A new strain of ransomware called ‘Rorschach’ has been uncovered by researchers, who found that it is one of the fastest ransomware strains ever detected in the wild. Rorschach surpasses the previous record holder, LockBit v3.0, in speed, needing almost half the time LockBit takes to encrypt the same amount of data.
This makes Rorschach a formidable threat because the faster the encryption is, the less time defenders have to detect the attack and respond to the situation, increasing the likelihood of significant damage being done to the targeted network.
The researchers who discovered Rorschach, Check Point’s incident response team, noted that this new ransomware is based on past strains like LockBit v2.0, Babuk, and DarkSide, but it also includes functions like semi-automated propagation, which set it apart from any known strains.
During an attack observed by Check Point on one of its US-based clients, Rorschach was deployed using a digitally signed component of a commercial security product called Cortex XDR to infiltrate the target without raising any alarms. Rorschach’s loader file features UPX-style anti-analysis protection, and its main payload is protected by VMProtect, making it difficult to analyze. This level of obfuscation is unusual for ransomware.
Rorschach spreads automatically to connected systems when executed on a Windows Domain Controller, creating a Group Policy on its own. To thwart analysis, it erases all event logs on the compromised devices without requiring manual intervention or action from its operators.
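As an added detection sketch (not code from Check Point, MonsterCloud, or the ransomware itself), the following Python correlates the two behaviours described above: a Group Policy object being created on a domain controller, followed within minutes by audit-log clearing on domain hosts. The event records are constructed, the hostnames and account names are invented, and the event IDs are the standard Windows Security ones (5137 for directory service object creation, 1102 for the audit log being cleared).

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security event records (not real telemetry).
# 5137 = "A directory service object was created"; a GPO shows up with the
# object class groupPolicyContainer. 1102 = "The audit log was cleared".
SAMPLE_EVENTS = [
    {"ts": "2023-04-03T10:00:05", "host": "DC01", "event_id": 5137,
     "object_class": "groupPolicyContainer", "subject": "CORP\\svc-backup"},
    {"ts": "2023-04-03T10:01:40", "host": "DC01", "event_id": 1102,
     "object_class": None, "subject": "CORP\\svc-backup"},
    {"ts": "2023-04-03T10:02:10", "host": "WS-17", "event_id": 1102,
     "object_class": None, "subject": "CORP\\svc-backup"},
    # A routine GPO change an hour earlier with no log clearing afterwards.
    {"ts": "2023-04-03T09:00:00", "host": "DC02", "event_id": 5137,
     "object_class": "groupPolicyContainer", "subject": "CORP\\gpo-admin"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_gpo_then_log_clear(events, window_minutes=10):
    """Alert on a GPO creation followed, within the window, by audit-log
    clearing on any host: the clearing is checked fleet-wide because the
    policy pushes the payload to member systems, not only the DC."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for gpo in events:
        if gpo["event_id"] != 5137 or gpo["object_class"] != "groupPolicyContainer":
            continue
        t0 = parse_ts(gpo["ts"])
        cleared = [e["host"] for e in events
                   if e["event_id"] == 1102 and t0 <= parse_ts(e["ts"]) <= t0 + window]
        if cleared:
            alerts.append({"dc": gpo["host"], "account": gpo["subject"],
                           "cleared_hosts": cleared})
    return alerts


if __name__ == "__main__":
    for alert in detect_gpo_then_log_clear(SAMPLE_EVENTS):
        print(f"GPO created on {alert['dc']} by {alert['account']}; "
              f"logs cleared on {', '.join(alert['cleared_hosts'])}")
```

A real deployment would read these records from a SIEM rather than a list, but the correlation logic is the same; a short window keeps routine GPO edits from firing, as the DC02 record shows.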
The ransomware employs a highly effective and fast hybrid-cryptography scheme, which blends Curve25519 with the eSTREAM stream cipher HC-128 for encryption. Also, the payload is compiled with optimizations that favor speed and code inlining as much as possible, indicating that its authors were very deliberate in their work.
It is also worth noting that Rorschach follows the intermittent encryption tactic: it encrypts only part of each enumerated file, which renders the files unusable while finishing the encryption job much more quickly. This is a double-edged approach for the attackers, since the unencrypted portions sometimes make recovery by data recovery experts easier, although this is not always easy or possible.
In Check Point’s encryption speed comparison tests, Rorschach could encrypt 220,000 files on a 6-core CPU machine with 8 GB of RAM in just 4.5 minutes, whereas LockBit v3.0 took 7 minutes.
Another notable aspect of the strain is its support for multiple command-line arguments that can be pre-configured by the operators, giving them the flexibility to adjust attacks to the targeted systems. These arguments include setting the number of CPU threads, skipping network shares, pointing to specific configuration files, and defining an activation time.
The emergence of Rorschach highlights the need for increased protection measures, as it is a highly sophisticated, fast, and stealthy ransomware. MonsterCloud monitors this new threat closely and documents the tactics and techniques used by the threat actor to incorporate them into our proactive defense advice to customers. Moreover, we are analyzing the available samples and working closely with our specialist partners to identify potential weaknesses in the strain’s encryption scheme that could help in data restoration.