Mysterious 'Rorschach' Ransomware Doubles Known Encryption SpeedsMysterious 'Rorschach' Ransomware Doubles Known Encryption Speeds
The malware is one of the most sophisticated ransomwares ever seen in the wild, and marks a leap ahead for cybercrime.
April 4, 2023
What might be the fastest-ever ransomware encryption binary has been spotted in the wild, locking up systems at nearly twice the speed of the notorious LockBit 3.0 malware.
According to speed tests by Check Point Research (CPR), the new baddie on the scene, dubbed "Rorschach," can encrypt 220,000 local drive files in just four and a half minutes. For comparison, LockBit 3.0 accomplished the task in seven minutes, and it's far, far faster than the median encryption time determined in testing last year.
"What's even more noteworthy is that the Rorschach ransomware is highly customizable. By adjusting the number of encryption threads via the command line argument, it can achieve even faster times," according to CPR research issued April 4.
A Patchwork of the Best Ransomware Techniques
Aside from its concerning efficiency, Rorschach is notable because it contains publicly known elements cribbed from leaked source code from other ransomware strains. And interestingly, the operators behind Rorschach don't employ an alias, nor do they brand their wares — very uncommon to see in ransomware gangland where reputation matters and self-promotion is rife.
The result is a malware strain that is open to interpretation in terms of who its operators are and where it fits in the ecosystem — hence the name.
“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high levels technically distinct features taken from different ransomware families — making it special and different from other ransomware families," says Sergey Shykevich, threat intelligence group manager at CPR.
The Frankenstein aspects present in the malware include:
Autonomously carrying out tasks that are usually manual in ransomware strains, such as creating a domain group policy (LockBit 2.0);
A hybrid-cryptography scheme that is the basis of its encryption speed (Babuk);
The list of services to be stopped in Rorschach's configuration (Babuk);
The list of languages used to halt the malware (LockBit 2.0);
And, the I/O Completion Ports method of thread (LockBit 2.0).
Rorschach's Unique Coding Elements
However, while it's a borrower, Rorschach also adds its own special sauce to the proceedings. For instance, CPR spotted it being deployed in the US using DLL side-loading and an older version of Palo Alto Networks' (PAN) Cortex XDR Dump Service Tool — something that PAN verified.
"Palo Alto Networks has verified that Cortex XDR 7.7, and newer versions, with content update version 240, and later content updates, detect and block the ransomware," according to an advisory PAN issued in tandem with CPR's research.
It also makes use of direct syscalls to silently inject malicious code into other processes, which CPR researchers called "startling," since the technique is extremely rare in the ransomware ecosystem.
"This technique is commonly used to evade behavioral detection by advanced and sophisticated malware, and is not commonly observed in ransomware," explains Shykevich. "Implementation of such mechanisms makes it much more difficult to detect the ransomware."
Also notable: It's partially autonomous, meaning that it can worm its way through an environment without user interaction.
"It spreads itself automatically when executed on a Domain Controller (DC), while it clears the event logs of the affected machines," according to the analysis. "In addition, it’s extremely flexible, operating not only based on a built-in configuration but also on numerous optional arguments which allow it to change its behavior according to the operator’s needs."
In all, Rorschach "raises the bar for ransom attacks," according to CPR researchers.
"This is the fastest and one of the most sophisticated ransomware we’ve seen so far," Shykevich says. "It speaks to the rapidly changing nature of cyberattacks and to the need for companies to deploy a prevention-first solution that can stop Rorschach from encrypting their data.”
About the Author(s)
You May Also Like
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023
Everything You Need to Know About DNS AttacksNov 30, 2023
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Get the Gartner Report: SOC Model Guide
Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
Building Immunity: The 2021 Healthcare and Pharmaceutical Industry Cyber Threat Landscape Report