White Rabbit Ransomware Uses Double Extortion, Possible FIN8 Connection

Malware researchers have detected a new high-profile file-encryption Trojan. The first information about its attacks surfaced in December 2021, when it took over the network of a major US banking institution. The threat, dubbed White Rabbit Ransomware, shows some similarities with the Egregor Ransomware family, but it is highly unlikely that the same group of criminals is behind both.

What is the White Rabbit Ransomware?

File-lockers like this one work by encrypting data on the victim's machine so that the files become inaccessible. What is peculiar about this particular ransomware family is that it only runs if a password is entered. This is a simple trick that makes the work of malware researchers a bit harder, since the sample does nothing when executed without the password. It may also mean that the criminals deploy the White Rabbit Ransomware manually, as an operator has to supply the password to run it.

The ransomware binary is also remarkably small, just a little over 100KB. Experts suspect that the payload was delivered by a previously planted, cracked Cobalt Strike Beacon, as remnants of this implant were found on infected machines.

How is the Attack Carried Out?

Once running, the threat steals copies of the victim's files and then encrypts the originals. This double extortion technique is becoming a regular occurrence among high-profile threats. The criminals threaten to leak the victim's sensitive information online unless the ransom is paid, and they also claim that the original files cannot be recovered without paying. Unfortunately, the criminals' warning is true: there is no recovery option at this time. The best way to tackle ransomware attacks is to take preventive measures so that they do not happen in the first place. Using an up-to-date security software suite is one way to achieve this.

January 19, 2022