New White Rabbit Ransomware Possibly Run by FIN8 APT

Security researchers have spotted a new ransomware strain that forms a family of its own. The ransomware has been named White Rabbit and is believed to be connected to the advanced persistent threat (APT) actor known as FIN8.

FIN8 is the designation given to a financially motivated APT that was first spotted in 2018 and has attacked organizations in the retail and hospitality industries.

According to Trend Micro's report on the White Rabbit ransomware, the new strain shares some similarities with the older Egregor ransomware in how it covers its tracks and evades detection.

First Detections and Examination

The first detections of White Rabbit activity date back to mid-December 2021. On the same day that the security firm Lodestone published an article on White Rabbit, independent security researcher Michael Gillespie also posted about it on his Twitter account. Gillespie's post included the ransom note, which is dropped alongside every encrypted file, complete with the miniature ASCII-art rabbit in the note's text.

The ransom note follows the classic double-extortion playbook to pressure the victim. White Rabbit claims that the victim's data has not only been encrypted but also exfiltrated, and that it will be leaked if the ransom is not paid.

Trend Micro also noted that the White Rabbit sample it analyzed required the password "KissMe" to decrypt the payload's internal configuration and launch the actual ransomware routine. Egregor samples that researchers analyzed years earlier used a very similar technique.

Even though researchers are not completely certain that White Rabbit is operated by FIN8, the reconnaissance and infiltration techniques seen in White Rabbit intrusions overlap considerably with those used in past FIN8 attacks.

Methods of Encryption

When White Rabbit encrypts a file, it appends the .scrypt extension to the scrambled file and drops a copy of the ransom note next to it with the .scrypt.txt extension, so every encrypted file gets its own note. The ransomware steers clear of important system directories so that the target system keeps functioning. Folders White Rabbit does not touch include the Windows folder and both Program Files folders. Files that potentially belong to system drivers are also left unencrypted.
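As an added, defender-side example (not code from the Trend Micro report or from any White Rabbit sample), the Python below triages a file listing for the naming pattern described above: it pairs each .scrypt file with its .scrypt.txt note, flags mismatches, counts hits per top-level folder, and reports any hits inside the folders the ransomware is said to skip. The listing is constructed for illustration.

```python
from collections import defaultdict

# Naming scheme reported for White Rabbit: encrypted files get ".scrypt" and
# a ransom note "<file>.scrypt.txt" is dropped next to each one.
ENCRYPTED_EXT = ".scrypt"
NOTE_EXT = ".scrypt.txt"
# Top-level folders the article says the ransomware leaves alone.
SKIPPED_DIRS = {"windows", "program files", "program files (x86)"}

# Constructed sample listing (not from any real incident), Windows-style paths.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\q4-report.xlsx.scrypt",
    r"C:\Users\alice\Documents\q4-report.xlsx.scrypt.txt",
    r"C:\Users\alice\Pictures\team.jpg.scrypt",
    r"C:\Users\alice\Pictures\team.jpg.scrypt.txt",
    r"D:\Shares\finance\ledger.db.scrypt",      # encrypted, note missing
    r"D:\Shares\hr\policy.pdf.scrypt.txt",      # note present, file missing
    r"C:\Windows\System32\drivers\etc\hosts",   # expected to be untouched
    r"C:\Program Files\App\app.exe",            # expected to be untouched
]


def triage(paths):
    """Correlate .scrypt files with their .scrypt.txt notes.

    Returns paired files, encrypted files lacking a note, notes lacking a
    file, hit counts per top-level folder, and hits inside folders this
    family is reported to skip (unexpected for White Rabbit, worth review).
    """
    encrypted, notes = set(), set()
    for p in paths:
        n = p.replace("\\", "/").lower()   # normalize separators and case
        if n.endswith(NOTE_EXT):
            notes.add(n)
        elif n.endswith(ENCRYPTED_EXT):
            encrypted.add(n)
    paired = {f for f in encrypted if f + ".txt" in notes}
    per_dir, in_skipped = defaultdict(int), set()
    for f in encrypted:
        parts = f.split("/")               # ["c:", "users", "alice", ...]
        per_dir["/".join(parts[:2])] += 1
        if len(parts) > 1 and parts[1] in SKIPPED_DIRS:
            in_skipped.add(f)
    return {
        "paired": paired,
        "files_without_note": encrypted - paired,
        "orphan_notes": {n for n in notes if n[:-4] not in encrypted},
        "per_dir": dict(per_dir),
        "in_skipped_dirs": in_skipped,
    }
```

Orphan notes or notes without a matching file can indicate an interrupted run or a partially restored share, and any hit under the Windows or Program Files folders is out of character for this family and deserves a second look.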

January 19, 2022