New Rorschach Ransomware Strain Identified with Unique Features and Sophisticated Techniques


Rorschach ransomware is a new strain of ransomware that was discovered during a recent ransomware case against a US-based company. The unique features of this ransomware have caused concern among cybersecurity experts.

One of the most significant aspects of this attack is the use of DLL side-loading to load the ransomware payload. The use of this technique marks a new level of sophistication in the approaches used by financially motivated groups to avoid detection. The ransomware was deployed by abusing Palo Alto Networks' Cortex XDR Dump Service Tool to side-load a library named "winutils.dll."

Behavioral analysis of the ransomware revealed that it is partly autonomous, meaning that it spreads automatically when executed on a Domain Controller while clearing event logs of affected machines. It is also highly flexible, able to operate based on built-in configurations and optional arguments, allowing it to change behavior according to the operator's needs. The ransomware appears to have taken inspiration from some of the most infamous ransomware families, such as Yanluowang and DarkSide, but also includes unique functionalities like the use of direct syscalls.

The use of a signed component of a commercial security product and the partially autonomous and highly flexible nature of the ransomware make it a serious threat to organizations of all sizes.
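For defenders, the side-loading pattern described above can be hunted in module-load telemetry. The following is an added example, not code from the original article or from any vendor: it flags a signed executable that loads an unsigned DLL from its own directory outside the usual install locations. The record field names, host names, paths and trusted roots are assumptions, and the sample events are constructed.

```python
import ntpath

# Assumption: roots where vendor software is normally installed.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# DLL name reported for this case in the article; a match raises severity.
WATCHED_DLLS = {"winutils.dll"}

# Constructed sample records, not real telemetry. Field names are hypothetical.
SAMPLE_EVENTS = [
    {"host": "dc01", "image": r"C:\Users\Public\signed_tool.exe",
     "process_signed": True,
     "image_loaded": r"C:\Users\Public\WinUtils.dll", "dll_signed": False},
    {"host": "ws07", "image": r"C:\Program Files\Vendor\signed_tool.exe",
     "process_signed": True,
     "image_loaded": r"C:\Program Files\Vendor\winutils.dll", "dll_signed": True},
    {"host": "ws09", "image": r"C:\Temp\app.exe", "process_signed": True,
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"host": "ws11", "image": r"C:\ProgramData\x\svc.exe", "process_signed": False,
     "image_loaded": r"C:\ProgramData\x\helper.dll", "dll_signed": False},
    {"host": "ws12", "image": r"C:\Temp\updater.exe", "process_signed": True,
     "image_loaded": r"C:\Temp\version.dll", "dll_signed": False},
]


def is_sideload_candidate(ev):
    """Signed process, unsigned DLL beside it, image outside trusted roots."""
    image = ntpath.normcase(ev["image"])          # lower-case, backslashes
    dll = ntpath.normcase(ev["image_loaded"])
    same_dir = ntpath.dirname(image) == ntpath.dirname(dll)
    outside_trusted = not image.startswith(TRUSTED_ROOTS)
    return (ev["process_signed"] and not ev["dll_signed"]
            and same_dir and outside_trusted)


def find_sideloads(events):
    """Return (host, dll_name, severity) for each suspicious module load."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            name = ntpath.basename(ntpath.normcase(ev["image_loaded"]))
            severity = "high" if name in WATCHED_DLLS else "medium"
            hits.append((ev["host"], name, severity))
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit)
```

The heuristic deliberately ignores unsigned loaders and loads from trusted install paths, so it complements rather than replaces signature-based and behavioral detections.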


The ransomware employs a highly effective and fast hybrid-cryptography scheme that combines Curve25519 with the eSTREAM cipher HC-128 for encryption. This process encrypts only a specific portion of the original file content instead of the entire file and employs additional compiler optimization methods, making it a "speed demon." In tests carried out in a controlled environment, 220,000 files were encrypted using Rorschach within an average of four minutes and 30 seconds, making it significantly faster than LockBit 3.0, which took approximately seven minutes.

The ransomware's developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects. Additionally, the ransomware appears to have taken some of the "best" features from leading ransomware strains and integrated them all together. These features, combined with Rorschach's self-propagating capabilities, raise the bar for ransom attacks.

This discovery comes as Fortinet FortiGuard Labs detailed two emerging ransomware families called PayMe100USD, a Python-based file-locking malware, and Dark Power, which is written in the Nim programming language. The emergence of these new strains highlights the importance of remaining vigilant and taking proactive steps to protect against ransomware attacks.


Rorschach ransomware represents a significant evolution in the ransomware landscape and highlights the need for continued vigilance and innovation in the fight against cyber threats. Organizations must remain vigilant and take proactive steps to protect their systems and data from this and other emerging threats.