Discovered new ransomware called White Rabbit, related to the notorious FIN8 hacker group
FIN8 is a group that specializes in hacking for money and usually targets financial institutions. Over the past few years, FIN8's main attack method has been to deploy malicious POS software to steal credit card information.
In December 2021, TrendMicro researchers obtained a sample of the White Rabbit ransomware when it attacked a bank in the US. The ransomware executable is a small payload, about 100KB in size, and requires a password to be supplied before it will decrypt and run its payload.
The password used to execute the malicious payload has been used in previous ransomware campaigns such as Egregor, MegaCortex, and SamSam.
Once the correct password is supplied, the ransomware executes: it scans all folders on the device, encrypts the files it targets, and creates a ransom note for each file it encrypts.
Example: A file named test.txt will be encrypted as test.txt.scrypt and a ransom note will be created with the name test.txt.scrypt.txt.
While encrypting a device, it also attacks removable hard drives and network storage drives. Windows system files are not encrypted, to avoid damaging the operating system.
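The naming pattern above (an encrypted file gets the ".scrypt" suffix and a note named "<file>.scrypt.txt" sits beside it) is a usable hunting indicator. The following is an added example written for this page, not TrendMicro's code or anything from the ransomware itself: it walks a directory tree, collects ".scrypt" files and ".scrypt.txt" notes, pairs them up, and returns a simple triage verdict. The sample directory it builds (file names, the untouched Windows folder, an orphaned note) is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article's example (test.txt -> test.txt.scrypt
# plus a note test.txt.scrypt.txt).
ENCRYPTED_SUFFIX = ".scrypt"
NOTE_SUFFIX = ".scrypt.txt"


def scan_for_white_rabbit_artifacts(root):
    """Walk `root` and return sorted path lists:
       encrypted - files ending in .scrypt
       notes     - ransom notes ending in .scrypt.txt
       paired    - encrypted files whose matching note sits alongside them
    """
    encrypted, notes = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            # Check the longer suffix first so a note is never mistaken
            # for an encrypted file.
            if name.endswith(NOTE_SUFFIX):
                notes.add(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.add(path)
    paired = {p for p in encrypted if Path(str(p) + ".txt") in notes}
    return {
        "encrypted": sorted(str(p) for p in encrypted),
        "notes": sorted(str(p) for p in notes),
        "paired": sorted(str(p) for p in paired),
    }


def classify(findings):
    """Triage verdict: a file/note pair is the strongest signal; a lone
    .scrypt file or orphaned note still deserves a look."""
    if findings["paired"]:
        return "likely_white_rabbit"
    if findings["encrypted"] or findings["notes"]:
        return "suspicious"
    return "clean"


def build_sample_tree():
    """Constructed sample filesystem (hypothetical data, not real IoCs):
    one fully paired hit, one encrypted file without its note, one
    orphaned note, a clean file, and a Windows system folder that the
    ransomware is described as leaving alone."""
    root = Path(tempfile.mkdtemp(prefix="wr_scan_"))
    layout = {
        "docs/report.docx.scrypt": b"\x00encrypted",
        "docs/report.docx.scrypt.txt": b"ransom note",
        "docs/notes.txt": b"plain text, untouched",
        "pics/photo.jpg.scrypt": b"\x00encrypted",
        "share/orphan.pdf.scrypt.txt": b"ransom note without its file",
        "Windows/System32/kernel32.dll": b"system file, untouched",
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    found = scan_for_white_rabbit_artifacts(build_sample_tree())
    print("verdict:", classify(found))
    for key in ("paired", "encrypted", "notes"):
        print(f"{key}: {len(found[key])}")
        for p in found[key]:
            print("   ", p)
```

Point the scanner at mounted shares and removable media as well as local drives, since the article notes those are encrypted too; a single paired hit is enough to trigger the incident response handbook rather than waiting for a full count.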
In the ransom note, the attackers tell the victim that their data has been stolen and that, if the ransom demands are not met, the data will be publicly posted and/or sold.
The victim is given 4 days to prepare the ransom and can contact or negotiate with the attackers via a Tor site.
Currently, White Rabbit only attacks certain entities. However, given its connection to FIN8, researchers fear that it will become a threat to many companies and businesses in the near future.
At this point, White Rabbit can be prevented by standard anti-ransomware measures as follows:
- Implement multi-layered detection and response solutions.
- Create an incident response handbook to prevent and recover from an attack.
- Conduct simulations of ransomware attacks to identify vulnerabilities and evaluate performance.
- Perform backups, test backups, verify backups, and store backups offline.