The new White Rabbit ransomware strain might be linked to FIN8

February 15, 2022

A relatively new ransomware strain called White Rabbit is allegedly affiliated with the FIN8 threat group. According to reports, the ransomware group claimed a US-based banking institution as its latest victim in December 2021.

A ransomware actor first revealed the data about White Rabbit on Twitter. After the tweet, a researcher examined the latest ransomware sample and provided a more comprehensive report about it.

According to the released report, the ransomware targets removable drives, network drives, and local hard drives, encrypting them once a host has been compromised. However, it deliberately skips the Windows system folders so that the operating system remains bootable and usable.

Furthermore, files stolen by White Rabbit are uploaded to file[.]io and other services as evidence that the group has acquired critical data from its target. After the evidence is uploaded, victims are directed to negotiate with the threat actors on a given Tor website.
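Exfiltration through public file-drop services such as file[.]io tends to show up in web-proxy logs as large POST/PUT requests to hosts that have no business purpose. The following script is an added example, not code from the article or from any vendor report: it parses constructed proxy-log lines, sums upload volume per client to a watched list of hosts, and flags clients above a threshold. The log format, the sample lines, the threshold, and every watched host other than file.io are assumptions for the example.

```python
"""Flag possible data-exfiltration uploads to public file-sharing services
in web-proxy logs.

Added example; not code from the original article. The log format, sample
lines and threshold are constructed. file.io is named in the article; the
other watched hosts are assumed placeholders for your own deny list.
"""
import re
from collections import defaultdict

# Hosts worth alerting on. Only file.io comes from the article; the rest are
# assumed examples and should be replaced by your organisation's own list.
WATCHED_HOSTS = {"file.io", "transfer.sh", "anonfiles.com"}

# Constructed log format:
#   timestamp client method host path status bytes_sent
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Assumed per-client upload threshold (bytes to watched hosts); tune locally.
UPLOAD_THRESHOLD = 5 * 1024 * 1024  # 5 MiB


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_watched(host):
    """True for a watched host or any subdomain of it (e.g. www.file.io)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)


def find_upload_suspects(lines, threshold=UPLOAD_THRESHOLD):
    """Return {client: total_bytes} for clients whose POST/PUT traffic to
    watched hosts meets or exceeds the threshold. Downloads (GET) and
    traffic to unwatched hosts are ignored; unparseable lines are skipped."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # a production pipeline would count and report these
        if rec["method"] in ("POST", "PUT") and is_watched(rec["host"]):
            totals[rec["client"]] += int(rec["bytes"])
    return {client: total for client, total in totals.items() if total >= threshold}


# Constructed sample log: one client pushes two 4 MiB uploads to file.io,
# one only downloads, one uploads a small file, one uploads to an internal host.
SAMPLE_LOG = [
    "2022-02-15T10:01:02Z 10.0.0.5 POST www.file.io /upload 200 4194304",
    "2022-02-15T10:01:40Z 10.0.0.5 POST file.io /upload 200 4194304",
    "2022-02-15T10:02:11Z 10.0.0.7 GET file.io /abc123 200 1200",
    "2022-02-15T10:03:05Z 10.0.0.9 POST file.io /upload 200 100000",
    "2022-02-15T10:04:30Z 10.0.0.5 PUT intranet.example.internal /share 201 9000000",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    for client, total in find_upload_suspects(SAMPLE_LOG).items():
        print(f"ALERT {client}: {total} bytes uploaded to watched file-drop hosts")
```

Running the block prints a single alert for 10.0.0.5; the other clients stay below the threshold or never upload to a watched host. In practice the watched-host list would be maintained alongside the proxy's category feed, and the alert would be correlated with endpoint telemetry such as the backdoor and PowerShell artefacts the article mentions.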

The threat actors then threaten to hand the stolen data to data protection law enforcement if the victim does not pay the ransom. This is an effective threat because the GDPR can impose penalties on the victim organisation if its data is leaked or exposed.

The researchers also found evidence in the White Rabbit ransomware’s distribution phase linking it to the FIN8 threat group.

Another cybersecurity expert discovered further similarities, since both use the Badhatch backdoor and PowerShell artefacts. This discovery further confirms a connection between the two malicious entities.

Lastly, the experts have identified numerous TTPs showing that White Rabbit imitates other threat groups that conduct attacks independently.

White Rabbit is an up-and-coming ransomware group, and experts believe it may soon grow into a major threat. To defend against such threats, the best recommendation is to deploy a cross-layered response together with effective detection solutions. It is also vital for organisations to develop an incident response playbook for cyberattack mitigation and prevention.
