FIN8 Hacker group using new ‘White Rabbit’ Ransomware against U.S. Banks



THREAT LEVEL: Amber.


White Rabbit is a recently discovered ransomware family that may be a side project of the FIN8 hacking group. The first public disclosure came from a ransomware researcher who tweeted while seeking a sample of the malware. The strain was deployed against a local bank in the U.S. in December 2021.

The ransomware executable is a small payload (about 100 KB) that must be run from the command line with a password, which it uses to decode the malicious payload. Once launched, it scans every folder on the device, encrypts the files it finds, and drops a separate ransom note next to each encrypted file. A file named test[.]txt, for example, is encrypted as test[.]txt[.]scrypt, and a ransom note named test[.]txt[.]script[.]txt is written alongside it.

While encrypting a device, the ransomware also targets network and removable drives, but leaves Windows system directories untouched so that the operating system stays usable. The ransom note tells the victim that their files have been stolen and that, if the demands are not met, the stolen data will be leaked or sold.
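The per-file naming pattern described above is something a responder can look for directly on a file share or backup snapshot. The following script is an added example, not code from the advisory or from any of the referenced vendors: it walks a directory tree and pairs `.scrypt` files with the per-file ransom notes that the advisory describes, counting how many encrypted files sit in each directory. The sample path list is constructed for illustration, and because the advisory spells the note suffix `script` while the encrypted extension is `scrypt`, the heuristic accepts both spellings rather than assume which one is a typo.

```python
import os
from collections import Counter
from typing import Iterable

# Extension the advisory reports on encrypted files (test.txt -> test.txt.scrypt).
ENCRYPTED_EXT = ".scrypt"
# The advisory writes the per-file note as "<file>.script.txt" while the
# encrypted file carries ".scrypt"; accept both spellings (assumption).
NOTE_EXTS = (".scrypt.txt", ".script.txt")


def classify(paths: Iterable[str]) -> dict:
    """Pair encrypted files with their per-file ransom notes.

    Returns the encrypted files, notes that sit beside an encrypted file of the
    same original name, notes with no matching encrypted file, and a per-directory
    count of encrypted files (useful for seeing how far encryption spread).
    """
    files = set(paths)
    encrypted = {p for p in files if p.endswith(ENCRYPTED_EXT)}
    paired_notes, orphan_notes = set(), set()
    for p in files:
        for ext in NOTE_EXTS:
            if p.endswith(ext):
                original = p[: -len(ext)]          # strip the note suffix
                if original + ENCRYPTED_EXT in files:
                    paired_notes.add(p)            # note next to its encrypted file
                else:
                    orphan_notes.add(p)            # note whose file is missing/moved
                break
    return {
        "encrypted": sorted(encrypted),
        "paired_notes": sorted(paired_notes),
        "orphan_notes": sorted(orphan_notes),
        "affected_dirs": Counter(os.path.dirname(p) for p in encrypted),
    }


def looks_infected(result: dict) -> bool:
    """A single encrypted-file/note pair is enough to escalate for investigation."""
    return bool(result["paired_notes"])


def scan_tree(root: str) -> dict:
    """Walk a real directory tree (e.g. a mounted share or snapshot) and classify it."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            found.append(os.path.join(dirpath, name))
    return classify(found)


# Constructed sample listing standing in for a directory walk (not real IoCs).
SAMPLE_PATHS = [
    "/srv/share/reports/q4.xlsx.scrypt",
    "/srv/share/reports/q4.xlsx.scrypt.txt",
    "/srv/share/reports/notes.docx.scrypt",
    "/srv/share/reports/notes.docx.script.txt",
    "/srv/share/readme.txt",
    "/srv/share/old/plan.pdf.scrypt.txt",
    "C:/Windows/System32/kernel32.dll",
]

if __name__ == "__main__":
    result = classify(SAMPLE_PATHS)
    print("infected:", looks_infected(result))
    for directory, count in result["affected_dirs"].most_common():
        print(f"{count:4d} encrypted file(s) in {directory}")
    for note in result["orphan_notes"]:
        print("orphan ransom note:", note)
```

Run `scan_tree("/mnt/share")` against a mounted copy of the suspect volume; the `affected_dirs` counter gives a quick picture of which shares or removable drives were reached, and orphan notes flag places where the encrypted file has since been moved or deleted.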

Actor Details

Indicators of Compromise (IoCs)

References

https://www.trendmicro.com/en_nl/research/22/a/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html

https://lodestone.com/insight/white-rabbit-ransomware-and-the-f5-backdoor/

https://thehackernews.com/2022/01/fin8-hackers-spotted-using-new-white.html

https://otx.alienvault.com/pulse/61e7f74a936eea5d44026b8e