Rorschach Ransomware: Record-Breaking Encryption Speeds In Latest Threat Emergence

Key Highlights

• Rorschach ransomware can encrypt files on targeted systems in just 4 minutes and 30 seconds, setting a new record for encryption speed.
• It employs a combination of highly sophisticated techniques, including self-propagating capabilities, to make a recovery difficult for organizations.

A new sophisticated and fast ransomware family named Rorschach ransomware has recently emerged in the threat landscape. This ransomware was first deployed against a US based company and could encrypt files on targeted systems with an encryption speed of just four minutes and thirty seconds.

Attack Campaign and Customization

Ransomware attacks using Rorschach have been reported in Asia, Europe, and the Middle East. Rorschach is a highly customizable ransomware that uses direct syscalls, a rare feature in ransomware. The ransomware is deployed by exploiting the DLL side-loading vulnerability in the Cortex XDR Dump Service tool.

It is believed that Rorschach is derived from the leaked source code of Babuk ransomware and takes inspiration from some features of LockBit 2.0 ransomware.

Modus Operandi

The modus operandi of the Rorschach ransomware involves advanced techniques to make a recovery difficult and propagate the malware to other machines within a network.

1. Rorschach ransomware stops a predefined list of services upon execution.
2. It deletes shadow volumes and backups using legitimate Windows tools to hinder recovery.
3. When executed on a Windows Domain Controller, it creates a Group Policy to propagate to other machines within the domain.
4. Rorschach uses the curve25519 and eSTREAM cipher hc-128 algorithms to encrypt files.

Want to know about Introducing ChatGPT?

Although the operators responsible for the Rorschach ransomware are unidentified, organizations can use the IOCs linked to the ransomware to comprehend its attack behavior.

Another new ransomware dubbed PayMe100USD has also emerged in the crimeware landscape.

• The ransomware is written in Python and distributed via fake Bing installers.
• Once executed, it encrypts files in the D, E, and F drives and the user directory in the C drive.
• After encryption, it drops eight ransom notes, labeled ‘PayMe 1.txt’ to ‘PayMe 8.txt.’
• The ransomware demands a payment of $100 worth of Bitcoin within 48 hours to recover the affected files.

Threat actors behind the RR have implemented self-propagating capabilities that raise the bar for ransom attacks. Organizations must be vigilant and adopt best security practices to prevent ransomware attacks.