A new strain of ransomware believed to be the fastest-executing encryption malware has been discovered.
Researchers at Check Point Software said today the strain, dubbed Rorschach, hit an unnamed U.S. company using a signed component of Palo Alto Networks’ Cortex XDR Dump Service Tool, version 7.3.0.16740.
The Rorschach ransomware employs a highly effective and fast hybrid-cryptography scheme, which blends the curve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes, says the report. “This process only encrypts a specific portion of the original file content instead of the entire file.”
In a test on a server with six CPUs, 8192MB RAM and 220,000 files on a solid-state hard drive, it took Rorschach four minutes and 30 seconds to encrypt the data. By comparison, it took a sample of LockBit 3.0 seven minutes.
The researchers suspect this hybrid-cryptography routine was borrowed from the leaked source code of Babuk ransomware. The creators of Rorschach also appear to have been inspired by LockBit 2.0’s use of I/O Completion Ports for thread scheduling, the report says.
“Rorschach took the best from the ransomware families with the highest reputation and then added some unique features of its own,” the researchers conclude.
When initially executed on a Windows Domain Controller (DC), the ransomware automatically creates a Group Policy, spreading itself to other machines within the domain.
Similar functionality has been reported to be included in LockBit 2.0, the report says, although Rorschach’s deployment is carried out differently. Rorschach copies its files into the scripts folder of the domain controller, and deletes them from the original location. It then creates a group policy that copies itself into the Windows %Public%
folder of all workstations in the domain. The ransomware creates another group policy in an attempt to kill a list of predefined list of processes. This is done by creating a scheduled task invoking taskkill.exe
. Finally, Rorschach creates a third group policy that registers a scheduled task which runs immediately and upon a user logging in, which runs Rorschach’s main executable with the relevant arguments.
Rorschach has a number of protections. The initial loader/injector, winutils.dll
, is protected with UPX-style packing. However, says the report, this is changed in such a way that it isn’t readily unpacked using standard solutions, and requires manual unpacking. After unpacking, the sample loads and decrypts config.ini
, which contains the ransomware logic.
After Rorschach is injected into notepad.exe
, it’s still protected by VMProtect. This results in a crucial portion of the code being virtualized in addition to lacking an IAT table. Only after defeating both of these safeguards is it possible for researchers to properly analyze the ransomware logic.
Another way it evades detection is by making direct system calls using the “syscall” instruction. “While previously observed in other strains of malware, it’s quite startling to see this in ransomware,” says the report.
Before encrypting the target system, the sample runs two system checks to confirm the language of the infected computer. If the return value is commonly used in countries in the Russian-aligned Commonwealth of Independent States (CIS), including Russian and Ukrainian, it won’t execute.
“Our findings underscore the importance of maintaining strong cybersecurity measures to prevent ransomware attacks, as well as the need for continuous monitoring and analysis of new ransomware samples to stay ahead of evolving threats,” says the report. “As these attacks continue to grow in frequency and sophistication, it is essential for organizations to remain vigilant and proactive in their efforts to safeguard against these threats.”