Security researchers have discovered one of the fastest-encrypting ransomware strains, dubbed 'Rorschach', which has also displayed sophisticated evasion capabilities in attacks around the world.
The ransomware was detected in an attack against an undisclosed US-based company’s Windows environment, and quickly identified as a particularly efficient and apparently unaffiliated strain.
Check Point Research published details on Rorschach in a blog post, describing it as “one of the fastest ransomware out there” due to its impressive optimisation and sophisticated cryptography method.
In encryption tests within a controlled environment, Rorschach was able to encrypt 220,000 files in 270 seconds, a full 150 seconds faster than the self-proclaimed “fastest” ransomware LockBit 3.0.
This is achieved with a mix of the curve25519 and hc-128 algorithms, through which it encrypts only sections of files for more efficient encryption.
Researchers speculated that Rorschach is capable of even greater speeds through adjustments to its command line argument, cementing it as the new threat where encryption times are concerned.
Rorschach appears to contain the best code snippets from a range of other ransomware strains.
Both Check Point and Group-IB researchers noted that the code Rorschach uses to kill services is identical to that found in Babuk ransomware, while the classes it uses to rename encrypted machine files appear to have been lifted from LockBit 2.0.
Aside from its cryptographic sophistication, the strain operates in a standard pattern for ransomware. It disables certain services to avoid detection, kills the firewall, and deletes shadow volumes to prevent file recovery.
Ransom notes that researchers found on infected systems have borrowed the structure from those found in attacks by Yanluowang, though the ransom note in a different variant of Rorschach identified by AhnLab was closer structure to the DarkSide group.
The notes demonstrated that the threat actors behind Rorschach have a strong command of English, setting them apart from other groups such as LockBit whose notes comprise broken English sentences.
The group does not use threats of double extortion in its notes, simply urging companies to pay or be attacked again.
Rorschach is tracked by Group-IB as ‘BabLock’, and in January 2023 was tracked in attacks against industrial targets across Europe, Asia, and the Middle East.
Devices in Russian and other languages dominant in post-Soviet territories were left unharmed by the ransomware.
RELATED RESOURCE
The near and far future of ransomware business models
What would make ransomware actors change their criminal business models?
“We believe that the group BabLock is not related to any particular RaaS affiliate programme and that it performs 'quiet' occasional attacks using proprietary ransomware,” stated Group-IB in a blog post.
Unusual features within Rorschach have made it difficult to detect and root out once identified.
It uses the ‘syscall’ instruction to directly call on system APIs to dodge antivirus software. The strain is also partly autonomous, and was found to self-propagate when executed on a Windows Domain Controller through the creation of group policies to spread to all connected workstations, much like LockBit 2.0.
Initial analysis of Rorschach was hindered by the quality of the obfuscation that its developers used to shield its code, another indication of its creators’ skill.
Reverse-engineered samples revealed a hidden list of arguments that can be passed to Rorschach to control its actions, such as whether it self-deletes, which paths to delete, or whether the sample requires a password to operate.
Check Point noted that its list of arguments is not exhaustive, and that other found arguments implied that Rorschach is capable of operating across networks.
The strain’s adaptability is what led Check Point to dub it ‘Rorschach’, with researchers having noted that “each person who examined the ransomware saw something a little bit different”.
Having operated for some months undetected, and without a clear self-identifcation, it is not clear whether Rorschach will expand its operations or seek to adopt double extortion methods.
At present, researchers have urged IT administrators to continue following best practices, and remain vigilant against this aggressive new strain.
-
Anthropic says MCP will stay 'open, neutral, and community-driven' after donating project to Linux FoundationNews The AIFF aims to standardize agentic AI development and create an open ecosystem for developers
-
Developer accidentally spends company’s entire Cursor budget in one sittingNews A developer accidentally spent their company's entire Cursor budget in a matter of hours, and discovered a serious flaw that could allow attackers to max out spend limits.
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
