What You Need to Know About the New White Rabbit Ransomware

Since it was initially detected in late 2021, White Rabbit ransomware has emerged as a sophisticated threat. It exploits financial institutions' vulnerabilities and underlines the need for robust ransomware protection measures. Michael Gillespie, an authority on ransomware identification and founder of the ID Ransomware Service, was the first to spotlight this threat. The service lets you upload a ransom note or sample encrypted file to identify the ransomware that has encrypted your data. So, he knows his stuff.

Out of Hat: The Emergence of White Rabbit

An attack on an unnamed local U.S. bank, as reported by Threatpost and analyzed by cybersecurity firm Lodestone, showcases these criminals' targeted approach, which is believed to be the work of the Fin8 group. The group’s focus on financial institutions, including the deployment of new backdoors, raises significant concerns regarding the security of these vital entities—and the need for advanced ransomware strategies.

How White Rabbit Works

Understanding how malware works and its impacts on your organization can help you better combat this threat. Here’s how it breaks down:

Initial infiltration

White Rabbit often infiltrates systems using sophisticated phishing campaigns or exploiting network security vulnerabilities. This may involve deceptively realistic emails that trick users into executing the ransomware or exploiting unpatched vulnerabilities.

Stealth and Evasion Techniques

Once White Rabbit penetrates your system, it is designed to operate stealthily. Its small size—around 100 KB—and the requirement for a specific command-line password to initiate its payload decryption make it hard to detect with standard antivirus software. This evasion technique means the malware can lay dormant, without being detected, until the cybercriminals decide to activate it.

Encryption Mechanism

When the executable is opened with the correct password, White Rabbit scans the system for target files and begins encryption. Its robust encryption algorithms lock your files, making them inaccessible without the decryption key. The encryption targets many file types, removable devices, and network drives. 

Notably, it excludes Windows system folders because encrypting these would render the system inoperable while alerting users that an attack is occurring. It also creates a ransom note for each file it encrypts. 

Removal and Decryption Is Available, But Prevention Is Better

PC Risk offers a White Rabbit removal guide that can at least help you identify and eliminate the malware from your systems. But prevention is a better approach.

Meanwhile, Trend Micro offers these suggestions for mitigating the risks of White Rabbit:

• Deploy cross-layered detection and response solutions. Find solutions to anticipate and respond to ransomware activities, techniques, and movements before the threat culminates.
• Create a playbook for attack prevention and recovery. An incident response (IR) playbookand IR frameworks allow organizations to plan for different attacks, including ransomware.
• Conduct attack simulations. Expose employees to a realistic cyberattack simulation to help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps and attacks.

Here are some additional steps you must take to prevent ransomware attacks and ensure recovery:

• Implement advanced threat detection and response tools, like Sophos Intercept X Advanced for Server, which is included with Arcserve solutions. Intercept X uses AI to deliver advanced endpoint protection proactively. It combines signature-based and signatureless malware detection, a deep learning neural network, anti-exploit technology, CryptoGuard anti-ransomware, and WipeGuard boot-record protection.

• Follow the 3-2-1-1 strategy, which ensures your data can always be recovered by employing immutable backup storage. Immutable backups are written once and can never be altered or deleted by unauthorized users.

Get Expert Help With Data Protection

Arcserve Technology Partners can help you deploy the most effective—and cost-effective—prevention, backup, and disaster recovery solution to meet your requirements.

Find an Arcserve Technology Partner.