Rorschach Ransomware: New strain of attacks with the fastest encryption speed

Rorschach Ransomware is a type of malicious software (malware) that encrypts files on a victim’s computer or network, making them inaccessible and then demands a ransom payment in exchange for the decryption key. Rorschach ransomware was first discovered in February 2021 and was named after the character from the comic book Watchmen, as the ransom note contained an image of the character’s mask.
It is highly configurable and makes use of a rarely seen ransomware feature called direct syscalls. The malware is dispersed through the DLL side-loading vulnerability of the Cortex XDR Dump Service program. It is believed that Rorschach was created using the Babuk ransomware’s stolen source code and and is partially influenced by LockBit 2.0. After encrypting the victim’s files, the ransomware sends them a ransom message that resembles the Yanluowang ransom note.

One of the abilities noticed is the encryption speed, which would make Rorschach the fastest ransomware threat currently, according to testing from the researchers. A test with 220,000 files on a 6-core CPU system was set up by an organization to determine how quickly Rorschach’s encryption works. Rorschach took 4.5 minutes to encrypt the data, while LockBit v3.0, widely regarded as the fastest ransomware strain, completed the task in 7 minutes.

Rorschach ransomware launches a campaign to stop a predefined list of services from machines as soon as it is executed. To make the recovery process more difficult, it deletes backups and shadow volumes using authorized Windows tools. The ransomware automatically establishes a Group Policy when it is run on a Windows Domain Controller in order to spread to other machines in the domain. Rorschach successfully encrypts the data using a combination of the curve25519 and eSTREAM encryption hc-128 algorithms.

Rorschach additionally appends a two-digit number (range from 00 to 98) and a random string of characters to the end of filenames in addition to encrypting data (“1.jpg” becomes “1.jpg.slpqne.37,”). Additionally, the desktop wallpaper is modified and a ransom note (“_r_e_a_d_m_e.txt”) is dropped. Rorschach attacks have been highlighted as a threat to industrial corporations and small and medium-sized businesses and have been observed to target nations like Asia, Europe, and the Middle East

References:

  1. https://www.bleepingcomputer.com/news/security/new-rorschach-ransomware-is-the-fastest-encryptor-seen-so-far/
  2. https://www.pcrisk.com/removal-guides/26437-rorschach-ransomware
SISA’s Latest
close slider