Rorschach Ransomware Emerges: Experts Warn of Advanced Evasion Strategies

Cybersecurity researchers have taken the wraps off a previously undocumented ransomware strain called Rorschach that’s both sophisticated and fast.

“What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not been seen before in ransomware,” Check Point Research said in a new report. “In fact, Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption.”

The cybersecurity firm said it observed the ransomware deployed against an unnamed U.S.-based company, adding it found no branding or overlaps that connect it to any previously known ransomware actors.

However, further analysis of Rorschach’s source code reveals similarities to Babuk ransomware, which suffered a leak in September 2021, and LockBit 2.0. On top of that, the ransom notes sent out to the victims appear to be inspired by that of Yanluowang and DarkSide.

The most significant aspect of the intrusion is the use of a technique called DLL side-loading to load the ransomware payload, a method not observed in such attacks. The development marks a new sophistication in the approaches adopted by financially motivated groups to sidestep detection.

Specifically, the ransomware is said to have been deployed by abusing Palo Alto Network’s Cortex XDR Dump Service Tool (cy.exe) to sideload a library named “winutils.dll.”

Another unique characteristic is its highly customizable nature and the use of direct syscalls to manipulate files and bypass defense mechanisms.

Rorschach ransomware is also tasked with terminating a predefined list of services, deleting shadow volumes and backups, clearing Windows events logs to erase forensic trail, disabling the Windows firewall, and even deleting itself after completing its actions.

Internal propagation is achieved by compromising the domain controller and creating a group policy, according to Check Point and South Korean cybersecurity company AhnLab, which erroneously attributed the infection chain to DarkSide earlier this February.

The ransomware, like other malware strains observed in the wild, skips machines that are located in the Commonwealth of Independent States (CIS) countries by checking the system language.

“The Rorschach ransomware employs a highly effective and fast hybrid-cryptography scheme, which blends the curve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes,” researchers Jiri Vinopal, Dennis Yarizadeh, and Gil Gekker explained.

This process is designed to only encrypt a specific portion of the original file content instead of the entire file, and employs additional compiler optimization methods that make it a “speed demon.”

In five separate tests carried out by Check Point in a controlled environment, 220,000 files were encrypted using Rorschach within four minutes and 30 seconds on average. LockBit 3.0, on the other hand, took approximately seven minutes.

“Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects,” the researchers said.

“Additionally, Rorschach appears to have taken some of the ‘best’ features from some of the leading ransomwares leaked online, and integrated them all together. In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks.”

The findings come as the Fortinet FortiGuard Labs detailed two emerging ransomware families called PayMe100USD, a Python-based file-locking malware, and Dark Power, which is written in the Nim programming language.