New Ransomware Family “White Rabbit” Discovered


IT security firm Trend Micro has discovered a new family of ransomware called “White Rabbit” which is capable of avoiding detection. The firm said White Rabbit has a potential connection to FIN8, an advanced persistent threat group. However, it could not confirm the connection at this time.

Trend Micro first detected the ransomware in an attack against a local US bank in December last year. It added that White Rabbit has similar traits to Egregor, an established ransomware family.

Read on to learn more about White Rabbit and how you can protect yourself.

White Rabbit Requires Specific Command-line Password

At first glance, White Rabbit is not likely to raise suspicion. It is a small file of around 100 KB. Furthermore, it has no notable strings and doesn’t register much activity either.

However, what makes White Rabbit noteworthy is that its ransomware payload binary requires a specific command-line password. The password decrypts its internal configuration, after which the binary proceeds with its ransomware routine.

“This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis,” Trend Micro said in its blog post.

“The telltale sign of its malicious origin is the presence of strings for logging, but the actual behavior would not be easily observed without the correct password,” it added.
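The telltale sign Trend Micro describes, a few readable logging strings sitting next to an opaque blob that only decrypts with the right password, is something a triage script can surface without the password. The following is an added example, not Trend Micro's or White Rabbit's code: it extracts printable strings and flags high-entropy regions in a constructed byte sequence that stands in for a sample; the log-style strings, the pseudo-random blob and the thresholds are assumptions.

```python
import hashlib
import math
import re

def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted config (constructed)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])

# Constructed sample: opaque blob, a few logging strings, opaque blob. Not a real payload.
LOG_STRINGS = b"\x00".join(
    [b"[+] worker started", b"[+] enumerating drives", b"[-] config decrypt failed"]) + b"\x00"
OPAQUE = _pseudo_random(8192, b"constructed-sample")
SAMPLE = OPAQUE + LOG_STRINGS + OPAQUE

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent (typical of encrypted data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII, the classic `strings` heuristic."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def high_entropy_regions(data: bytes, chunk: int = 1024, threshold: float = 7.0) -> list:
    """(start, end, entropy) for each fixed-size chunk whose entropy exceeds the threshold."""
    regions = []
    for off in range(0, len(data), chunk):
        h = shannon_entropy(data[off:off + chunk])
        if h >= threshold:
            regions.append((off, min(off + chunk, len(data)), round(h, 2)))
    return regions

def triage(data: bytes) -> dict:
    """Summarise what an analyst sees before any password is known: size, strings, opaque share."""
    strings = printable_strings(data)
    regions = high_entropy_regions(data)
    opaque = sum(end - start for start, end, _ in regions)
    fraction = round(opaque / len(data), 2) if data else 0.0
    return {
        "size_bytes": len(data),
        "string_count": len(strings),
        "log_like_strings": [s for s in strings if re.match(r"^\[[+\-!*]\]", s)],
        "high_entropy_regions": regions,
        "opaque_fraction": fraction,
        # Mostly opaque content plus logging strings is the pattern worth a closer look.
        "suspicious": bool(regions) and fraction > 0.5,
    }
```

A real sample would be read from disk and the thresholds tuned against known-good binaries; the point is that the encrypted configuration shows up as entropy even when its contents do not.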

White Rabbit’s ransomware routine is not novel or complicated. It uses double extortion: data is stolen from victims, who are then also threatened with its publication.

Interestingly, other security researchers found that the malicious URL connected to White Rabbit is related to the advanced persistent threat (APT) group called FIN8. The group is known for being financially motivated and usually carries out phishing campaigns.

Researchers at Lodestone also said White Rabbit uses a version of Badhatch, which is an F5 backdoor that has ties to FIN8.

Trend Micro also said, “given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware.”

Unfortunately, Trend Micro could not confirm this association. You can read more about FIN8 and one of their high-profile attacks from last year here.

How to Protect Yourself from White Rabbit

Trend Micro recommends the following steps to organizations to mitigate risks associated with ransomware attacks such as White Rabbit:

  • Deploying cross-layered detection and response solutions that can anticipate ransomware threats before culmination
  • Creating an attack prevention and recovery playbook to help organizations prepare for different attack scenarios
  • Conducting simulations to identify potential gaps in their security systems

Organizations need to establish security guidelines to protect themselves against such attacks, especially as new and more harmful iterations of malware come to light. “White Rabbit is likely still in its development phase, considering its uncomplicated ransomware routine. Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware,” Trend Micro stated in its blog.

If you found this story interesting, we recommend checking out our article that explains everything you need to know about ransomware.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.