Following a cyberattack on a U.S.-based company, malware researchers discovered what appears to be a new ransomware strain with “technically unique features,” which they named Rorschach.
Among the capabilities observed is the encryption speed, which, according to tests from the researchers, would make Rorschach the fastest ransomware threat today.
The analysts found that the hackers deployed the malware on the victim network after leveraging a weakness in a threat detection and incident response tool.
Researchers at cybersecurity company Check Point, responding to an incident at a company in the U.S., found that Rorschach was deployed using the DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks.
The attacker used the Cortex XDR Dump Service Tool (cy.exe) version 126.96.36.19940 to sideload the Rorschach loader and injector (winutils.dll), which lead to launching the ransomware payload, “config.ini,” into a a Notepad process.
The loader file features UPX-style anti-analysis protection, while the main payload is protected against reverse engineering and detection by virtualizing parts of the code using the VMProtect software.
Check Point reports that Rorschach creates a Group Policy when executed on a Windows Domain Controller to propagate to other hosts on the domain.
After compromising a machine, the malware erases four event logs (Application, Security, System and Windows Powershell) to wipe its trace.
While it comes with hardcoded configuration, Rorschach supports command-line arguments that expand functionality.
Check Point notes that the options are hidden and can’t be accessed without reverse engineering the malware.
Rorschach’s encryption process
Rorschach will start encrypting data only if the victim machine is configured with a language outside the Commonwealth of Independent States (CIS).
The encryption scheme blends the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend, meaning that it encrypts the files only partially, lending it increased processing speed.
The researchers note that Rorschach’s encryption routine indicates “a highly effective implementation of thread scheduling via I/O completion ports.”
“In addition, it appears that compiler optimization is prioritized for speed, with much of the code being inlined. All of these factors make us believe that we may be dealing with one of the fastest ransomware out there.” – Check Point
To find how fast Rorschach’s encryption is, Check Point set up a test with 220,000 files on a 6-core CPU machine.
It took Rorschach 4.5 minutes to encrypt the data, whereas LockBit v3.0, considered the fastest ransomware strain, finished in 7 minutes.
After locking the system, the malware drops a ransom note similar to the format used by the Yanlowang ransomware.
According to the researchers, a previous version of malware used a ransom note similar to what DarkSide used.
Check Point says that this similarity is likely what caused other researchers to mistake a different version of Rorschach with DarkSide, an operation that rebranded to BlackMatter in 2021, and disappeared the same year.
BlackMatter’s members alter formed the ALPHV/BlackCat ransomware operation that launched in November 2021.
Check Point assesses that Rorschach has implemented the better features from some of the leading ransomware strains leaked online (Babuk, LockBit v2.0, DarkSide).
Along with the self-propagating capabilities, the malware “raises the bar for ransom attacks.”
At the moment the operators of the Rorschach ransomware remain unknown and there is no branding, something that is rarely seen on the ransomware scene.