
Rewterz Threat Alert – New Ransomware Identified – White Rabbit – Active IOCs

Severity

High

Analysis Summary

A new strain of ransomware has been observed in retail, restaurant, and financial environments. The ransomware has been identified as White Rabbit. Through OSINT (open-source intelligence), it can be hypothesized that White Rabbit is linked to, or affiliated with, the FIN8 APT group.

PUNCHBUGGY and PUNCHTRACK are backdoor and scraping malware that form part of the TTPs (tactics, techniques, and procedures) of FIN8. The attack vectors used by this APT make it highly elusive and persistent. Security researchers also state that White Rabbit ransomware may have taken inspiration from the far more established Egregor ransomware.

“This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis,” the researchers pointed out, adding that “other samples might use a different password” than KissMe.


Ransom Note from White Rabbit

Impact

  • Financial Loss
  • Data Theft
  • File Encryption

Indicators of Compromise

Filename

  • Default[.]dll

IP

  • 104[.]168[.]132[.]128

MD5

  • 655c3c304a2fe76d178f7878d6748439
  • 087f82581b65e3d4af6f74c8400be00e

SHA-256

  • 03e8b29ad5055f1dda1b0e9353dc2c1421974eb3d0a115d0bb35c7d76f50de20
  • 4ee21b5fd8597e494ae9510f440a1d5bbcdb01bc653226e938df4610ee691f3a

SHA-1

  • ea2033e3c6190a2a025c288cdf429894dc86721b
  • ec35eeb8afaf0d7521ac098c20acfbb1680fd3d8

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Implement Incident Response plans in your organization.
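One way to act on the "block all threat indicators" step above is to sweep hosts and logs for the indicators listed in this advisory. The script below is an added example, not Rewterz's own tooling; it copies the advisory's defanged indicators as published, refangs them for comparison, and runs over constructed sample data (the log lines are invented and the file content is a harmless placeholder).

```python
"""Sweep file names/hashes and log lines for the White Rabbit IOCs above.
Added example; indicators copied from this advisory in defanged form."""
import hashlib
import re

# Indicators exactly as published in this advisory (defanged with [.]).
ADVISORY_IOCS = {
    "filename": ["Default[.]dll"],
    "ip": ["104[.]168[.]132[.]128"],
    "md5": ["655c3c304a2fe76d178f7878d6748439",
            "087f82581b65e3d4af6f74c8400be00e"],
    "sha1": ["ea2033e3c6190a2a025c288cdf429894dc86721b",
             "ec35eeb8afaf0d7521ac098c20acfbb1680fd3d8"],
    "sha256": ["03e8b29ad5055f1dda1b0e9353dc2c1421974eb3d0a115d0bb35c7d76f50de20",
               "4ee21b5fd8597e494ae9510f440a1d5bbcdb01bc653226e938df4610ee691f3a"],
}
# Whole IPv4 addresses only, so "1104.168.132.128" is not a false hit.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def refang(value: str) -> str:
    """Turn the advisory's 'x[.]y' notation back into 'x.y' for matching."""
    return value.replace("[.]", ".")


def check_bytes(name: str, data: bytes) -> list[str]:
    """Indicator types matched by a file with this name and content ([] = clean)."""
    hits = []
    if name.lower() in {refang(n).lower() for n in ADVISORY_IOCS["filename"]}:
        hits.append("filename")
    for algo in ("md5", "sha1", "sha256"):
        if hashlib.new(algo, data).hexdigest() in ADVISORY_IOCS[algo]:
            hits.append(algo)
    return hits


def find_ioc_ips(log_lines) -> list[str]:
    """Log lines that carry the advisory IP as a complete address."""
    ips = {refang(ip) for ip in ADVISORY_IOCS["ip"]}
    return [ln for ln in log_lines if ips & set(IP_RE.findall(ln))]


# Constructed sample log lines (invented for this example).
SAMPLE_LOG = [
    "2022-01-21T10:02:11 fw allow 10.0.0.5 -> 104.168.132.128:443",
    "2022-01-21T10:02:12 fw allow 10.0.0.5 -> 1104.168.132.128:443",
    "2022-01-21T10:02:13 fw allow 10.0.0.5 -> 8.8.8.8:53",
]

if __name__ == "__main__":
    print(check_bytes("Default.dll", b"constructed placeholder bytes"))  # ['filename']
    print(find_ioc_ips(SAMPLE_LOG))  # only the first sample line
```

A file-name hit alone is weak evidence (Default.dll is not a unique name); treat hash matches as the confirming signal and the IP as a pivot into network telemetry.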