Connect with us

Hi, what are you looking for?


Malware & Threats

Self-Propagating, Fast-Encrypting ‘Rorschach’ Ransomware Emerges

The sophisticated, self-propagating Rorschach ransomware is one of the fastest at encrypting victim’s files.

The newly identified ‘Rorschach’ ransomware uses a highly effective file-encrypting routine that makes it one of the fastest ransomware families out there, cybersecurity firm Check Point warns.

Already making at least one victim in the US, Rorschach can spread itself automatically if executed on a domain controller. The malware is highly configurable, and contains unique functions that separate it from other ransomware families out there.

While it seems to have been inspired by infamous ransomware, Rorschach does not appear linked to other malware families and its operator appears to have no affiliation with known ransomware groups.

Rorschach’s execution relies on three files: cy.exe (Cortex XDR Dump Service Tool) is executed to side-load winutils.dll (loader and injector), which in turn loads config.ini (the Rorschach ransomware itself) in memory and injects it into notepad.exe.

The ransomware spawns multiple processes and provides falsified arguments to them, which it uses to stop specific processes, delete shadow volumes and backups, clear Windows event logs, and disable the Windows firewall.

If executed on a domain controller, the malware creates a group policy that allows it to automatically spread to other machines on the domain.

Rorschach includes safeguards to prevent analysis and can evade defense mechanisms by making direct system calls. While other malware families were seen making direct system calls, this is the first time the functionality is seen in ransomware.

Advertisement. Scroll to continue reading.

Check Point’s analysis of Rorschach also uncovered multiple built-in options that are hidden and obfuscated and which allow the operators to control the ransomware remotely.

Rorschach also checks the infected system’s language and terminates itself if it detects a language used in the CIS countries, which includes Russia.

One of the most important features that Rorschach has is ‘a highly effective and fast hybrid-cryptography scheme’ that makes it one of the fastest ransomware families out there.

In a controlled encryption speed test, Rorschach encrypted 220,000 files in four minutes and a half, Check Point says. LockBit, which previously emerged as the fastest ransomware, encrypted the same files in seven minutes.

“It turned out that we have a new speed demon in town. What’s even more noteworthy is that the Rorschach ransomware is highly customizable. By adjusting the number of encryption threads via [a] command line argument, it can achieve even faster times,” Check Point notes.

The cybersecurity firm also identified several similarities with other ransomware families, including Babuk (the borrowed hybrid-cryptography scheme), LockBit (the same list of CIS languages and other methods), and Yanlowang (the ransom note).

“Rorschach appears to have taken some of the ‘best’ features from some of the leading ransomwares leaked online, and integrated them all together. In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks. The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations,” Check Point concludes.

Update: Palo Alto Networks has confirmed Rorschach’s malicious use of the Cortex XDR Dump Service Tool for DLL side-loading:

“When removed from its installation directory, the Cortex XDR Dump Service Tool (cydump.exe), which is included with Cortex XDR agent on Windows, can be used to load untrusted dynamic link libraries (DLLs) with a technique known as DLL side-loading. Rorschach ransomware uses a copy of this tool and this technique to evade detection on systems that do not have sufficient endpoint protection.

When the Cortex XDR agent is installed on Windows and the Cortex XDR Dump Service Tool process is running from the installation path, it is not possible to side-load DLLs with this technique. The security permissions and protections of the installed Cortex XDR agent prevent it.”

Related: CISA Gets Proactive With New Pre-Ransomware Alerts

Related: Ransomware Will Likely Target OT Systems in EU Transport Sector: ENISA

Related: New ‘Trigona’ Ransomware Targets US, Europe, Australia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.