New White Rabbit Ransomware Strain Has Possible Ties to Egregor

Security researchers published a recent report on a new strain of ransomware. The new ransomware is a member of its own family and has been dubbed White Rabbit, after the cute ASCII bunny that shows up in the ransom note. The ransomware is believed to be related to the advanced persistent threat actor known as APT8.

APT8 is one of the financially motivated APTs on the threat landscape, which has been active since 2018 and has launched ransomware attacks against businesses in the restaurant, hospitality, and retail industries.

Similarities Between White Rabbit and Egregor

Security firm Trend Micro published a report on the new White Rabbit ransomware and outlined some similarities between the new strain and the previously known Egregor ransomware. The two strains of ransomware have some very similar methods and approaches when it comes to the way they hide their tracks and attempt to avoid detection, even though they are different enough to be classified as two different families.

White Rabbit was first examined in more detail a couple of months ago, just ahead of Christmas 2021. Independent researcher Michael Gillespie published a Twitter post containing screenshots of White Rabbit's full ransom note and a couple of sample encrypted files, showcasing the extension used for encrypted files.

White Rabbit Goes for Double Extortion

The White Rabbit ransomware goes for double extortion - a method that has almost become the norm when it comes to ransomware attacks. The ransom note threatens that the hackers will publish sensitive exfiltrated information if the ransom is not paid. Over the last year, double extortion has become so widespread that if a new threat actor fails to go for it, it's almost a curious exception.

Analysis of White Rabbit's payload showed that the ransomware's initial payload is encrypted and needs to use a password string to decrypt the internal configuration of the final payload. In the sample analyzed by researchers, the password string used for this internal decryption process was "KissMe". The Egregor ransomware used very similar obfuscation techniques to hide its own malicious activity, which led to establishing a possible link between the two ransomware families.

Additionally, some of the techniques and methods used by White Rabbit are very similar to the methodology of the threat actor known as APT8.

Ransom Notes Everywhere!

On the technical level, White Rabbit doesn't do anything incredibly innovative. The ransomware encrypts files on the target system while avoiding any folders and files that might compromise overall system stability. Directories containing system drivers, Windows OS files, and installed software under Program Files are kept intact. All other user files are encrypted, and the .scrypt extension is added to the encrypted files. The ransomware also drops its ransom note alongside each and every encrypted file, producing ransom notes named filename.ext.scrypt.txt.
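As an added illustration (not code from the Trend Micro report or from this article), the following Python triage helper pairs files carrying the .scrypt extension with the per-file .scrypt.txt ransom notes described above, so a responder can confirm the pattern and see which directories were touched. The directory listing is constructed sample data, and the min_pairs threshold is an assumed tuning value.

```python
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".scrypt"        # extension appended to each encrypted file
NOTE_SUFFIX = ".scrypt.txt"         # ransom note dropped next to each encrypted file

# Constructed directory listing (not from a real incident) that mimics the
# note-per-file pattern, plus unrelated files and one system path the
# ransomware is reported to leave intact.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.scrypt",
    r"C:\Users\alice\Documents\budget.xlsx.scrypt.txt",
    r"C:\Users\alice\Documents\notes.txt.scrypt",
    r"C:\Users\alice\Documents\notes.txt.scrypt.txt",
    r"C:\Users\alice\Pictures\cat.jpg.scrypt",
    r"C:\Users\alice\Pictures\cat.jpg.scrypt.txt",
    r"C:\Users\alice\Desktop\readme.txt",
    r"C:\Users\alice\Desktop\orphan.pdf.scrypt.txt",
    r"C:\Windows\System32\drivers\ntfs.sys",
]

def pair_white_rabbit_artifacts(paths):
    """Return (encrypted files that have a matching note, notes with no encrypted file).

    A note for <name>.<ext> is <name>.<ext>.scrypt.txt, so a note maps back to
    its encrypted file by dropping the trailing '.txt'. Matching is
    case-insensitive (NTFS semantics); the original spelling is preserved.
    """
    encrypted = {}   # lowercased path -> original path
    notes = {}
    for p in paths:
        low = p.lower()
        if low.endswith(NOTE_SUFFIX):            # check the longer suffix first
            notes[low[:-len(".txt")]] = p
        elif low.endswith(ENCRYPTED_SUFFIX):
            encrypted[low] = p
    paired = sorted(encrypted[k] for k in encrypted.keys() & notes.keys())
    orphan_notes = sorted(notes[k] for k in notes.keys() - encrypted.keys())
    return paired, orphan_notes

def triage(paths, min_pairs=2):
    """Summarise pair count, orphan notes and affected directories; 'hit' flags the pattern."""
    paired, orphans = pair_white_rabbit_artifacts(paths)
    per_dir = Counter(str(PureWindowsPath(p).parent) for p in paired)
    return {"hit": len(paired) >= min_pairs, "paired": paired,
            "orphan_notes": orphans, "dirs": dict(per_dir)}

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Orphan notes (a .scrypt.txt file with no sibling .scrypt file) are worth a second look, since they may indicate a file that was removed or renamed after the note was dropped.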