Researchers at cybersecurity firm Check Point have discovered a new strain of ransomware that they have named Rorschach, which they believe to be the fastest threat of its kind currently active. Check Point found that Rorschach was deployed via a signed component in the Cortex XDR threat detection and incident response tool from Palo Alto Networks, using a DLL side-loading technique.
After compromising a machine, the malware erases four event logs to remove its trace, and it creates a Group Policy when executed on a Windows Domain Controller to propagate to other hosts on the domain.
The encryption scheme of Rorschach blends the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend, meaning that it encrypts the files only partially, lending it increased processing speed.
Check Point reports that Rorschach has technically unique features and a highly effective implementation of thread scheduling via I/O completion ports. The loader file features UPX-style anti-analysis protection, while the main payload is protected against reverse engineering and detection by virtualizing parts of the code using the VMProtect software.
Rorschach supports command-line arguments that expand functionality, but these are hidden and cannot be accessed without reverse engineering the malware.
The ransomware’s operators have not been identified, and there is no branding, a rarity in the ransomware scene.
Check Point believes that Rorschach has implemented the better features from some of the leading ransomware strains leaked online, including Babuk, LockBit v2.0, and DarkSide, and that the malware’s self-propagating capabilities raise the bar for ransom attacks. The similarities between Rorschach’s ransom note and that used by Yanlowang and DarkSide have caused confusion in the past, with a different version of Rorschach being mistaken for DarkSide.
