Following a cyberattack on a U.S.-based company, malware researchers discovered what appears to be a new ransomware strain with "technically unique features," which they named Rorschach.
Among the capabilities observed is the encryption speed, which, according to tests from the researchers, would make Rorschach the fastest ransomware threat today.
The analysts found that the hackers deployed the malware on the victim network after leveraging a weakness in a threat detection and incident response tool.
Rorschach details
Researchers at cybersecurity company Check Point, responding to an incident at a company in the U.S., found that Rorschach was deployed using the DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks.
The attacker used the Cortex XDR Dump Service Tool (cy.exe) version 7.3.0.16740 to sideload the Rorschach loader and injector (winutils.dll), which lead to launching the ransomware payload, “config.ini,” into a a Notepad process.
The loader file features UPX-style anti-analysis protection, while the main payload is protected against reverse engineering and detection by virtualizing parts of the code using the VMProtect software.
Check Point reports that Rorschach creates a Group Policy when executed on a Windows Domain Controller to propagate to other hosts on the domain. After compromising a machine, the malware erases all event logs.
Attack chain (Check Point)
While it comes with hardcoded configuration, Rorschach supports command-line arguments that expand functionality.
Check Point notes that the options are hidden and can't be accessed without reverse engineering the malware. Below are some of the arguments the researchers discovered:
Arguments decoded by Check Point
Rorschach's encryption process
Rorschach will start encrypting data only if the victim machine is configured with a language outside the Commonwealth of Independent States (CIS).
The encryption scheme blends the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend, meaning that it encrypts the files only partially, lending it increased processing speed.
Rorschach encryption scheme (Check Point)
The researchers note that Rorschach’s encryption routine indicates "a highly effective implementation of thread scheduling via I/O completion ports."
To find how fast Rorschach’s encryption is, Check Point set up a test with 220,000 files on a 6-core CPU machine.
It took Rorschach 4.5 minutes to encrypt the data, whereas LockBit v3.0, considered the fastest ransomware strain, finished in 7 minutes.
After locking the system, the malware drops a ransom note similar to the format used by the Yanlowang ransomware.
According to the researchers, a previous version of malware used a ransom note similar to what DarkSide used.
Check Point says that this similarity is likely what caused other researchers to mistake a different version of Rorschach with DarkSide, an operation that rebranded to BlackMatter in 2021, and disappeared the same year.
Latest ransom note dropped by Rorschach (Check Point)
BlackMatter's members alter formed the ALPHV/BlackCat ransomware operation that launched in November 2021.
Check Point assesses that Rorschach has implemented the better features from some of the leading ransomware strains leaked online (Babuk, LockBit v2.0, DarkSide).
Along with the self-propagating capabilities, the malware "raises the bar for ransom attacks."
At the moment the operators of the Rorschach ransomware remain unknown and there is no branding, something that is rarely seen on the ransomware scene.
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.