Rewterz Threat Alert – New Ransomware Identified – White Rabbit – Active IOCs

Severity

High

Analysis Summary

A new strain of ransomware has been observed in the retail, restaurant, and financial environments. The ransomware has been identified as White Rabbit. through OSINT (open-source intelligence) we can hypothesize that White Rabbit is linked to, or affiliated with the FIN8 APT group. 

PUNCHBUGGY and PUNCHTRACK are backdoor and scraping malware that are part of the TTPs (tactics, techniques, and procedures) of FIN8. The attack vectors used by the APT make them highly elusive and persistent. Security researchers also state that White Rabbit ransomware may have taken inspiration from Egregor ransomware which is far more established.

“This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis,” the researchers pointed out, adding that “other samples might use a different password” than KissMe.    

Ransom Note from White Rabbit

Impact

• Financial Loss
• Data Theft
• File Encryption

Indicators of Compromise

Filename

• Default[.]dll

IP

• 104[.]168[.]132[.]128

MD5

• 655c3c304a2fe76d178f7878d6748439
• 087f82581b65e3d4af6f74c8400be00e

SHA-256

• 03e8b29ad5055f1dda1b0e9353dc2c1421974eb3d0a115d0bb35c7d76f50de20
• 4ee21b5fd8597e494ae9510f440a1d5bbcdb01bc653226e938df4610ee691f3a

SHA-1

• ea2033e3c6190a2a025c288cdf429894dc86721b
• ec35eeb8afaf0d7521ac098c20acfbb1680fd3d8

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Implement Incident Response plans in your organization.