cybersecurity experts have unveiled a previously unknown and highly sophisticated ransomware variant, Rorschach, which is both advanced and swift. Rorschach ransomware distinguishes itself from other strains with its exceptional customization and unique technical features not previously seen in ransomware, according to a report by Check Point Research. In fact, Rorschach is considered one of the fastest encrypting ransomware strains ever observed.
The cybersecurity company discovered the ransomware deployed against an unnamed U.S.-based business, noting no apparent connections to any known ransomware actors. Nevertheless, a deeper examination of Rorschach’s source code reveals similarities to Babuk ransomware and LockBit 2.0, while the ransom notes sent to victims appear to be inspired by Yanluowang and DarkSide.
Rorschach ransomware’s most notable aspect is the use of a technique called DLL side-loading to load the ransomware payload, a method previously unobserved in such attacks. This development signifies a new level of sophistication in the tactics employed by financially motivated groups to avoid detection.
The ransomware is reportedly deployed by abusing Palo Alto Network’s Cortex XDR Dump Service Tool (cy.exe) to sideload a library called “winutils.dll.” Another distinct characteristic is its highly customizable nature and the use of direct syscalls to manipulate files and bypass defense mechanisms.
Rorschach ransomware is also responsible for terminating a predefined list of services, deleting shadow volumes and backups, clearing Windows event logs to erase forensic trails, disabling the Windows firewall, and even self-deleting after completing its actions.
Researchers from Check Point and South Korean cybersecurity firm AhnLab, which mistakenly attributed the infection chain to DarkSide in February, report that internal propagation is achieved by compromising the domain controller and creating a group policy. Like other malware strains observed in the wild, Rorschach ransomware avoids machines located in the Commonwealth of Independent States (CIS) countries by checking the system language.
Rorschach ransomware employs an efficient and fast hybrid-cryptography scheme, combining curve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes, according to researchers Jiri Vinopal, Dennis Yarizadeh, and Gil Gekker. The encryption process targets specific portions of file content rather than the entire file and employs additional compiler optimization methods, making it a “speed demon.”
In five separate tests conducted by Check Point in a controlled environment, Rorschach encrypted 220,000 files within an average of four minutes and 30 seconds, while LockBit 3.0 took around seven minutes. The researchers highlighted that Rorschach’s developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more challenging for security software and researchers to analyze and mitigate its effects.
The findings coincide with Fortinet FortiGuard Labs’ details on two emerging ransomware families, PayMe100USD, a Python-based file-locking malware, and Dark Power, written in the Nim programming language.
