Self-Propagating, Fast-Encrypting ‘Rorschach’ Ransomware Emerges

The sophisticated, self-propagating Rorschach ransomware is one of the fastest at encrypting victims' files.

The newly identified ‘Rorschach’ ransomware uses a highly effective file-encrypting routine that makes it one of the fastest ransomware families out there, cybersecurity firm Check Point warns.

Having already claimed at least one victim in the US, Rorschach can spread itself automatically if executed on a domain controller. The malware is highly configurable and contains functions that set it apart from other ransomware families.

While it appears to have been inspired by well-known ransomware families, Rorschach does not seem linked to any of them, and its operator appears to have no affiliation with known ransomware groups.

Rorschach's execution relies on three files: cy.exe, a copy of the legitimate Cortex XDR Dump Service Tool, is executed to side-load winutils.dll (the loader and injector), which in turn loads config.ini (the Rorschach ransomware itself) into memory and injects it into notepad.exe. The chain abuses the tool's DLL search order: a DLL dropped beside the executable is loaded in place of the one the tool expects, so the ransomware runs under a process that starts from a legitimate binary.

The ransomware spawns multiple helper processes with falsified command-line arguments, which it uses to stop specific processes, delete shadow copies and backups, clear Windows event logs, and disable the Windows firewall. Because the arguments are spoofed, detection logic that keys only on the command line recorded at process creation will not see the commands actually executed.

If executed on a domain controller, the malware creates a Group Policy object that deploys it to other machines in the domain automatically.
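The three behaviours above (a renamed copy of the dump tool side-loading a DLL from outside its install path, helper processes whose real arguments differ from the ones logged at creation, and a new GPO appearing on a domain controller) can each be checked from ordinary endpoint and directory telemetry. The following is an added example written for this page, not code from Check Point or Palo Alto Networks. The event schema, the field names, the `PebCommandLine` snapshot event, the Cortex XDR install path, the GPO admin allow-list and every sample event are assumptions or constructed inputs for the demonstration:

```python
"""Added example: detection rules for the Rorschach execution chain
described above. Illustrative code for this page, not Check Point's or
Palo Alto Networks' tooling. Event records are simplified, constructed
stand-ins for Sysmon / Windows Security Log telemetry; field names,
paths and sample values are assumptions made for the demonstration."""
import ntpath

# Assumed install directory of the legitimate Cortex XDR agent (assumption;
# verify the real path on your own estate).
XDR_INSTALL_DIR = r"c:\program files\palo alto networks\traps"
# Accounts expected to create Group Policy objects (constructed allow-list).
GPO_ADMINS = {r"corp\gpo-svc"}


def _norm(path):
    """Windows paths compare case-insensitively; normalise separators too."""
    return path.replace("/", "\\").lower()


def rule_sideload(events):
    """Flag a copy of the Cortex XDR dump tool (identified by its PE
    OriginalFileName, not by the on-disk name, which Rorschach renames to
    cy.exe) that runs outside the agent install directory and loads an
    unsigned DLL from its own directory. Returns (pid, exe, dll) tuples."""
    procs, hits = {}, []
    for e in events:
        if e["type"] == "ProcessCreate":
            procs[e["pid"]] = e
        elif e["type"] == "ImageLoad":
            p = procs.get(e["pid"])
            if not p or p.get("original_file_name", "").lower() != "cydump.exe":
                continue
            exe_dir = ntpath.dirname(_norm(p["image"]))
            dll_dir = ntpath.dirname(_norm(e["image"]))
            if (not exe_dir.startswith(XDR_INSTALL_DIR)
                    and dll_dir == exe_dir and not e.get("signed", False)):
                hits.append((e["pid"], p["image"], e["image"]))
    return hits


def rule_spoofed_args(events):
    """Compare the command line recorded at process creation with one read
    later from the live process (PEB). Rorschach starts helper processes
    with benign arguments and rewrites them afterwards, so a creation-time
    rule alone never sees the shadow-copy or event-log commands.
    Returns (pid, logged_cmdline, live_cmdline) tuples."""
    created, hits = {}, []
    for e in events:
        if e["type"] == "ProcessCreate":
            created[e["pid"]] = e["cmdline"]
        elif e["type"] == "PebCommandLine":  # assumed EDR-style PEB snapshot
            before = created.get(e["pid"])
            if before is not None and before.strip() != e["cmdline"].strip():
                hits.append((e["pid"], before, e["cmdline"]))
    return hits


def rule_gpo_created(events):
    """Flag directory-service object creation (Security event 5137 style) of
    a groupPolicyContainer by any account not on the allow-list; a new GPO
    on a DC is the spreading mechanism described above."""
    return [(e["subject"], e["dn"]) for e in events
            if e["type"] == "DSObjectCreated"
            and e.get("object_class") == "groupPolicyContainer"
            and e["subject"].lower() not in GPO_ADMINS]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4120, "image": r"C:\Users\Public\cy.exe",
     "original_file_name": "cydump.exe", "cmdline": "cy.exe"},
    {"type": "ImageLoad", "pid": 4120, "image": r"C:\Users\Public\winutils.dll",
     "signed": False},
    {"type": "ProcessCreate", "pid": 4188,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list writers"},
    {"type": "PebCommandLine", "pid": 4188,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "ProcessCreate", "pid": 4200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "PebCommandLine", "pid": 4200, "cmdline": "explorer.exe"},
    {"type": "DSObjectCreated", "subject": r"CORP\svc-backup",
     "object_class": "groupPolicyContainer",
     "dn": "CN={3F1C0A2E-5B7D-4C21-9E03-7A8F0C1D2B44},CN=Policies,CN=System,DC=corp,DC=local"},
]

if __name__ == "__main__":
    for name, rule in (("sideload", rule_sideload),
                       ("spoofed_args", rule_spoofed_args),
                       ("gpo_created", rule_gpo_created)):
        for hit in rule(SAMPLE_EVENTS):
            print(name, hit)
```

The `PebCommandLine` event is the assumption that matters: Sysmon records the command line once, at creation, so the second reading has to come from an agent that re-reads the process's PEB (or from memory inspection during triage). Without such a source the spoofed-argument rule cannot fire, and the `vssadmin`/`wevtutil` activity has to be caught from its effects instead (shadow copies gone, event log cleared, firewall service state changed).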

Rorschach includes safeguards against analysis and evades defenses by making direct system calls, which bypass the user-mode API hooks that security products place on system libraries. Direct system calls have been observed in other malware families, but this is the first time the technique has been seen in ransomware.


Check Point's analysis of Rorschach also uncovered multiple hidden and obfuscated built-in options that allow the operators to control the ransomware remotely.

Rorschach also checks the infected system's language and terminates itself if it detects a language used in the Commonwealth of Independent States (CIS) countries, which include Russia.

One of Rorschach's most notable features is "a highly effective and fast hybrid-cryptography scheme", which makes it one of the fastest ransomware families out there.

In a controlled encryption speed test, Rorschach encrypted 220,000 files in four and a half minutes, Check Point says. LockBit, previously considered the fastest ransomware, encrypted the same files in seven minutes.

“It turned out that we have a new speed demon in town. What’s even more noteworthy is that the Rorschach ransomware is highly customizable. By adjusting the number of encryption threads via [a] command line argument, it can achieve even faster times,” Check Point notes.
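Check Point's figures work out to roughly 220,000 files / 270 s, about 815 files per second for Rorschach, against roughly 524 per second for LockBit, so a detector has seconds, not minutes, to react. As an added example (not part of the article or of Check Point's test), the following sliding-window detector flags a process that rewrites many distinct files with near-random content inside a short window, the behaviour such a speed test exercises. The thresholds, the entropy cut-off and the write events are all constructed for the demonstration:

```python
"""Added example: a rate-plus-entropy detector for fast bulk encryption.
Not from the page or from Check Point's tooling; thresholds are
illustrative and the file-write events below are constructed."""
import math
import random
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext and compressed data sit
    near 8.0, plain text and most documents well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BulkEncryptionDetector:
    """Sliding-window detector: alert once per process when it rewrites at
    least `min_files` distinct files with high-entropy content within
    `window_s` seconds. The defaults are assumptions for the example."""

    def __init__(self, window_s=2.0, min_files=50, min_entropy=7.5):
        self.window_s = window_s
        self.min_files = min_files
        self.min_entropy = min_entropy
        self._writes = defaultdict(deque)  # pid -> deque of (timestamp, path)
        self._alerted = set()

    def observe(self, ts, pid, path, sample):
        """Feed a post-write sample of `path`; return True on the first
        alert for `pid`, False otherwise."""
        if shannon_entropy(sample) < self.min_entropy:
            return False
        q = self._writes[pid]
        q.append((ts, path))
        while ts - q[0][0] > self.window_s:  # drop writes outside the window
            q.popleft()
        if pid in self._alerted:
            return False
        if len({p for _, p in q}) >= self.min_files:
            self._alerted.add(pid)
            return True
        return False


def build_sample_writes():
    """Constructed telemetry: pid 4120 rewrites 120 files with pseudo-random
    bytes within one second (stand-in for ciphertext); pid 2001 saves a
    handful of ordinary text files at a normal pace."""
    rng = random.Random(1)
    cipher_like = bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"Quarterly figures attached, please review before Friday.\n" * 64
    events = []
    for i in range(120):
        events.append((i / 120.0, 4120, f"C:\\Share\\docs\\file{i}.docx", cipher_like))
    for i in range(10):
        events.append((i * 0.5, 2001, f"C:\\Users\\alice\\notes{i}.txt", text))
    events.sort(key=lambda e: e[0])
    return events


def run_detector(events):
    """Return the list of (timestamp, pid) alerts raised over `events`."""
    det = BulkEncryptionDetector()
    return [(ts, pid) for ts, pid, path, data in events
            if det.observe(ts, pid, path, data)]


if __name__ == "__main__":
    for ts, pid in run_detector(build_sample_writes()):
        print(f"t={ts:.3f}s pid={pid}: bulk high-entropy rewrite detected")
```

The per-process window is what keeps the rule useful against a multithreaded encryptor: raising the thread count raises the write rate, so the threshold is crossed sooner rather than evaded. The weak spot is the entropy check, which a sampler reading only file headers can miss if an encryptor leaves the first bytes of each file untouched; sampling an offset further into the file, or more than one region, closes that gap.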

The cybersecurity firm also identified similarities with other ransomware families: Babuk (the borrowed hybrid-cryptography scheme), LockBit (the same list of CIS languages and other methods), and Yanluowang (the ransom note).

“Rorschach appears to have taken some of the ‘best’ features from some of the leading ransomwares leaked online, and integrated them all together. In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks. The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations,” Check Point concludes.

Update: Palo Alto Networks has confirmed Rorschach’s malicious use of the Cortex XDR Dump Service Tool for DLL side-loading:

“When removed from its installation directory, the Cortex XDR Dump Service Tool (cydump.exe), which is included with Cortex XDR agent on Windows, can be used to load untrusted dynamic link libraries (DLLs) with a technique known as DLL side-loading. Rorschach ransomware uses a copy of this tool and this technique to evade detection on systems that do not have sufficient endpoint protection.

When the Cortex XDR agent is installed on Windows and the Cortex XDR Dump Service Tool process is running from the installation path, it is not possible to side-load DLLs with this technique. The security permissions and protections of the installed Cortex XDR agent prevent it.”


Written by Ionut Arghire, international correspondent for SecurityWeek.
