A new family of ransomware — called “White Rabbit” — could be targeting banks.
A U.S. bank was attacked in December, according to security firm Trend Micro. Although Trend Micro didn’t provide attack specifics, ransomware attacks typically steal customer account data and threaten to release it, often on the dark web, unless the financial institution pays a ransom.

The ransomware “carries a potential connection to the advanced persistent threat (APT) group FIN8,” according to cybersecurity firm Trend Micro. FIN8 is a financially motivated cybergang that has previously targeted the retail, hospitality and entertainment industries with tailored spearphishing campaigns using the downloader Punchbuggy and the point-of-sale (POS) malware Punchtrack.
White Rabbit appears to be in the testing phase, according to Trend Micro. Its success as ransomware will rely on exploiting a compromise within a network, Tom Atkins, a vice president of sales at identity detection and response provider Attivo Networks, told Bank Automation News.
“The key thing to remember about modern ransomware, and in particular White Rabbit ransomware, is that the attack isn’t successful unless the attacker can encrypt tens of thousands of systems within their target,” Atkins said. “There must be a compromise that allows for malicious software distribution inside a network,” in order for it to succeed, he added.
Seldom discussed is what comes after the initial malware compromise.
“This is ironic because what costs ransomware victims money is not the initial incursion, but rather the threat actor’s ability to successfully distribute malicious software inside an organization,” Atkins told BAN.
Trend Micro described what makes White Rabbit unique in a Jan. 18 blog post.
“One of the most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine,” the blog post said. “White Rabbit’s payload is inconspicuous at first glance, being a small file of around 100 KB with no notable strings and seemingly no activity.”
The ransomware’s attack can be identified by the presence of strings (sequences of characters) for logging in, although the security firm noted that its actual behavior wouldn’t be easily observed without the correct password.
Researchers from Lodestone Security, which specializes in cyber defense and incident response in the U.S., reported that White Rabbit uses a previously unseen version of Badhatch, an F5 backdoor also associated with the FIN8 cybergang, according to the blog post.
The ransomware creates a note for each file that it encrypts, which bears the name of the encrypted file and is appended with “.scrypt.txt,” according to Trend Micro. Before running its routine, it also ends several processes and services, including those related to antivirus.
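The per-file ransom note naming described above gives incident responders a simple, file-system-level artifact to look for. The following script is an added illustration, not code from Trend Micro or from the article: it walks a directory tree, treats any file ending in “.scrypt.txt” as a note, pairs each note with the sibling file whose name it was derived from, and reports notes that have no such sibling (which a triage run should still not ignore). The directory layout it scans is constructed inside the script for demonstration; the suffix is the one the article reports, and the function and file names are the author’s own.

```python
import os
import tempfile
from pathlib import Path

# Note naming reported in the article: "<encrypted file name>.scrypt.txt"
NOTE_SUFFIX = ".scrypt.txt"


def find_ransom_note_pairs(root):
    """Walk `root` and return (note_path, encrypted_path_or_None) tuples.

    A note is any file whose name ends with NOTE_SUFFIX. The file it belongs
    to is the sibling whose name equals the note's name with the suffix
    removed. Notes with no such sibling are still returned (second element
    None) so that a triage pass does not silently skip them.
    """
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        present = set(filenames)
        for name in sorted(filenames):
            if not name.endswith(NOTE_SUFFIX) or name == NOTE_SUFFIX:
                continue
            original = name[: -len(NOTE_SUFFIX)]
            note_path = os.path.join(dirpath, name)
            enc_path = os.path.join(dirpath, original) if original in present else None
            results.append((note_path, enc_path))
    return results


def summarize(pairs):
    """Count notes, affected directories and unpaired notes for a quick report."""
    dirs = {os.path.dirname(note) for note, _ in pairs}
    unpaired = sum(1 for _, enc in pairs if enc is None)
    return {"notes": len(pairs), "directories": len(dirs), "unpaired_notes": unpaired}


def build_sample_tree(root):
    """Create a constructed (not real) directory layout for the demonstration."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "q4.xlsx").write_bytes(b"\x00CONSTRUCTED-CIPHERTEXT\x00")
    (root / "finance" / "q4.xlsx.scrypt.txt").write_text("constructed ransom note\n")
    (root / "finance" / "README.txt").write_text("untouched file\n")
    (root / "hr").mkdir(exist_ok=True)
    # A note whose original file is gone: still worth reporting during triage.
    (root / "hr" / "staff.csv.scrypt.txt").write_text("constructed ransom note\n")
    return str(root)


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings.

    Paths are returned relative to the temp root, with forward slashes, and
    sorted by note path so the result is stable across platforms.
    """
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        pairs = find_ransom_note_pairs(tmp)
        relative = [
            (
                Path(note).relative_to(tmp).as_posix(),
                None if enc is None else Path(enc).relative_to(tmp).as_posix(),
            )
            for note, enc in pairs
        ]
        relative.sort(key=lambda p: p[0])
        return relative, summarize(pairs)


if __name__ == "__main__":
    found, report = demo()
    for note, enc in found:
        print(f"{note} -> {enc if enc else '(original file not present)'}")
    print(report)
```

Run against a real path, `find_ransom_note_pairs("/mnt/evidence")` gives the affected directories and the set of files whose originals should be prioritised for restoration from backup; the summary counts are a cheap way to scope how far the encryption routine got before it was stopped.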
Bank Automation Summit, taking place March 1-2 in Charlotte, is the first and only event to focus solely on automation in banking. The event will feature the brightest minds from across financial services on intelligent automation strategies and deployment. Learn more and register here for Bank Automation Summit 2022.