Malware

Is White Rabbit ransomware linked to FIN8 financially motivated group?

A new ransomware gang named White Rabbit has appeared in the threat landscape; experts believe it is linked to the FIN8 hacking group.

A new ransomware gang called ‘White Rabbit’ has launched its operations and, according to the experts, is likely linked to the FIN8 financially motivated group.

In December, the popular malware researcher Michael Gillespie first mentioned the group and called on experts to hunt the new threat.

The first public analysis of the White Rabbit ransomware was published by Trend Micro, following an investigation into an attack on a US bank that took place in December 2021.

“One of the most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis.” reads the analysis published by Trend Micro.

The ransomware required a password to execute the malicious payload, a technique that was used previously by other malware, including the Egregor ransomware.

The White Rabbit payload is a small file of around 100 KB with no notable strings and seemingly no activity. The ransomware drops a note for each file it encrypts; each note bears the name of the encrypted file with “.scrypt.txt” appended.

The ransomware targets files on fixed, removable, and network drives, as well as resources; it skips some paths and directories to avoid crashing the system and destroying its own notes.
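The per-file note naming described above is the kind of artifact an incident responder can pivot on when scoping an infection. The following is an added example, not code from the article or from Trend Micro's analysis: a small triage script that takes a file listing (constructed sample data with Windows-style paths), flags files matching the `<name>.scrypt.txt` note pattern, pairs each note with the file it accompanies where that file is present in the listing, and counts notes per drive letter or UNC share to show how far encryption spread across local and network drives. It assumes the note name is the encrypted file's full name with the suffix appended and that encrypted files keep their original names; the article does not state either detail.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Note suffix reported in the article: each ransom note is named after the
# file it accompanies with ".scrypt.txt" appended (assumption: the full
# original file name is kept, e.g. budget.xlsx -> budget.xlsx.scrypt.txt).
NOTE_SUFFIX = ".scrypt.txt"

# Constructed sample file listing (not real incident data): ordinary files,
# per-file ransom notes on a local drive, a second drive and a network share,
# and a system file that must not be flagged.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.scrypt.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\backup\db.bak",
    r"D:\backup\db.bak.scrypt.txt",
    r"\\fileserver\share\contract.pdf.scrypt.txt",
    r"C:\Windows\System32\kernel32.dll",
]


def is_ransom_note(path):
    """True if the file name matches the per-file note pattern <name>.scrypt.txt."""
    name = PureWindowsPath(path).name.lower()
    # A bare ".scrypt.txt" carries no file name, so it is not a per-file note.
    return name.endswith(NOTE_SUFFIX) and name != NOTE_SUFFIX


def note_target(note_path):
    """Path of the file the note refers to: the note path with the suffix stripped."""
    return note_path[: -len(NOTE_SUFFIX)]


def triage(paths):
    """Pair ransom notes with the files they accompany and count notes per drive.

    Returns a dict with the notes found, (note, target) pairs where the target
    is present in the listing, orphan notes whose target is missing, and a
    per-drive count (drive letter or UNC share) showing the spread of encryption.
    """
    # Windows paths are case-insensitive, so membership is checked lower-cased.
    existing = {p.lower() for p in paths}
    notes = [p for p in paths if is_ransom_note(p)]
    paired, orphan_notes = [], []
    for note in notes:
        target = note_target(note)
        if target.lower() in existing:
            paired.append((note, target))
        else:
            orphan_notes.append(note)
    # PureWindowsPath.drive yields "C:" for local drives and "\\host\share" for UNC paths.
    by_drive = Counter(PureWindowsPath(n).drive for n in notes)
    return {
        "notes": notes,
        "paired": paired,
        "orphan_notes": orphan_notes,
        "by_drive": dict(by_drive),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{len(result['notes'])} ransom notes across drives {sorted(result['by_drive'])}")
    for note, target in result["paired"]:
        print(f"  {target}  <-  {note}")
    for note in result["orphan_notes"]:
        print(f"  (target missing from listing)  <-  {note}")
```

Orphan notes (a note whose companion file is absent from the listing) are worth a second look during response: they can mean the encrypted file was moved or deleted, or that the listing was collected from an incomplete snapshot. The per-drive count is a quick way to confirm whether network shares were reached, which the article says the ransomware targets alongside fixed and removable drives.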

The researchers also gathered evidence of the use of Cobalt Strike commands to drop the malicious payload into the affected system.

The link between the White Rabbit ransomware operation and FIN8 is based on the use of the same malicious URL and a never-before-seen version of Badhatch, a FIN8 backdoor used by the group to infect PoS systems and steal payment card data.

The White Rabbit ransomware operators use double extortion and threaten to release victims’ stolen data if they don’t pay the ransom.

“Currently, we are still determining if FIN8 and White Rabbit are indeed related or if they share the same creator. Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware. So far, White Rabbit’s targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack.” concludes the analysis. “White Rabbit is thus likely still in its development phase, considering its uncomplicated ransomware routine. Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods. As such, it is worth monitoring.”


Pierluigi Paganini

(SecurityAffairs – hacking, White Rabbit ransomware)
