A New Ransomware Was Linked to FIN8 Hacking Group
The White Rabbit Ransomware Was Recently Discovered in the Wild.
FIN8 is a financially motivated malicious actor who has been observed attacking financial institutions for numerous years, notably by deploying POS malware capable of stealing credit card information.
As Antonia reports in her article, the financially motivated group FIN8 is notorious for organizing multiple customized phishing operations that are mostly targeting industries such as healthcare, entertainment, retail, and hospitality.
During the attacks, the threat actor used the downloader PunchBuggy and POS malware PunchTrack in an attempt to steal payment card data from Point-of-Sale (POS) systems.
What Is White Rabbit?
A new ransomware family dubbed ‘White Rabbit’ has just appeared in the wild, and according to recent research results, it might be a side-project of the FIN8 hacker gang.
We spotted the new ransomware family White Rabbit discreetly making a name for itself by executing an attack on a local US bank in December 2021. This newcomer takes a page from Egregor, a more established ransomware family, in hiding its malicious activity and carries a potential connection to the advanced persistent threat (APT) group FIN8.
The White Rabbit ransomware was first mentioned publicly in a tweet by ransomware researcher Michael Gillespie, who was looking for a copy of the virus.
🔒 #Ransomware Hunt: “White Rabbit” with extension “.scrypt”, drops note for each encrypted file with “<filename>.scrypt.txt” with victim-specific information: https://t.co/ZjVay8A3Ch
“Follow the White Rabbit…” 🐰🤔 pic.twitter.com/lhzHi5t1KK
— Michael Gillespie (@demonslay335) December 14, 2021
As reported by BleepingComputer, the ransomware executable is a modest payload (100 KB) that requires a password to be supplied on the command line in order to decode the malicious payload; without it, the binary does nothing useful.
When the ransomware is activated with the right password, it will search all folders on the device and encrypt selected files, writing ransom notes for each item it encrypts.
A file named test.txt would be encrypted as test.txt.scrypt, and a ransom note would be written alongside it as test.txt.scrypt.txt. The encryption also targets removable and network drives, while Windows system directories are exempted so that the operating system is not rendered inoperable.
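The per-file naming pattern described above (every `<name>.scrypt` accompanied by a `<name>.scrypt.txt` note) is itself a useful triage signal. The following is an added example, not code from the article or from the Trend Micro or Lodestone research: it walks a directory tree, pairs each encrypted file with its note, and flags notes that have no matching encrypted file. The sample tree it builds is constructed for the example.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENC_SUFFIX = ".scrypt"        # extension reported for encrypted files
NOTE_SUFFIX = ".scrypt.txt"   # per-file ransom note reported in the tweet


@dataclass
class WhiteRabbitTriage:
    encrypted: list = field(default_factory=list)     # paths ending in .scrypt
    paired_notes: list = field(default_factory=list)  # notes whose .scrypt file exists
    orphan_notes: list = field(default_factory=list)  # notes with no matching .scrypt


def triage_tree(root: str) -> WhiteRabbitTriage:
    """Classify files under `root` by the .scrypt / .scrypt.txt pairing."""
    result = WhiteRabbitTriage()
    for dirpath, _, filenames in os.walk(root):
        present = set(filenames)
        for name in filenames:
            full = str(Path(dirpath) / name)
            if name.endswith(NOTE_SUFFIX):
                # Drop the trailing ".txt" to get the encrypted file the note belongs to.
                partner = name[: -len(".txt")]
                target = result.paired_notes if partner in present else result.orphan_notes
                target.append(full)
            elif name.endswith(ENC_SUFFIX):
                result.encrypted.append(full)
    return result


def build_sample_tree() -> str:
    """Constructed sample: two encrypted files with notes, one lone note, one clean file."""
    root = tempfile.mkdtemp(prefix="wr_sample_")
    (Path(root) / "share").mkdir()
    for rel in ["test.txt.scrypt", "test.txt.scrypt.txt",
                "share/report.xlsx.scrypt", "share/report.xlsx.scrypt.txt",
                "share/old.docx.scrypt.txt", "readme.md"]:
        (Path(root) / rel).write_text("constructed sample\n")
    return root


if __name__ == "__main__":
    r = triage_tree(build_sample_tree())
    print(len(r.encrypted), len(r.paired_notes), len(r.orphan_notes))  # 2 2 1
```

An orphan note (a `.scrypt.txt` whose encrypted file is missing) usually means the encrypted file was moved or restored, which is worth noting during incident scoping.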
The ransom letter notifies the victim that their files have been stolen and threatens to publicize and/or sell the stolen material if the demands are not satisfied.
According to the Trend Micro research, evidence linking FIN8 and ‘White Rabbit’ may be found in the ransomware’s dissemination stage.
More precisely, the new ransomware employs a never-before-seen variant of Badhatch (aka “Sardonic”), a FIN8-related backdoor.
Such actors typically keep their custom backdoors to themselves and continue to develop them in private.
This discovery is supported by a separate investigation on the same ransomware family conducted by Lodestone researchers.
They discovered Badhatch in ‘White Rabbit’ assaults, as well as PowerShell artifacts resembling FIN8-related behavior from last summer.
At the moment, experts are attempting to determine whether the malware is linked to FIN8.
Currently, we are still determining if FIN8 and White Rabbit are indeed related or if they share the same creator. Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware. So far, White Rabbit’s targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack.
How Can Heimdal™ Help?
Ransomware is one of the most common and most dangerous cyber threats of today, with possibly lethal consequences. Learning how to prevent it should be a top priority for any company interested in keeping its employees, clients, partners, assets, money, and business operations safe.
In the fight against ransomware, Heimdal Security offers its customers an integrated cybersecurity suite that includes the Ransomware Encryption Protection module. The module is compatible with any antivirus solution and is 100% signature-free, providing detection and remediation of any type of ransomware, whether fileless or file-based (including recent families such as LockFile).