Security researchers have discovered one of the fastest-encrypting ransomware strains, dubbed 'Rorschach', which has also displayed sophisticated evasion capabilities in attacks around the world.
The ransomware was detected in an attack against an undisclosed US-based company’s Windows environment, and quickly identified as a particularly efficient and apparently unaffiliated strain.
Check Point Research published details on Rorschach in a blog post, describing it as “one of the fastest ransomware out there” due to its impressive optimisation and sophisticated cryptography method.
In encryption tests within a controlled environment, Rorschach was able to encrypt 220,000 files in 270 seconds, a full 150 seconds faster than the self-proclaimed “fastest” ransomware LockBit 3.0.
This is achieved with a mix of the curve25519 and hc-128 algorithms, through which it encrypts only sections of files for more efficient encryption.
Researchers speculated that Rorschach is capable of even greater speeds through adjustments to its command line argument, cementing it as the new threat where encryption times are concerned.
Rorschach appears to contain the best code snippets from a range of other ransomware strains.
Both Check Point and Group-IB researchers noted that the code Rorschach uses to kill services is identical to that found in Babuk ransomware, while the classes it uses to rename encrypted machine files appear to have been lifted from LockBit 2.0.
Aside from its cryptographic sophistication, the strain operates in a standard pattern for ransomware. It disables certain services to avoid detection, kills the firewall, and deletes shadow volumes to prevent file recovery.
Ransom notes that researchers found on infected systems have borrowed the structure from those found in attacks by Yanluowang, though the ransom note in a different variant of Rorschach identified by AhnLab was closer structure to the DarkSide group.
The notes demonstrated that the threat actors behind Rorschach have a strong command of English, setting them apart from other groups such as LockBit whose notes comprise broken English sentences.
The group does not use threats of double extortion in its notes, simply urging companies to pay or be attacked again.
Rorschach is tracked by Group-IB as ‘BabLock’, and in January 2023 was tracked in attacks against industrial targets across Europe, Asia, and the Middle East.
Devices in Russian and other languages dominant in post-Soviet territories were left unharmed by the ransomware.
RELATED RESOURCE
The near and far future of ransomware business models
What would make ransomware actors change their criminal business models?
“We believe that the group BabLock is not related to any particular RaaS affiliate programme and that it performs 'quiet' occasional attacks using proprietary ransomware,” stated Group-IB in a blog post.
Unusual features within Rorschach have made it difficult to detect and root out once identified.
It uses the ‘syscall’ instruction to directly call on system APIs to dodge antivirus software. The strain is also partly autonomous, and was found to self-propagate when executed on a Windows Domain Controller through the creation of group policies to spread to all connected workstations, much like LockBit 2.0.
Initial analysis of Rorschach was hindered by the quality of the obfuscation that its developers used to shield its code, another indication of its creators’ skill.
Reverse-engineered samples revealed a hidden list of arguments that can be passed to Rorschach to control its actions, such as whether it self-deletes, which paths to delete, or whether the sample requires a password to operate.
Check Point noted that its list of arguments is not exhaustive, and that other found arguments implied that Rorschach is capable of operating across networks.
The strain’s adaptability is what led Check Point to dub it ‘Rorschach’, with researchers having noted that “each person who examined the ransomware saw something a little bit different”.
Having operated for some months undetected, and without a clear self-identifcation, it is not clear whether Rorschach will expand its operations or seek to adopt double extortion methods.
At present, researchers have urged IT administrators to continue following best practices, and remain vigilant against this aggressive new strain.
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
-
Can cyber group takedowns last?ITPro Podcast Threat groups can recover from website takeovers or rebrand for new activity – but each successful sting provides researchers with valuable data
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victimNews In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransomsNews A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employeesNews The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crimeNews A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
