This new ransomware comes with a small but dangerous payload

Cybersecurity researchers identify White Rabbit, which is a new ransomware that appears to have links to FIN8, a hacking group that previously focused on finances.
Written by Danny Palmer, Senior Writer

A new form of ransomware that uses discreet techniques to avoid detection before encrypting files and demanding payment in exchange for the decryption key could be linked to a notorious financial crime group. 

White Rabbit ransomware emerged in December 2021 with an attack against a US bank and has since been examined by cybersecurity researchers, who say that the ransomware appears to be connected to FIN8, a financially motivated cyber-criminal gang. 

FIN8 was first identified in 2016 and typically targets point-of-sale (POS) systems with malware attacks designed to steal credit card information. Now it appears that FIN8 could be following the money and shifting towards ransomware campaigns. 

SEE: Your cybersecurity training needs improvement because hacking attacks are only getting worse

According to cybersecurity researchers at Trend Micro, White Rabbit uses tactics that have been seen before, most notably by Egregor, in that it's payload binary requires a specific command-line password before it goes ahead with the ransomware and encryption routine – a technique that allows the payload to remain undetected until it's executed. 

The payload is also hard to detect because the file is small, only 100KB, which appears to show no signs of activity. It contains strings for logging – something that could give away the malicious intent – but these could only be accessed with the correct password. In the sample analysed by Trend Micro, the password was 'KissMe' – although the password could be different for each campaign. 

Like many other ransomware groups, White Rabbit uses double extortion, threatening the victim of the attack with publishing or selling data stolen from the compromised network if a ransom payment isn't received. They also threaten to leak the data if the victim contacts the FBI about the attack. 

It's not detailed how the cyber criminals behind White Rabbit initially compromise networks, but researchers note the use of Cobalt Strike, a penetration-testing tool, to gather information and move around affected systems. 

But something that has been detailed by researchers at cybersecurity company Lodestone is what appears to be a connection between White Rabbit and FIN8. They note that a malicious URL connected to the attack has previously been connected with FIN8 activity. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

In addition to this, Lodestone has identified White Rabbit being used alongside a never-before-seen version of Badhatch, a form of malware designed to create backdoors into compromised networks and that is associated with previous FIN8 campaigns targeting point-of-sale systems. 

"Currently, we are still determining if FIN8 and White Rabbit are indeed related or if they share the same creator. Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware," Trend Micro wrote in a blog post. 

For financially motivated cyber criminals, a shift towards ransomware could be seen as desirable because of the amount of money that can be made from encrypting networks, which can reach millions of dollars

It isn't without precedent – cybersecurity researchers have previously detailed how FIN11, an established financial crime group that previously focused on phishing and malware campaigns, changed tactics and switched to ransomware attacks. 


Editorial standards