A Look at FIN8 Hackers’ White Rabbit Ransomware
- By David Lukic
- Published: Jan 19, 2022
- Last Updated: Mar 18, 2022
The hacking collective known as FIN8 appears to be using a new form of ransomware referred to as White Rabbit. Here is a quick look at this ransomware and why it is emerging as a serious digital security problem.
What, Exactly, is White Rabbit?
White Rabbit ransomware is a double-extortion attack whose payload stays concealed until it is launched with the command-line password “KissMe.” The White Rabbit attack also decorates its ransom message with artful pictures of ASCII rabbits, adding creative insult to injury. Cyber security experts consider White Rabbit a full ransomware family rather than a single, isolated attack.
Why is White Rabbit a Problem?
White Rabbit ransomware hit a bank located in the United States earlier in January. Digital security forensics specialists believe the attack is linked to FIN8, a group of digital criminals classified as an advanced persistent threat that zeroes in on targets for financial gain. The most concerning aspect of White Rabbit is that it conceals itself in a way that keeps digital security professionals from finding it.
The operators behind the White Rabbit attacks are replicating the strategy of the Egregor ransomware family to conceal the infiltration. Egregor claimed responsibility for the digital attack on Barnes & Noble bookstores in the fall of 2020. Egregor operates as ransomware-as-a-service (RaaS). Its digital infiltrations were so destructive that the FBI stepped in to warn the general public about the collective’s attacks in the aftermath of breaches at 150+ targeted organizations.
Is White Rabbit Completely Undetectable?
Though White Rabbit is difficult to identify and trace, it can be tracked, and several digital security groups have identified it. The Lodestone digital forensics team detected White Rabbit in mid-December.
The earliest identification of this ransomware appears to date back to mid-July, when FIN8 hackers executed a PowerShell script. That script contained script blocks nearly identical to those detailed in Bitdefender’s July article on FIN8.
White Rabbit is also unusual in that it requires a specific command-line string that serves as the password for decrypting its configuration; only once the configuration is decrypted does the ransomware launch. It accepts four arguments, summarized by the acronym “pflt”: “p” is the password, “f” the file to encrypt, “l” the logfile, and “t” the time at which the attack commences.
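The password-gated launch described above gives defenders a concrete command-line pattern to hunt for in process-creation telemetry. The following is an added detection example written for this article, not code from FIN8 or from any vendor analysis; it assumes the four arguments are passed as single-dash switches (`-p`, `-f`, `-l`, `-t`), which the article does not state, and it runs over a handful of constructed sample events rather than real logs.

```python
"""Score process command lines against the White Rabbit "pflt" launch pattern."""
import shlex
from dataclasses import dataclass, field

# Values taken from the article: the configuration-decryption password and the
# four accepted arguments p (password), f (file), l (logfile), t (time).
# The single-dash switch syntax is an assumption made for this example.
KNOWN_PASSWORD = "KissMe"
FLAG_MEANINGS = {"-p": "password", "-f": "file", "-l": "logfile", "-t": "time"}

# Constructed sample process-creation records (process name, command line),
# in the shape an EDR or Sysmon event would carry. Not real telemetry.
SAMPLE_EVENTS = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("update.exe", r'C:\Users\Public\update.exe -p KissMe -f "C:\Shares\Finance" -l C:\Users\Public\log.txt -t 23:00'),
    ("backup.exe", r"backup.exe -p secret -f archive.tar"),
    ("tool.exe", r"tool.exe -p KissMe"),
]


@dataclass
class Verdict:
    process: str
    score: int
    reasons: list = field(default_factory=list)

    def suspicious(self):
        # Threshold: the known password alone is enough to alert.
        return self.score >= 3


def parse_switches(cmdline):
    """Map each single-dash switch to its value (None when it has no value).

    Non-POSIX mode keeps Windows backslashes literal and quoted paths intact.
    """
    tokens = shlex.split(cmdline, posix=False)
    switches = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-") and len(tok) > 1:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and nxt.startswith("-"):
                nxt = None  # next token is another switch, not a value
            switches[tok.lower()] = nxt.strip('"') if nxt else None
    return switches


def assess(process, cmdline):
    """Score one command line; higher means closer to the pflt pattern."""
    sw = parse_switches(cmdline)
    v = Verdict(process=process, score=0)
    present = [f for f in FLAG_MEANINGS if f in sw]
    if sw.get("-p") == KNOWN_PASSWORD:
        v.score += 3
        v.reasons.append("known White Rabbit password supplied to -p")
    if len(present) == len(FLAG_MEANINGS):
        v.score += 2
        v.reasons.append("all four pflt switches present")
    elif len(present) >= 2:
        v.score += 1
        v.reasons.append("partial pflt switch set: " + ", ".join(present))
    return v


def scan(events):
    """Assess every (process, cmdline) pair and return the suspicious verdicts."""
    return [v for v in (assess(p, c) for p, c in events) if v.suspicious()]


if __name__ == "__main__":
    for v in scan(SAMPLE_EVENTS):
        print(f"{v.process}: score={v.score}; " + "; ".join(v.reasons))
```

The scoring is deliberately layered: the password value is the strongest signal because it is specific to this family, while the switch set alone is weak (many legitimate tools take `-p` and `-f`), so a partial match only nudges the score and never alerts by itself.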
What Does the White Rabbit Ransom Note Look Like?
The White Rabbit ransom note is distinctive in that it features images of bunnies and tells victims that their network infrastructure has been breached, their sensitive data leaked, and their files encrypted. This double-extortion approach is becoming increasingly popular among RaaS attackers. If the ransom is not paid, the stolen data is either sold on the black market or published on the internet for everyone to view.