New Rorschach ransomware almost twice as fast as LockBit

Security researchers have discovered one of the fastest-encrypting ransomware strains, dubbed 'Rorschach', which has also displayed sophisticated evasion capabilities in attacks around the world.

The ransomware was detected in an attack against an undisclosed US-based company’s Windows environment, and quickly identified as a particularly efficient and apparently unaffiliated strain.

Check Point Research published details on Rorschach in a blog post, describing it as “one of the fastest ransomware out there” due to its impressive optimisation and sophisticated cryptography method.

In encryption tests within a controlled environment, Rorschach was able to encrypt 220,000 files in 270 seconds, a full 150 seconds faster than the self-proclaimed “fastest” ransomware LockBit 3.0.

This is achieved with a mix of the curve25519 and hc-128 algorithms, through which it encrypts only sections of files for more efficient encryption.

Researchers speculated that Rorschach is capable of even greater speeds through adjustments to its command line argument, cementing it as the new threat where encryption times are concerned.

Rorschach appears to contain the best code snippets from a range of other ransomware strains.

Both Check Point and Group-IB researchers noted that the code Rorschach uses to kill services is identical to that found in Babuk ransomware, while the classes it uses to rename encrypted machine files appear to have been lifted from LockBit 2.0.

Aside from its cryptographic sophistication, the strain operates in a standard pattern for ransomware. It disables certain services to avoid detection, kills the firewall, and deletes shadow volumes to prevent file recovery.

Ransom notes that researchers found on infected systems have borrowed the structure from those found in attacks by Yanluowang, though the ransom note in a different variant of Rorschach identified by AhnLab was closer structure to the DarkSide group.

The notes demonstrated that the threat actors behind Rorschach have a strong command of English, setting them apart from other groups such as LockBit whose notes comprise broken English sentences.

The group does not use threats of double extortion in its notes, simply urging companies to pay or be attacked again.

Rorschach is tracked by Group-IB as ‘BabLock’, and in January 2023 was tracked in attacks against industrial targets across Europe, Asia, and the Middle East.

Devices in Russian and other languages dominant in post-Soviet territories were left unharmed by the ransomware.

“We believe that the group BabLock is not related to any particular RaaS affiliate programme and that it performs 'quiet' occasional attacks using proprietary ransomware,” stated Group-IB in a blog post.

Unusual features within Rorschach have made it difficult to detect and root out once identified.

It uses the ‘syscall’ instruction to directly call on system APIs to dodge antivirus software. The strain is also partly autonomous, and was found to self-propagate when executed on a Windows Domain Controller through the creation of group policies to spread to all connected workstations, much like LockBit 2.0.

Initial analysis of Rorschach was hindered by the quality of the obfuscation that its developers used to shield its code, another indication of its creators’ skill.

Reverse-engineered samples revealed a hidden list of arguments that can be passed to Rorschach to control its actions, such as whether it self-deletes, which paths to delete, or whether the sample requires a password to operate.

Check Point noted that its list of arguments is not exhaustive, and that other found arguments implied that Rorschach is capable of operating across networks.

The strain’s adaptability is what led Check Point to dub it ‘Rorschach’, with researchers having noted that “each person who examined the ransomware saw something a little bit different”.

Having operated for some months undetected, and without a clear self-identifcation, it is not clear whether Rorschach will expand its operations or seek to adopt double extortion methods.

At present, researchers have urged IT administrators to continue following best practices, and remain vigilant against this aggressive new strain.