Discovered new ransomware called White Rabbit, related to the notorious FIN8 hacker group

A new family of ransomware called White Rabbit has just been discovered by researchers. According to research results, it is possible that this ransomware is a side activity of the notorious FIN8 hacker group.

FIN8 is a group that specializes in hacking for money and usually targets financial institutions. Over the past few years, FIN8's main attack method has been to deploy malicious POS software to steal credit card information.

Discovered new ransomware called White Rabbit, related to the notorious FIN8 hacker group Picture 1 Discovered new ransomware called White Rabbit, related to the notorious FIN8 hacker group Picture 1

In December 2021, TrendMicro researchers obtained a sample of the White Rabbit ransomware when it attacked a bank in the US. The ransomware executable is a small payload, about 100KB in size, and requires a new password to be entered to decrypt the payload.

The password used to execute the malicious payload has been used in previous ransomware campaigns such as Egregor, MegaCortex, and SamSam.

After entering the correct password, the ransomware executes, which scans all folders on the device and encrypts the files it targets, creating a ransom note for each file it encrypts.

Example: A file named test.txt will be encrypted as test.txt.scrypt and a ransom note will be created with the name test.txt.scrypt.txt.

When encrypting a device, removable hard drives and network storage drives will also be attacked. Windows system files will not be encrypted to avoid damaging the operating system.

In the ransom note, the cybercriminal informs the victim that their data has been stripped. Therefore, if the ransom requirements are not met, the cybercriminals will publicly post and/or sell the data.

The time limit for the victim to prepare the ransom is 4 days, the victim can contact or negotiate with the attackers via a Tor site.

Currently, the White Rabbit only attacks certain entities. However, with the connection to FIN8, researchers fear that it will become a threat to many companies and businesses in the near future.

At this point, White Rabbit can be prevented by standard anti-ransomware measures as follows:

Implement multi-layered detection and response solutions.
Create an incident response handbook to prevent and recover from an attack.
Conduct simulations of ransomware attacks to identify vulnerabilities and evaluate performance.
Perform backups, test backups, verify backups, and store backups offline.