Jump to content
  • New Rorschach ransomware is the fastest encryptor seen so far


    • 4 minutes

    • 4 minutes

    Following a cyberattack on a U.S.-based company, malware researchers discovered what appears to be a new ransomware strain with "technically unique features," which they named Rorschach.


    Among the capabilities observed is the encryption speed, which, according to tests from the researchers, would make Rorschach the fastest ransomware threat today.


    The analysts found that the hackers deployed the malware on the victim network after leveraging a weakness in a threat detection and incident response tool.

    Rorschach details

    Researchers at cybersecurity company Check Point, responding to an incident at a company in the U.S., found that Rorschach was deployed using the DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks.


    The attacker used the Cortex XDR Dump Service Tool (cy.exe) version to sideload the Rorschach loader and injector (winutils.dll), which lead to launching the ransomware payload, “config.ini,” into a a Notepad process.


    The loader file features UPX-style anti-analysis protection, while the main payload is protected against reverse engineering and detection by virtualizing parts of the code using the VMProtect software.


    Check Point reports that Rorschach creates a Group Policy when executed on a Windows Domain Controller to propagate to other hosts on the domain. After compromising a machine, the malware erases all event logs.



    Attack chain (Check Point)


    While it comes with hardcoded configuration, Rorschach supports command-line arguments that expand functionality.


    Check Point notes that the options are hidden and can't be accessed without reverse engineering the malware. Below are some of the arguments the researchers discovered:



    Arguments decoded by Check Point


    Rorschach's encryption process


    Rorschach will start encrypting data only if the victim machine is configured with a language outside the Commonwealth of Independent States (CIS).


    The encryption scheme blends the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend, meaning that it encrypts the files only partially, lending it increased processing speed.



    Rorschach encryption scheme (Check Point)


    The researchers note that Rorschach’s encryption routine indicates "a highly effective implementation of thread scheduling via I/O completion ports."


    “In addition, it appears that compiler optimization is prioritized for speed, with much of the code being inlined. All of these factors make us believe that we may be dealing with one of the fastest ransomware out there.” - Check Point

    To find how fast Rorschach’s encryption is, Check Point set up a test with 220,000 files on a 6-core CPU machine.


    It took Rorschach 4.5 minutes to encrypt the data, whereas LockBit v3.0, considered the fastest ransomware strain, finished in 7 minutes.


    After locking the system, the malware drops a ransom note similar to the format used by the Yanlowang ransomware.


    According to the researchers, a previous version of malware used a ransom note similar to what DarkSide used.


    Check Point says that this similarity is likely what caused other researchers to mistake a different version of Rorschach with DarkSide, an operation that rebranded to BlackMatter in 2021, and disappeared the same year.



    Latest ransom note dropped by Rorschach (Check Point)


    BlackMatter's members alter formed the ALPHV/BlackCat ransomware operation that launched in November 2021.


    Check Point assesses that Rorschach has implemented the better features from some of the leading ransomware strains leaked online (Babuk, LockBit v2.0, DarkSide).


    Along with the self-propagating capabilities, the malware "raises the bar for ransom attacks."


    At the moment the operators of the Rorschach ransomware remain unknown and there is no branding, something that is rarely seen on the ransomware scene.



    User Feedback

    Recommended Comments

    There are no comments to display.

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...