#1 Trending Cyber Security News & Magazine
Thursday, June 8, 2023
Fastest Ever: Rorschach Ransomware Encrypts in Less Than 5 Minutes

The partly autonomous Rorschach ransomware was found spreading upon execution on a Domain Controller that moves laterally on other machines within the domain

By Editorial
April 6, 2023
in Firewall Daily, Ransomware News

Security researchers detected a previously unnamed ransomware strain, now dubbed Rorschach, in an attack against a US-based company.

What sets Rorschach ransomware apart from other strains is its high level of customization and technically unique features, making it one of the fastest ransomware strains ever observed in terms of encryption speed.

“Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain,” said the report by Check Point.

In addition, it does not bear any kind of branding, which is a common practice among ransomware groups.

During the research, Rorschach ransomware was found to have an ‘unusual’ detection-evading mechanism. Besides being customizable, Rorschach also performs tasks that in other strains require manual execution, including creating a Domain Group Policy (GPO).

The security researchers stated that Rorschach ransomware was the fastest encrypting malware due to its capability to implement itself using several methods.

Instead of the commonly used methods, the report revealed that the Rorschach ransomware was deployed using DLL side-loading of Palo Alto Networks’ Cortex XDR Dump Service Tool, a signed commercial security product. This points to a new approach taken by cybercriminals to evade detection.

Fastest and one of the most sophisticated ransomware

Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research, highlighted how the technically distinct features in Rorschach ransomware, taken from different ransomware families, set it apart.

“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high levels of technically distinct features taken from different ransomware families – making it special and different from other ransomware families,” Shykevich told The Cyber Express.

“This is the fastest and one of the most sophisticated ransomware we have seen so far. It speaks to the rapidly changing nature of cyber attacks and the need for companies to deploy a prevention-first solution that can stop Rorschach from encrypting their data,” he added.

Rorschach ransomware explained

The partly autonomous Rorschach ransomware was found spreading upon execution on a Domain Controller that moves laterally on other machines within the domain.

Execution of the Rorschach ransomware (Photo: Check Point)

The Rorschach ransomware consists of three files: cy.exe, which side-loads winutils.dll; winutils.dll, the loader that decrypts the files; and config.ini, which holds the logic and configuration.

Rorschach ransomware was loaded through a DLL side-loading attack on the Cortex XDR Dump Service Tool, a binary not commonly abused for ransomware.

This suggests that the developers of the Rorschach ransomware were attempting to devise a sophisticated tool that evades detection: because the host is a signed security product, it could confuse both the victim and the experts investigating the incident.

A DLL side-loading attack abuses the way Windows searches for a DLL, so that a legitimate application loads and executes the payload. It helps in maintaining persistence and, to some extent, in evading detection.
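One way a defender can hunt for the side-loading shape described above (a signed host binary such as cy.exe mapping an unsigned winutils.dll from its own, untrusted directory) and for the three-file drop set the article names. This is an added example, not code from Check Point or The Cyber Express; the log lines are constructed, simplified key=value renderings of Sysmon Event ID 7 (ImageLoaded) fields rather than Sysmon's real XML, and C:\Program Files\VendorEDR is a placeholder install directory.

```python
"""Flag DLL side-loading over simplified image-load records and check for the
cy.exe / winutils.dll / config.ini drop set. Added example, not Check Point's
or The Cyber Express's code; the record format and the VendorEDR install path
are constructed for illustration."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories a signed vendor binary is expected to load companion DLLs from.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# The three files the article names as the Rorschach drop set.
RORSCHACH_TRIAD = {"cy.exe", "winutils.dll", "config.ini"}

@dataclass
class ImageLoad:
    image: str          # process that performed the load
    loaded: str         # DLL that was mapped into it
    image_signed: bool  # Authenticode status of the host
    dll_signed: bool    # Authenticode status of the DLL

def parse_event(line: str) -> ImageLoad:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        loaded=fields["ImageLoaded"],
        image_signed=fields["Signed"].lower() == "true",
        dll_signed=fields["LoadedSigned"].lower() == "true",
    )

def _dir(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash."""
    return str(PureWindowsPath(path).parent).lower() + "\\"

def is_sideload(ev: ImageLoad) -> bool:
    """Signed host + unsigned DLL from the host's own directory + untrusted path."""
    if not ev.image_signed or ev.dll_signed:
        return False
    dll_dir = _dir(ev.loaded)
    return dll_dir == _dir(ev.image) and not dll_dir.startswith(TRUSTED_DIRS)

def scan(lines) -> list:
    """Return the DLL path of every record matching the side-loading shape."""
    return [ev.loaded for ev in map(parse_event, lines) if is_sideload(ev)]

def has_rorschach_triad(file_paths) -> bool:
    """True when a single directory holds all three files named in the article."""
    by_dir = {}
    for p in file_paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    return any(RORSCHACH_TRIAD <= names for names in by_dir.values())

# Constructed sample records: only the first one is the side-loading shape.
SAMPLE_EVENTS = [
    r"Image=C:\Users\Public\Tools\cy.exe|ImageLoaded=C:\Users\Public\Tools\winutils.dll|Signed=true|LoadedSigned=false",
    r"Image=C:\Program Files\VendorEDR\cy.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|LoadedSigned=true",
    r"Image=C:\Users\Public\Tools\cy.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|Signed=true|LoadedSigned=true",
    r"Image=C:\Users\Public\Tools\tool.exe|ImageLoaded=C:\Users\Public\Tools\helper.dll|Signed=false|LoadedSigned=false",
]

if __name__ == "__main__":
    for dll in scan(SAMPLE_EVENTS):
        print("possible DLL side-loading:", dll)
    print("Rorschach drop set present:", has_rorschach_triad(
        [r"C:\Users\Public\Tools\cy.exe", r"C:\Users\Public\Tools\winutils.dll",
         r"C:\Users\Public\Tools\config.ini"]))
```

The directory rule is deliberately narrow: a signed host loading an unsigned DLL from its own directory under Program Files is normal for many products, so only loads from outside the trusted roots are raised.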

Encryption details of the Rorschach ransomware

The hybrid-cryptography encryption scheme of the Rorschach ransomware targets the specific files chosen by the attacker. It generates a per-victim private key as cryptographically random bytes using the WinAPI function CryptGenRandom.

  1. The Rorschach injector is protected with UPX-style packing that requires manual unpacking.
  2. Rorschach injects into notepad.exe; the injected code is guarded by VMProtect, which obfuscates it.
  3. The Rorschach payload makes direct system calls (syscalls), which is unusual for ransomware but is found in other malware. It finds the syscall numbers for the NT APIs, stores them in a table and calls a stub routine; this obfuscated process further helps it evade detection.
  4. Its hardcoded configuration with built-in options is obfuscated and accessible only through reverse engineering.
  5. Some of the Rorschach ransomware’s arguments are -nomail, which skips creating a ransom note; -at, which sets a trigger time slot; -nobk, which keeps the device wallpaper as is; and -path, which encrypts only the selected paths.

The extra encryption speed of the Rorschach ransomware is attributed to its implementation of thread scheduling using I/O completion ports.

Several red-teaming tests concluded that while LockBit v.3 took 7 minutes, Rorschach ransomware took approximately 4 minutes and 30 seconds to encrypt files.

Steps followed before encryption

The payload performs two system checks before encrypting: GetSystemDefaultUILanguage and GetUserDefaultUILanguage.

These checks look up the language set by the user. Rorschach ransomware ceases execution if the language is one used in CIS countries. Some of them are:

  1. Armenian
  2. Georgian
  3. Russian
  4. Ukrainian
  5. Belarusian

Similarities between the Rorschach and other ransomware

The Rorschach ransomware has not been associated with a cybercriminal group so far. However, several similarities have been found between Rorschach and other ransomware.

The report noted that the ransom note sent to the victim was similar to Yanluowang ransomware notes; other variants, however, dropped a note similar to DarkSide ransomware notes.

The details of the ransom note thus resembled the notes used by both Yanluowang and DarkSide.

“The ransomware note sent out to the victim was formatted similarly to Yanluowang ransomware notes, although other variants dropped a note that more closely resembled DarkSide ransomware notes (causing some to mistakenly refer to it as DarkSide),” stated the report.

The autonomous execution of the Rorschach ransomware on a Windows domain controller had similarities to that of LockBit 2.0 ransomware.

The hybrid-cryptography scheme of Rorschach bears similarities to Babuk ransomware. It is suspected that this code, along with the routine that stops specific processes, was taken from Babuk.

Moreover, the language list used to halt the malware, which LockBit also uses and which includes Russian, was seen in Rorschach ransomware as well.

The Rorschach personality test

Researchers reckoned that the name Rorschach bore a resemblance to the Rorschach psychological test, which involves connecting dots using interpretations and algorithms.

“Each person who examined the ransomware saw something a little bit different, prompting us to name it after the famous psychological test – Rorschach Ransomware,” stated the report.
