Malware experts identified Rorschach as a new ransomware outbreak with “technically unique features” after a cyberattack on a U.S.-based business.
According to the cybersecurity website, researchers noticed one of the skills is encryption speed. This would make Rorschach the fastest ransomware threat currently.
The researchers reported that the hackers used a flaw in a threat monitoring and incident response application to spread the malware on the victim’s network.
Rorschach information
The security service website discovered Rorschach was distributed using the DLL side-loading method via a signed component in Cortex XDR. It’s a detection and response tool from Palo Alto Networks, developed following an attack on a U.S. business.
The perpetrator sideloaded the Rorschach loader and injector (winutils.dll) using the Cortex XDR Dump Service Tool (cy.exe) version 7.3.0.16740. Moreover, it then resulted in the ransomware payload, “config.ini,” being launched into a Notepad session.
The primary payload is protected against reverse engineering and detection by virtualizing some of the code using the VMProtect software. However, the loader file has anti-analysis security in the UPX manner.
Rorschach produces a Group Policy that is spread throughout the network when it is run on a Windows network controller.
Moreover, to leave no evidence after infiltrating a computer, the malware then deletes four event files. It includes application, security, system, and Windows Powershell. Although Rorschach has hardcoded settings, it accepts command-line arguments to increase utility.
Check Point claims the choices are concealed and are inaccessible without breaking the virus.
The Rorschach coding technique
Rorschach encrypts data only if the target computer is set up in a language except for the Commonwealth of Independent States.
Moreover, to improve processing performance, the encryption strategy uses a combination of the curve25519 and eSTREAM cypher hc-128 algorithms and adheres to the intermittent encryption pattern.
According to the experts, Rorschach’s encryption method indicates a highly effective implementation of thread scheduling via I/O completion ports.
The online security website experts tested Rorschach’s encryption on a 6-core CPU system with 220,000 files.
The LockBit v3.0, was the quickest ransomware variant. It completed the encryption of the data in 7 minutes, while Rorschach took 4.5 minutes.
Moreover, the malware locks the machine and then dumps a ransom letter that resembles the Yanlowang ransomware in structure.
Experts claim that an earlier version of the malware used a ransom letter similar to the one used by DarkSide.
According to Check Point, this resemblance is probably what led some scholars to confuse one Rorschach variant with DarkSide. A scheme that changed its name to BlackMatter in 2021 and vanished the following year.
The ALPHV/BlackCat ransomware attack was created by BlackMatter users and went live in November 2021.
Furthermore, Rorschach has adopted the best features from some of the most popular malware variants that have been exposed online. These malware variants include Babuk, LockBit v2.0, and DarkSide.
In addition to its ability to spread itself, the malware raises the bar for ransom attacks. The Rorschach ransomware’s administrators are currently unclear, and there is no branding, which is unusual in the ransomware world.
