Self-Propagating, Fast-Encrypting ‘Rorschach’ Ransomware Emerges


The newly identified ‘Rorschach’ ransomware uses a highly effective file-encrypting routine that makes it one of the fastest ransomware families out there, cybersecurity firm Check Point warns.

Already claiming at least one victim in the US, Rorschach can spread itself automatically if executed on a domain controller. The malware is highly configurable and contains unique functions that set it apart from other ransomware families.

While it appears to have been inspired by notorious ransomware families, Rorschach does not appear to be linked to any of them, and its operator appears to have no affiliation with known ransomware groups.

Rorschach’s execution relies on three files: cy.exe (Cortex XDR Dump Service Tool) is executed to side-load winutils.dll (loader and injector), which in turn loads config.ini (the Rorschach ransomware itself) into memory and injects it into notepad.exe.
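The three-file execution chain above is the kind of sequence a defender can look for in endpoint telemetry. The following detector is an added example (not code from the article or from Check Point): it groups process, image-load, file-read and injection events per process and reports any cy.exe process that shows one or more stages of the chain (winutils.dll load, config.ini read, notepad.exe injection), distinguishing a full chain from a lone DLL load that only merits triage. The record format, field names and sample records are constructed for this example and would need to be mapped onto a real EDR or Sysmon schema.

```python
"""Added detection example: not code from the article or from Check Point.

Flags the Rorschach execution chain the article describes, as seen from
endpoint telemetry:  cy.exe -> side-loads winutils.dll -> reads config.ini
into memory -> injects notepad.exe.  The record format, field names and
sample records below are constructed for this example; map them to your own
EDR or Sysmon schema before use.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

HOST_IMAGE = "cy.exe"  # signed Cortex XDR Dump Service Tool used as the side-load host

# Chain stages, in order, as (event kind, file or process basename).
CHAIN: List[Tuple[str, str]] = [
    ("imageload", "winutils.dll"),  # loader/injector side-loaded by cy.exe
    ("fileread", "config.ini"),     # ransomware payload read and loaded in memory
    ("inject", "notepad.exe"),      # payload injected into notepad.exe
]


@dataclass
class Event:
    host: str
    pid: int
    image: str   # basename of the acting process, lowercased
    kind: str    # process | imageload | fileread | inject
    target: str  # basename of the loaded DLL / read file / injected process


@dataclass
class Finding:
    host: str
    pid: int
    stages_seen: List[str]  # chain targets observed for this cy.exe process
    complete: bool          # all three stages observed


def parse_line(line: str) -> Event:
    """Parse one constructed record: host | pid | image | kind | target."""
    host, pid, image, kind, target = (p.strip() for p in line.split("|"))
    return Event(host, int(pid), ntpath.basename(image).lower(),
                 kind.lower(), ntpath.basename(target).lower())


def detect(lines: Iterable[str]) -> List[Finding]:
    """Group chain-stage events per (host, pid) of cy.exe and report each process."""
    seen: Dict[Tuple[str, int], Set[Tuple[str, str]]] = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_line(line)
        if ev.image == HOST_IMAGE and (ev.kind, ev.target) in CHAIN:
            seen[(ev.host, ev.pid)].add((ev.kind, ev.target))
    findings = []
    for (host, pid), stages in seen.items():
        ordered = [target for kind, target in CHAIN if (kind, target) in stages]
        findings.append(Finding(host, pid, ordered, len(ordered) == len(CHAIN)))
    return sorted(findings, key=lambda f: (f.host, f.pid))


def severity(f: Finding) -> str:
    """Full chain is high confidence; a partial chain (for example only a
    winutils.dll load under cy.exe) is a side-load candidate worth triage."""
    return "high" if f.complete else "medium"


# Constructed telemetry: ws01 shows the full chain, ws02 only the first stage,
# ws03 is an unrelated notepad.exe launch that must not be flagged.
SAMPLE_TELEMETRY = r"""
# host | pid | image | kind | target
ws01 | 4120 | C:\Users\Public\cy.exe | process   | C:\Users\Public\cy.exe
ws01 | 4120 | C:\Users\Public\cy.exe | imageload | C:\Users\Public\winutils.dll
ws01 | 4120 | C:\Users\Public\cy.exe | fileread  | C:\Users\Public\config.ini
ws01 | 4120 | C:\Users\Public\cy.exe | inject    | notepad.exe
ws02 |  900 | C:\Tools\cy.exe        | imageload | C:\Tools\winutils.dll
ws03 |   77 | C:\Windows\notepad.exe | process   | C:\Windows\notepad.exe
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_TELEMETRY.splitlines()):
        print(f"{f.host} pid={f.pid} severity={severity(f)} stages={f.stages_seen}")
```

Running the block prints one line per flagged cy.exe process: ws01 at high severity with all three stages, ws02 at medium with only the DLL load. Keying on the process (host, pid) rather than on file names alone is what keeps the unrelated notepad.exe launch on ws03 out of the results.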

The ransomware spawns multiple processes with falsified command-line arguments and uses them to stop specific processes, delete volume shadow copies and backups, clear Windows event logs, and disable the Windows firewall.

If executed on a domain controller, the malware creates a group policy that allows it to automatically spread to other machines on the domain.

Rorschach includes safeguards against analysis and can evade defenses by making direct system calls. While other malware families have been seen making direct system calls, this is the first time the technique has been observed in ransomware.

Check Point’s analysis of Rorschach also uncovered multiple built-in options that are hidden and obfuscated and which allow the operators to control the ransomware remotely.

Rorschach also checks the infected system’s language and terminates itself if it detects a language used in CIS countries, including Russia.

One of Rorschach’s most important features is ‘a highly effective and fast hybrid-cryptography scheme’ that makes it one of the fastest ransomware families in the wild.

In a controlled encryption speed test, Rorschach encrypted 220,000 files in four and a half minutes, Check Point says. LockBit, which had previously emerged as the fastest ransomware, encrypted the same files in seven minutes.

“It turned out that we have a new speed demon in town. What’s even more noteworthy is that the Rorschach ransomware is highly customizable. By adjusting the number of encryption threads via [a] command line argument, it can achieve even faster times,” Check Point notes.

The cybersecurity firm also identified several similarities with other ransomware families: Babuk (the borrowed hybrid-cryptography scheme), LockBit (the same list of CIS languages and other methods), and Yanluowang (the ransom note).

“Rorschach appears to have taken some of the ‘best’ features from some of the leading ransomwares leaked online, and integrated them all together. In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks. The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations,” Check Point concludes.


SecurityWeek RSS Feed
