A recently identified strain of ransomware, dubbed “White Rabbit,” has emerged, likely linked to the financially motivated threat actor known as FIN8. This malware was reportedly employed in an attack against a U.S.-based local bank in December 2021.

According to research by Trend Micro, the technical characteristics of White Rabbit exhibit notable similarities to Egregor, a ransomware operation dismantled by Ukrainian authorities in February 2021. The researchers highlighted that White Rabbit’s binary payload necessitates a specific command-line password for the decryption of its internal configuration, a tactic previously observed in Egregor’s methodology to obscure malicious activities from forensic scrutiny.

White Rabbit not only borrows from Egregor’s playbook but also adheres to a double extortion model—an approach gaining traction among ransomware groups. This strategy involves exfiltrating sensitive data before executing encryption routines, pressuring victims to pay to prevent the public release of their compromised information.

The ransom note issued after encryption warns victims of impending data publication or sale if they do not comply within a four-day timeframe. This document further asserts intentions to inform regulatory bodies and the media about the breach, underscoring the pressure tactics now commonplace in ransomware demands.

Although overt attacks using White Rabbit have only recently come to light, forensic analysis indicates that malicious activities tied to this ransomware may date as far back as July 2021. Samples traced back to August 2021 suggest that White Rabbit is an evolved variant of the Sardonic backdoor, previously linked to unsuccessful cyber operations aimed at U.S. financial institutions.

According to a report from cybersecurity firm Lodestone, the connections between White Rabbit and FIN8 remain unclear, yet many of the tactics and techniques White Rabbit employs suggest either a close relationship with FIN8 or deliberate mimicry of its operational methods. FIN8 is predominantly recognized for its infiltration and reconnaissance capabilities, hinting that the actors behind White Rabbit may be expanding their operational tactics to encompass ransomware.

The targets of White Rabbit have thus far been limited, indicating that its operators may still be testing the ransomware's capabilities or preparing for broader, more significant assaults. This tentative approach serves as a warning for organizations to bolster their defenses as ransomware tactics evolve.