FIN8 hackers linked to White Rabbit ransomware using double-extortion

The new ransomware that attacked a U.S. bank last month might be related to a financially motivated APT group

FIN8 hacking group possibly linked to ransomwareWhite Rabbit ransomware activities allegedly resemble FIN8 operations

The White Rabbit ransomware was recently caught in the wild and now is possibly linked to the group FIN8. The hacking team is known for various operations aimed at financial organizations by spreading POS malware.[1] The group aims to steal credit card details, and the recent links to this ransomware are believed to be a side-operation of the same APT group. The cryptovirus is focused on double-extortion methods besides general file-locking.[2]

The operation relies on the command-line password “KissMe” to hide the malicious activities, and the ransom note with a bunny art gets delivered.[3] The particular text file is dropped for each file that gets encrypted and marked with the .scrypt appendix. This ransom demand lists that critical data can get leaked and that victims need to contact creators for the proper settlement of the payment before the deletion of those important files begin.

These attackers rely on the double-extortion as many other ransomware gangs these days. The newest reports link the White Rabbit ransomware that affected the U.S. bank systems in December 2021 to the malicious actor group. The report[4] states that particular stealthy features can indicate the connection.

The ransomware features present functions of the advanced attacker

The particular attack of this ransomware started with the distribution of the executable. The payload was included in the 100 KB file that required a password to be entered on the command line execution for the decryption of the malicious payload. The password executes the ransomware, and it is previously known as used in Egregor, MegaCortex, SamSam malware attacks.[5]

Folders on the machine then can be scanned, and the ransomware looks for the possible files that can be encrypted. Each file receives the appendix, and a ransom note is created for each piece ransomware is encrypted. The threat encrypts devices and also targets removable network drivers. These threats affect commonly used data, so system data is not touched to prevent issues with the operating software performance.

The message from criminals that is delivered via text file ransom note informs about the exfiltration and possible data publishing if the payment is not sent and other requirements are not met. Criminals give four days to content them, and then data breach si the possible consequence.

This is the worst thing that can happen to people in large organizations because customer data can be considered sensitive and personally identifiable. Public exposure of such details can result in identity theft and privacy issues. This fact and the large financial value of such organizations make financial field companies a common target of threat actors.

Features that indicate links to FIN8

The particular deployment techniques from these White Rabbit ransomware attacks linked to the FIN8 APT group operations in the past. The particular deployment stages show the use of a backdoor that is never used before by anyone else except the FIN group.

The custom backdoor Badhatch should be kept by the developers and it is not common for criminals to share these creations with other attackers. Other similarities were linking PowerShell artifacts to particular operations of the group over the summer. The ransomware is not widely spread, and operations are targeting particular entities, but companies might hear this name in the future.

It is especially crucial for organizations because the threat can implement particular persistent features since threat actors behind the malware are not new in this field, and financially motivated criminals can be capable of much more.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions