[MART] - Daily Diary #433 - Meet A New Ransomware: WhiteRabbit

CTAS-MAT ctas-mat at appgate.com
Tue Jan 18 21:21:51 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

18/01/2021 - Diary entry #433

This week a new ransomware operation was disclosed. Dubbed White Rabbit, the ransomware follows the double-extortion trend, encrypting files with a .scrypt extension and threatening to leak sensitive data online if the ransom is not paid within 4 days. WhiteRabbit is human-operated ransomware, probably dropped after a backdoor/botnet has infected the network and enough sensitive data has been stolen.

After infecting the device and encrypting the files, WhiteRabbit drops a very unusual ransom note. Besides claiming responsibility for the file encryption, the note contains a very detailed step-by-step manual on how users can contact the attackers. The manual also contains links with proof of stolen data and a list of "forbidden" actions: deleting the note, trying to edit or recover the files, shutting down the PC, and hiring the FBI/CIA. This last action would result in termination of communication, and all leaked data would be shared for free. All communication with the attackers is over a Tor-hosted website.

The new ransomware runs over a small payload (100KB) that needs to be executed with a correct command line containing a specific password, so that the next-stage payload can be decrypted and executed in memory. After execution starts, the ransomware scans for directories on the device and encrypts targeted files, dropping a ransom note for each file, with the encryption key at the end of the ransom note.

By forbidding communication with law enforcement, this incident shows how effective the recent operations are and their effect on cybercrime. The ransomware gangs are finally seeing consequences for their actions, and therefore we expect similar approaches to be taken by other groups, escalating their threats to avoid being investigated. We highly recommend that anyone affected never pay the ransom, as this guarantees neither that the files come back nor that the data will never be published. Contacting law enforcement is also more than recommended, as this is the only way to make the attackers (eventually) pay the price.

Kind Regards,


Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
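The per-file artifacts described in the entry above (every encrypted file renamed with a .scrypt extension, and a ransom note dropped for each of them) lend themselves to a quick incident-response triage script. The following is an added example, not code from the diary entry, from Appgate or from the ransomware itself; it assumes a ransom note named after the encrypted file with a ".txt" suffix (the entry does not give the note's file name, so that pattern is a parameter), and it runs over a constructed sample tree rather than real evidence.

```python
# Added triage example (not from the MART diary entry or Appgate): inventory a
# file tree for the artifacts the entry describes, i.e. files renamed with a
# ".scrypt" extension and a ransom note dropped beside each encrypted file.
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".scrypt"
# ASSUMPTION: the diary entry does not give the ransom note's file name; this
# example assumes "<encrypted file name>.txt" and makes it a parameter.
NOTE_SUFFIX = ".scrypt.txt"


def triage(root, encrypted_ext=ENCRYPTED_EXT, note_suffix=NOTE_SUFFIX):
    """Walk `root` and summarise encryption artifacts for an incident timeline."""
    encrypted, notes = [], set()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(note_suffix):
                notes.add(path)
            elif name.endswith(encrypted_ext):
                encrypted.append(path)

    per_dir = Counter(os.path.dirname(p) for p in encrypted)
    # An encrypted file without its note (or a note without a file) can mean the
    # encryptor was interrupted, which matters when deciding what is recoverable
    # and where the run stopped.
    encrypted_set = set(encrypted)
    without_note = sorted(
        p for p in encrypted
        if p[:-len(encrypted_ext)] + note_suffix not in notes
    )
    orphan_notes = sorted(
        n for n in notes
        if n[:-len(note_suffix)] + encrypted_ext not in encrypted_set
    )
    mtimes = [os.path.getmtime(p) for p in encrypted]

    def to_iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "encrypted_without_note": without_note,
        "orphan_notes": orphan_notes,
        "dirs_by_count": per_dir.most_common(),   # most affected directories first
        "first_seen": to_iso(min(mtimes)) if mtimes else None,
        "last_seen": to_iso(max(mtimes)) if mtimes else None,
    }


def build_sample_tree():
    """Construct a throwaway directory tree (constructed sample data, not real evidence)."""
    root = tempfile.mkdtemp(prefix="whiterabbit-triage-")
    layout = {
        "finance": ["q4.xlsx", "budget.docx"],
        "hr": ["payroll.csv"],
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for f in files:
            enc = os.path.join(d, f + ENCRYPTED_EXT)
            with open(enc, "wb") as fh:
                fh.write(b"\x00" * 16)            # stand-in for ciphertext
            if f != "payroll.csv":               # simulate an interrupted run: one file has no note
                with open(enc + ".txt", "w") as fh:
                    fh.write("ransom note placeholder\n")
    # An untouched file must not be counted.
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("not encrypted\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The script deliberately reports only on the artifacts the entry names (extension and per-file note) and does not attempt to parse the note's contents, since the note format is not documented here; if the key at the end of each note is later confirmed to be recoverable, extracting it would be a separate, carefully isolated step on copies of the evidence.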
