New Rorschach ransomware is the fastest encryptor seen so far

Following a cyberattack on a U.S.-based company, malware researchers discovered what appears to be a new ransomware strain with “technically unique features,” which they named Rorschach.

Among the capabilities observed is the encryption speed, which, according to tests from the researchers, would make Rorschach the fastest ransomware threat today.

The analysts found that the hackers deployed the malware on the victim network after leveraging a weakness in a threat detection and incident response tool.

Rorschach details

Researchers at cybersecurity company Check Point, responding to an incident at a company in the U.S., found that Rorschach was deployed using the DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks.

The attacker used the Cortex XDR Dump Service Tool (cy.exe) version 7.3.0.16740 to sideload the Rorschach loader and injector (winutils.dll), which led to the ransomware payload, “config.ini,” being launched into a Notepad process.

The loader file features UPX-style anti-analysis protection, while the main payload is protected against reverse engineering and detection by virtualizing parts of the code using the VMProtect software.
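As an added example (not code from the article or from Check Point), the side-loading chain described above can be expressed as a small detection over Sysmon-style image-load and process-creation records: the signed cy.exe loading winutils.dll from its own directory outside the product's install path, and cy.exe spawning Notepad. The log lines and the install-directory path are constructed placeholders, not real values.

```python
import json
from pathlib import PureWindowsPath

# Names reported in the article: the signed Cortex XDR Dump Service Tool and the
# loader DLL it was made to side-load.
HOST_IMAGE = "cy.exe"
SIDELOADED_DLL = "winutils.dll"
# Placeholder for the product's legitimate install directory (assumption, not a real path).
TRUSTED_DIRS = {r"c:\program files\cortex-xdr-install-dir-placeholder"}

# Constructed Sysmon-style records (Event ID 7 = image load, Event ID 1 = process create).
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\cortex-xdr-install-dir-placeholder\\cy.exe", "ImageLoaded": "C:\\Program Files\\cortex-xdr-install-dir-placeholder\\winutils.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\Public\\cy.exe", "ImageLoaded": "C:\\Users\\Public\\winutils.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Users\\Public\\cy.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Users\\Public\\cy.exe"}
"""

def parse_events(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def is_sideload(event):
    """True when cy.exe loads winutils.dll from its own directory outside the trusted install path."""
    if event.get("EventID") != 7:
        return False
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() != HOST_IMAGE or loaded.name.lower() != SIDELOADED_DLL:
        return False
    # Side-loading resolves the DLL from the host binary's directory; a copy of the
    # signed tool dropped somewhere else on disk is the tell-tale here.
    same_dir = loaded.parent == image.parent
    trusted = str(loaded.parent).lower() in TRUSTED_DIRS
    return same_dir and not trusted

def is_notepad_child(event):
    """Process-creation record where cy.exe spawns Notepad, the injection target named above."""
    if event.get("EventID") != 1:
        return False
    return (PureWindowsPath(event["Image"]).name.lower() == "notepad.exe"
            and PureWindowsPath(event.get("ParentImage", "")).name.lower() == HOST_IMAGE)

def detect(text):
    events = parse_events(text)
    return {"sideload": [e["ImageLoaded"] for e in events if is_sideload(e)],
            "notepad_child": [e["Image"] for e in events if is_notepad_child(e)]}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```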

Check Point reports that Rorschach creates a Group Policy when executed on a Windows Domain Controller to propagate to other hosts on the domain.

After compromising a machine, the malware erases four event logs (Application, Security, System and Windows Powershell) to wipe its trace.

Attack chain (Check Point)

While it comes with hardcoded configuration, Rorschach supports command-line arguments that expand functionality.

Check Point notes that the options are hidden and can’t be accessed without reverse engineering the malware. Below are some of the arguments the researchers discovered:

Arguments decoded by Check Point

Rorschach’s encryption process

Rorschach will start encrypting data only if the victim machine is configured with a language outside the Commonwealth of Independent States (CIS).

The encryption scheme blends the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend, meaning that it encrypts the files only partially, lending it increased processing speed.

Rorschach encryption scheme (Check Point)

The researchers note that Rorschach’s encryption routine indicates “a highly effective implementation of thread scheduling via I/O completion ports.”

“In addition, it appears that compiler optimization is prioritized for speed, with much of the code being inlined. All of these factors make us believe that we may be dealing with one of the fastest ransomware out there.” – Check Point

To measure how fast Rorschach’s encryption is, Check Point set up a test with 220,000 files on a 6-core CPU machine.

It took Rorschach 4.5 minutes to encrypt the data, whereas LockBit v3.0, considered the fastest ransomware strain, finished in 7 minutes.

After locking the system, the malware drops a ransom note similar in format to the one used by the Yanluowang ransomware.

According to the researchers, a previous version of malware used a ransom note similar to what DarkSide used.

Check Point says that this similarity is likely what caused other researchers to mistake a different version of Rorschach for DarkSide, an operation that rebranded to BlackMatter in 2021 and disappeared the same year.

Latest ransom note dropped by Rorschach (Check Point)

BlackMatter’s members later formed the ALPHV/BlackCat ransomware operation that launched in November 2021.

Check Point assesses that Rorschach has implemented the best features from some of the leading ransomware strains leaked online (Babuk, LockBit v2.0, DarkSide).

Along with the self-propagating capabilities, the malware “raises the bar for ransom attacks.”

At the moment, the operators of the Rorschach ransomware remain unknown and there is no branding, something that is rarely seen on the ransomware scene.
