What might be the fastest-ever ransomware encryption binary has been spotted in the wild, locking up systems at nearly twice the speed of the notorious LockBit 3.0 malware.
According to speed tests by Check Point Research (CPR), the new baddie on the scene, dubbed "Rorschach," can encrypt 220,000 local drive files in just four and a half minutes. For comparison, LockBit 3.0 accomplished the task in seven minutes, and it's far, far faster than the median encryption time determined in testing last year.
"What's even more noteworthy is that the Rorschach ransomware is highly customizable. By adjusting the number of encryption threads via the command line argument, it can achieve even faster times," according to CPR research issued April 4.
A Patchwork of the Best Ransomware Techniques
Aside from its concerning efficiency, Rorschach is notable because it contains publicly known elements cribbed from leaked source code from other ransomware strains. And interestingly, the operators behind Rorschach don't employ an alias, nor do they brand their wares — very uncommon to see in ransomware gangland where reputation matters and self-promotion is rife.
The result is a malware strain that is open to interpretation in terms of who its operators are and where it fits in the ecosystem — hence the name.
“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high levels technically distinct features taken from different ransomware families — making it special and different from other ransomware families," says Sergey Shykevich, threat intelligence group manager at CPR.
The Frankenstein aspects present in the malware include:
- Autonomously carrying out tasks that are usually manual in ransomware strains, such as creating a domain group policy (LockBit 2.0);
- A hybrid-cryptography scheme that is the basis of its encryption speed (Babuk);
- Ransom notes that borrow heavily from previous ransomware families (DarkSide and Yanluowang);
- The list of services to be stopped in Rorschach's configuration (Babuk);
- The list of languages used to halt the malware (LockBit 2.0);
- And, the I/O Completion Ports method of thread (LockBit 2.0).
Rorschach's Unique Coding Elements
However, while it's a borrower, Rorschach also adds its own special sauce to the proceedings. For instance, CPR spotted it being deployed in the US using DLL side-loading and an older version of Palo Alto Networks' (PAN) Cortex XDR Dump Service Tool — something that PAN verified.
"Palo Alto Networks has verified that Cortex XDR 7.7, and newer versions, with content update version 240, and later content updates, detect and block the ransomware," according to an advisory PAN issued in tandem with CPR's research.
It also makes use of direct syscalls to silently inject malicious code into other processes, which CPR researchers called "startling," since the technique is extremely rare in the ransomware ecosystem.
"This technique is commonly used to evade behavioral detection by advanced and sophisticated malware, and is not commonly observed in ransomware," explains Shykevich. "Implementation of such mechanisms makes it much more difficult to detect the ransomware."
Also notable: It's partially autonomous, meaning that it can worm its way through an environment without user interaction.
"It spreads itself automatically when executed on a Domain Controller (DC), while it clears the event logs of the affected machines," according to the analysis. "In addition, it’s extremely flexible, operating not only based on a built-in configuration but also on numerous optional arguments which allow it to change its behavior according to the operator’s needs."
In all, Rorschach "raises the bar for ransom attacks," according to CPR researchers.
"This is the fastest and one of the most sophisticated ransomware we’ve seen so far," Shykevich says. "It speaks to the rapidly changing nature of cyberattacks and to the need for companies to deploy a prevention-first solution that can stop Rorschach from encrypting their data.”