What You Need to Know About the New White Rabbit Ransomware

JANUARY 25TH, 2022

White Rabbit ransomware’s first public mention came in a December 14, 2021 tweet from ransomware expert Michael Gillespie, seeking a sample of the malware, says Bleeping Computer. Gillespie is also the creator of the ID Ransomware service. This website lets you upload a ransom note or sample encrypted file to identify the ransomware that has encrypted your data. So he knows his stuff.

Threatpost says this new ransomware family was used to attack an unnamed local U.S. bank, with cybersecurity firm Lodestone posting that its forensic investigations team had responded to a client whose environment was affected by White Rabbit on December 14, 2021. Lodestone notes that White Rabbit may be another nasty gift from financially motivated threat group Fin8. And it shouldn’t be surprising that financial institutions are a Fin8 target, with Bank Infosecurity posting in August 2021 that Fin8 targeted two unnamed financial institutions with a new backdoor.

What Is White Rabbit Ransomware?

Cybersecurity firm Trend Micro notes that the White Rabbit ransomware executable can be hard to spot because it’s small—a 100 KB file—with no notable strings and seemingly no activity. One of the few indicators of its malicious origin is the presence of strings used for logging. Still, its behavior can’t be easily observed without supplying a specific command-line password that decrypts the malicious payload. Once executed with the correct password, the ransomware scans all folders on the device and encrypts targeted files. It also creates a ransom note for each file it encrypts. Here’s a screen capture of the ransom note:


When the ransomware encrypts a device, removable and network drives are also targeted, with Windows system folders excluded from encryption so the attack doesn’t render the operating system unusable, too.

Lodestone also shares the analysis of events that led it to conclude that Fin8 was behind White Rabbit, including evidence of the strain, the top URLs used for communication with the hackers, and the login page for the White Rabbit communication channel. You’ll also find a detailed analysis from Trend Micro here.

What Should You Do About White Rabbit?

Trend Micro offers these suggestions for mitigating the risks from White Rabbit:

  • Deploy cross-layered detection and response solutions. Find solutions that can anticipate and respond to ransomware activities, techniques, and movements before the threat culminates.
  • Create a playbook for attack prevention and recovery. An incident response (IR) playbook and IR frameworks allow organizations to plan for different attacks, including ransomware.
  • Conduct attack simulations. Expose employees to a realistic cyberattack simulation to help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps and atta

We’d like to add that the best way to mitigate the impacts of any successful ransomware attack is to ensure you can recover your data. Arcserve offers the broadest portfolio of data protection and management solutions available under one roof that do just that—and much more.

Stay Tuned

We’ll share updates as more facts—and incidents—come to light regarding White Rabbit. Until then, contact us to talk to an Arcserve data protection expert or check out our free trial offers.