Security researchers detected a previously unnamed ransomware strain, now dubbed Rorschach, in an attack against a US-based company.
What sets Rorschach ransomware apart from other strains is its high level of customization and technically unique features, making it one of the fastest ransomware strains ever observed in terms of encryption speed.
“Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain,” said the report by Check Point.
In addition, it does not bear any kind of branding which is a common practice among ransomware groups.
During the research, Rorschach ransomware was found to have an ‘unusual’ detection evading mechanism. Besides being customizable, Rorschach also performs tasks that other require manual execution including creating a Domain Group Policy (GPO).
The security researchers stated that Rorschach ransomware was the fastest encrypting malware due to its capability to implement itself using several methods.
Instead of the commonly used methods, the report revealed that the Rorschach ransomware was deployed using DLL side-loading of Palo Alto Network’s Cortex XDR Dump Service Tool, a signed commercial security product. This points at a new approach taken by cybercriminals to evade detection.
Fastest and one of the most sophisticated ransomware
Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research highlighted how the technically distinct features in Rorschach ransomware taken from different ransomware families make it different.
Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high levels of technically distinct features taken from different ransomware families – making it special and different from other ransomware families,” Shykevich told The Cyber Express.
“This is the fastest and one of the most sophisticated ransomware we have seen so far. It speaks to the rapidly changing nature of cyber attacks and the need for companies to deploy a prevention-first solution that can stop Rorschach from encrypting their data,” he added.
Rorschach ransomware explained
The partly autonomous Rorschach ransomware was found spreading upon execution on a Domain Controller that moves laterally on other machines within the domain.
Execution of the Rorschach ransomware (Photo: Check Point)
The Rorschach ransomware holds three files. Cy.exe to side-load winutils.dll, winutils.dll which is its loader that decrypts the files, and config.ini which holds the logic and configuration.
Rorschach ransomware was loaded using a DLL side-loading attack of a Cortex XDR Dump Service Tool which is not commonly used for ransomware.
This suggests that developers of the Rorschach ransomware were attempting to devise a sophisticated tool that evades detection as it is a signed security product that could confuse the victim and experts.
A DLL side-loading attack starts by searching in Windows and then employing a legitimate application to execute the payload. It helps in maintaining persistence, and evading detection to some extent.
Encryption details of the Rorschach ransomware
The hybrid-cryptography encryption scheme of the Rorschach ransomware targets specific files directed by the hacker. It generates a per-victim private key in the form of cryptographically random bytes using the WinAPI CryptGenRandom.
- The Rorschach injector was protected with UPX-style packing which depends on manual unpacking.
- Rorschach injects into notepad.exe while being guarded by VMProtect which obfuscates its coding.
- Rorschach payload makes syscall or direct system calls which are unlike most ransomware however is found in other malware. It finds the syscall numbers for NT APIs, stores them in a table, and calls a stub routine. This obfuscated process further helps it in evading detection.
- Its hardcoded configuration with built-in options was obfuscated and was accessible only through reverse engineering.
- Some arguments of the Rorschach ransomware were -nomail that would skip creating a ransom note, -at that would set a trigger time slot, -nobk to keep the device wallpaper as is, and -path for encrypting selected paths.
The extra speed of encryption by the Rorschach ransomware is attributed to the implementation of threat scheduling using I/O completion ports.
It was concluded after several red-teaming efforts that while LockBit v.3 took 7 minutes, Rorschach ransomware took approximately 4 minutes and 30 seconds to encrypt files.
Steps followed before encryption
The two system checks followed by the payload before encrypting were GetSystemDefaultUILanguage and GetUserDefaultUILanguage.
The checks searched for the language set by the user. Rorschach ransomware would cease if the language was used by CIS countries. Some of them were :
- Armenian
- Georgian
- Russian
- Ukrainian
- Belarusian
Similarities between the Rorschach and other ransomware
The Rorschach ransomware has not been associated with a cybercriminal group so far. However, several similarities have been found between Rorschach and other ransomware.
The details of the ransom note found a resemblance to the ransom notes by Yanluowang and DarkSide.
“The ransomware note sent out to the victim was formatted similarly to Yanluowang ransomware notes, although other variants dropped a note that more closely resembled DarkSide ransomware notes (causing some to mistakenly refer to it as DarkSide),” stated the report.
The autonomous execution of the Rorschach ransomware on a Windows domain controller had similarities to that of LockBit 2.0 ransomware.
The hybrid-cryptography scheme of Rorschach bore similarities with Babuk ransomware. It is suspected that the coding for the same along with that of stopping specific processes was taken from Babuk.
Moreover, LockBit’s Russian language used for lists to stop the malware was seen in Rorschach ransomware as well.
The Rorschach personality test
The name Rorschach, researchers reckoned bore semblance to the Rorschach psychological test which involves connecting dots using interpretations and algorithms.
“Each person who examined the ransomware saw something a little bit different, prompting us to name it after the famous psychological test – Rorschach Ransomware,” stated the report.
