. These ransomware attacks demonstrate the importance of maintaining a mature security posture and ensuring all business-critical data is stored on backup servers disconnected from a company’s primary networks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.