April 5 — A previously unknown ransomware strain, dubbed Rorschach, is now considered one of the fastest ransomware strains ever discovered. The ransomware is “technically unique,” as the malware boasts an ultra-fast encryption capability.
To be specific, Rorschach can encrypt 220,000 local drive files in just four and a half minutes. By comparison, LockBit 3.0 needed roughly double the time to accomplish the same task.
Researchers first observed the ransomware following a recent cyber attack on a U.S.-based company. Analysts found that the attackers deployed the ransomware after exploiting a weakness in a specific threat detection and incident response tool.
“What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not been seen before in ransomware,” said Check Point Research.
Probing Rorschach’s source code revealed similarities to Babuk ransomware and LockBit 2.0. In addition, the ransom notes distributed to victims appear to be inspired by those of the Yanluowang and Darkside ransomware groups.
Another novel facet of this ransomware is the use of direct syscalls to manipulate files and bypass defense mechanisms. Initial propagation is achieved by compromising the domain controller and creating a group policy, says Check Point and South Korean cyber security company, AhnLab.
This ransomware strain, like some other malware observed in recent years, skips machines that are located in the Commonwealth of Independent States (CIS) countries by checking the system language.
A Singapore-headquartered cyber security group stated that it identified Rorschach attacks targeting small and medium-sized companies and industrial firms across Asia, Europe and the Middle East.
“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high-level technically distinct features taken from different ransomware families – making it special and different from other ransomware families,” says Sergey Shykevich, threat intelligence group manager for Check Point Research. Unique capabilities of the malware include:
- Autonomously carrying out tasks that are usually manual in ransomware strains, such as creating a domain group policy
- A hybrid-cryptography scheme that is the basis of its encryption speed
- Ransom notes that borrow heavily from previous ransomware families
- The list of services to be stopped in Rorschach’s configuration
- The list of languages used to halt the malware
- And, the I/O Completion Ports method of thread
Rorschach was deployed using a DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks.
The attacker leveraged the Cortex XDR Dump Service Tool (cy.exe) version 184.108.40.20640 in order to sideload the Rorschach loader and injector, leading to the lauch of the ransomware paloyad, “config.ini” into a Notepad process.
Please see the full set of technical details here. Want to stay up-to-date with trends in technology? Check out the CyberTalk.org newsletter! Sign up today to receive top-notch news articles, best practices and expert analyses; delivered straight to your inbox.