A new ransomware family believed to be linked to the FIN8 hacking group has been discovered; it claimed a U.S.-based local bank as a victim in December 2021.

About White Rabbit 

The information regarding White Rabbit was first disclosed by a ransomware expert via a tweet. Later, researchers from Trend Micro analyzed a sample and provided a detailed report.
  • Apart from encrypting the local hard drives, the ransomware also targets removable and network drives. Windows system folders are skipped so that the operating system does not become unusable or unbootable.
  • Evidence of the stolen files is uploaded to the paste[.]com and file[.]io services, and the victim is urged to negotiate with the attackers on a Tor website.
  • The attackers threaten to send the stolen data to data protection authorities if the ransom demand is not met, which may result in penalties under the GDPR.

Attribution

Trend Micro found evidence in the ransomware's deployment stage that connects the FIN8 group with White Rabbit.
  • Lodestone found similarities, such as the use of the same Badhatch backdoor and PowerShell artifacts, further confirming the connection between the two groups.
  • Moreover, Lodestone spotted a number of TTPs suggesting that White Rabbit imitates more established threat groups when operating independently.

Conclusion

The White Rabbit ransomware is an emerging threat, and researchers suspect that it may become a severe threat in the future. To defend against such threats, the best recommendation is to deploy cross-layered detection and response solutions. Additionally, organizations are advised to create an incident response playbook for attack prevention and mitigation.

Cyware Publisher