The ransomware creates a note for each file it encrypts. Each note bears the name of the encrypted file and is appended with ".scrypt.txt." Prior to the ransomware routine, the malware also terminates several processes and services, particularly antivirus-related ones. 

The malware then tries to encrypt files (if the -f argument is not given) in fixed, removable, and network drives, as well as resources. It also tries to skip the following paths and directories to avoid crashing the system and destroying its own notes:

  • *.scrypt.txt
  • *.scrypt
  • c:windows*
  • *:sysvol*
  • *:netlogon*
  • c:filesource*
  • *.exe
  • *.dll
  • *desktop.ini
  • *:windows*
  • c:programdata*
  • *:programfiles*
  • *:program files (x86)*
  • *:program files (x64)*
  • *.lnk
  • *.iso
  • *.msi
  • *.sys
  • *.inf
  • %User Temp%*
  • *thumbs.db
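The two file-level artefacts described above, the ".scrypt" files and the per-file ".scrypt.txt" notes, are what an incident responder has to inventory after the fact. The following triage script is an added example, not Trend Micro's tooling: it walks a directory tree, collects both artefact types and pairs each note with the encrypted file it belongs to, reporting notes whose file is missing and encrypted files that have no note. It assumes, from the naming rule stated on the page, that an encrypted file is the original name plus ".scrypt" and its note is the same name plus ".txt"; the sample tree it builds is constructed for the demonstration.

```python
"""Inventory White Rabbit-style file artefacts in a directory tree.

Added example (not from the original post). Assumed naming rule:
    <original>.scrypt       encrypted file
    <original>.scrypt.txt   note written for that file
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".scrypt"
NOTE_SUFFIX = ".scrypt.txt"


@dataclass
class TriageResult:
    paired: list = field(default_factory=list)         # (encrypted, note) pairs
    orphan_notes: list = field(default_factory=list)   # note without its encrypted file
    unnoted_files: list = field(default_factory=list)  # encrypted file without a note


def triage_tree(root: str) -> TriageResult:
    """Walk root, classify artefacts by suffix and pair notes with files.

    Paths are returned relative to root so the report is readable and
    independent of where the tree was mounted for analysis.
    """
    encrypted = set()
    notes = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lower = name.lower()
            if lower.endswith(NOTE_SUFFIX):
                notes.add(rel)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.add(rel)

    result = TriageResult()
    for note in sorted(notes):
        # Strip the trailing ".txt" to get the encrypted file the note names.
        expected_file = note[: -len(".txt")]
        if expected_file in encrypted:
            result.paired.append((expected_file, note))
            encrypted.discard(expected_file)
        else:
            result.orphan_notes.append(note)
    result.unnoted_files = sorted(encrypted)
    return result


def build_sample_tree(root: str) -> None:
    """Constructed fixture, not real artefacts: two complete pairs, one orphan
    note, one encrypted file without a note, and an untouched .exe."""
    layout = {
        "docs/report.docx.scrypt": b"\x00" * 16,
        "docs/report.docx.scrypt.txt": b"constructed note text",
        "docs/budget.xlsx.scrypt": b"\x00" * 16,
        "docs/budget.xlsx.scrypt.txt": b"constructed note text",
        "docs/notes.txt.scrypt.txt": b"constructed note text",   # file missing
        "share/archive.zip.scrypt": b"\x00" * 16,               # note missing
        "bin/tool.exe": b"MZ",                                  # excluded extension
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo() -> TriageResult:
    """Build the constructed tree in a temp dir, triage it and clean up."""
    root = tempfile.mkdtemp(prefix="scrypt-triage-")
    try:
        build_sample_tree(root)
        return triage_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    res = run_demo()
    print("paired:", res.paired)
    print("orphan notes:", res.orphan_notes)
    print("encrypted files without a note:", res.unnoted_files)
```

Orphan notes and unnoted files are the interesting rows in a real investigation: a note without its file suggests the file was moved or restored after encryption, and an encrypted file without a note suggests the process was interrupted or the note was deleted, both of which help bound when and where the routine ran.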

Conclusion

Currently, we are still determining if FIN8 and White Rabbit are indeed related or if they share the same creator. Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware. So far, White Rabbit's targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack.

White Rabbit is thus likely still in its development phase, considering its uncomplicated ransomware routine. Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods. As such, it is worth monitoring.

A multilayered defense can help guard against modern ransomware and prevent the success of the evasion tactics it employs. Organizations can mitigate risks by taking these steps and employing these solutions:

  • Deploy cross-layered detection and response solutions. Find solutions that can anticipate and respond to ransomware activities, techniques, and movements before the threat culminates. Trend Micro Vision One™️ helps detect and block ransomware components to stop attacks before they can affect an enterprise.
  • Create a playbook for attack prevention and recovery. Both an incident response (IR) playbook and IR frameworks allow organizations to plan for different attacks, including ransomware.
  • Conduct attack simulations. Expose employees to a realistic cyberattack simulation that can help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps and attacks.

Indicators of Compromise (IOCs)

URL:

hxxps://104-168-132-128[.]nip[.]io/cae260
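The URL above is defanged, and its hostname is a nip.io name. nip.io is a public wildcard DNS service in which a hostname carrying an IPv4 address in dashed or dotted form (with an optional label in front) resolves to that address, so the same server can be reached under many hostnames. The script below is an added example, not part of the original post: it refangs the IOC, extracts the embedded address, and scans constructed proxy log lines for either the exact URL or any other nip.io hostname that maps to the same address. The log format and the lines themselves are constructed for the demonstration.

```python
"""Match the page's defanged URL IOC against proxy log lines.

Added example (not from the original post). Log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

DEFANGED_IOC_URL = "hxxps://104-168-132-128[.]nip[.]io/cae260"  # from the page

# a-b-c-d.nip.io or a.b.c.d.nip.io, optionally prefixed by another label.
_NIP_RE = re.compile(
    r"^(?:.*[.-])?(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})\.nip\.io$",
    re.IGNORECASE,
)


def refang(value: str) -> str:
    """Turn a defanged IOC (hxxp, [.]) back into a matchable URL."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def embedded_ip(host: str):
    """Return the IPv4 address a nip.io hostname resolves to, or None."""
    m = _NIP_RE.match(host)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(m.groups())))
    except ipaddress.AddressValueError:
        return None


def _url_field(line: str):
    """Pick the first http(s) URL token out of a whitespace-separated log line."""
    for tok in line.split():
        if tok.lower().startswith(("http://", "https://")):
            return tok
    return None


def scan_proxy_log(lines, defanged_ioc=DEFANGED_IOC_URL):
    """Return (line_number, reason) for every line that matches the IOC."""
    ioc = urlsplit(refang(defanged_ioc))
    ioc_host = (ioc.hostname or "").lower()
    ioc_ip = embedded_ip(ioc_host)
    hits = []
    for lineno, line in enumerate(lines, 1):
        url = _url_field(line)
        if url is None:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host == ioc_host and parts.path == ioc.path:
            hits.append((lineno, "exact IOC URL"))
        elif ioc_ip and embedded_ip(host) == ioc_ip:
            hits.append((lineno, f"nip.io host mapping to IOC address {ioc_ip}"))
    return hits


# Constructed sample lines in a squid-like access.log layout.
SAMPLE_LOG = [
    "1642500000.123 245 10.0.0.5 TCP_MISS/200 1234 GET https://104-168-132-128.nip.io/cae260 - HIER_DIRECT/104.168.132.128 text/html",
    "1642500003.456 180 10.0.0.9 TCP_MISS/200 9876 GET https://cdn.104.168.132.128.nip.io/update - HIER_DIRECT/104.168.132.128 application/octet-stream",
    "1642500007.789 52 10.0.0.5 TCP_HIT/200 512 GET https://www.example.com/index.html - NONE/- text/html",
    "1642500009.001 61 10.0.0.7 TCP_MISS/200 700 GET https://10-0-0-7.nip.io/internal - HIER_DIRECT/10.0.0.7 text/html",
]

if __name__ == "__main__":
    for lineno, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Matching on the embedded address rather than only the literal hostname is the point of the example: a wildcard DNS name costs the operator nothing to vary, so a string match on "104-168-132-128.nip.io" alone would miss the second line even though it reaches the same host.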

Disclaimer

Trend Micro Inc. published this content on 18 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 18 January 2022 11:04:06 UTC.