Home > Cyber News > Rorschach: New Sophisticated Ransomware Emerges
CYBER NEWS

Rorschach: New Sophisticated Ransomware Emerges

by   |  Last Update:  |  0 Comments  

Security researchers discovered a new, highly sophisticated ransomware.

Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) identified a previously unknown ransomware strain, dubbed Rorschach, that was deployed against a US-based company. Rorschach does not bear any similarities to other known ransomware families, and also lacks any branding typically seen in ransomware attacks.

It is also noteworthy that the ransomware is partially autonomous, carrying out tasks that are usually done manually, such as creating a domain group policy (GPO). This functionality has previously been linked to LockBit 2.0.

Rorschach New Sophisticated Ransomware Emerges

Rorschach Ransomware: What Is Known So Far?

Rorschach is highly customizable and contains technologically extraordinary features, like the use of direct syscalls, which is rarely seen in ransomware. Moreover, due to its implementation methods, the ransomware is one of the quickest observed in terms of encryption speed.

Distribution

The ransomware was deployed through DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, which is a unique loading method for ransomware. Palo Alto Networks was alerted about the vulnerability.




Execution

An analysis of the ransomware revealed some unique features. It has a partly autonomous nature, spreading itself when executed on a Domain Controller (DC) and erasing event logs of affected machines.

Rorschach ransomware is also highly flexible, running on a built-in configuration and a variety of optional arguments to adjust its behavior to the user’s needs. Furthermore, the malware is a combination of some of the most notorious ransomware families, including Yanluowang and DarkSide, with some distinct functionalities, e.g. the use of direct syscalls.

The ransom note sent out to the victim was styled similarly to Yanluowang ransomware notes, but some mistakenly identified it as DarkSide. This confusion is what led to the ransomware being named after the famous psychological test – Rorschach.

Self-Propagation

Rorschach creates processes in an unconventional manner, initiating them in SUSPEND mode and providing incorrect arguments to strengthen analysis and remediation activities. This false argument, made up of a sequence of the number 1 corresponding to the length of the actual argument, is re-written in memory and substituted with the real one, producing a distinct operation, as per Check Point Research’s report.

The ransomware has the capability to spread itself to other machines within a Windows Domain Controller when executed. This GPO deployment is done differently than the one seen in LockBit 2.0, and is described in more detail below.

Anti-Analysis Protection and Evasion

Rorschach exhibits sophisticated security evasion tactics that make it difficult to analyze. The initial loader/injector winutils.dll is safeguarded by a UPX-style packing that needs manual unpacking to access. Upon unpacking, config.ini is loaded and decrypted, which holds the ransomware logic. After being injected into notepad.exe, the code is further safeguarded by VMProtect and virtualization, which complicates analysis. To evade defense mechanisms, Rorschach uses the “syscall” instruction to make direct system calls, which is uncommon in ransomware.




Rorschach Ransomware: Conclusion

To stay hidden from security software and researchers, the creators of Rorschach implemented innovative anti-analysis and defense evasion techniques. Furthermore, the ransomware has adopted some of the most effective features from other popular ransomwares that have been released online and combined them. Not only can Rorschach self-replicate, but these developments have increased the potency of ransomware attacks. So far, the identities of the operators and developers of Rorschach remain unknown, as they have not employed branding, which is considered rare in ransomware campaigns, Check Point researchers noted.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Related posts:
  1. LockBit 3.0 Virus Guide: Removal, Decryption, and Safety Tips In today’s interconnected society, the specter of cybersecurity threats looms...
  2. .abcd Virus File (LockBit Ransomware) – Remove It (Update March 2020) This article has been created in order to best explain...
  3. Remove LockBit 2.0 Ransomware LockBit 2.0 Ransomware LockBit 2.0 Ransomware is a computer virus...
  4. Operation Cronos: the End of LockBit Ransomware? Law enforcement agencies from 11 countries have joined forces to...
  5. LockBit Ransomware Adds DDoS, Triple Extortion to Its Operation The LockBit ransomware group is now working towards improving its...
  6. locker_Apple_M1_64 Ransomware Removal (LockBit Mac Virus) What Is locker_Apple_M1_64 (LockBit Mac File Virus)? Security researchers detected...
  7. .lockbit Virus (.lockbit Ransomware) Removal and Recovery The .lockbit virus is a ransomware that is currently set...
  8. LockBit Ransomware Hits Global Tech Consultancy Firm Accenture Accenture is the latest victim of the LockBit ransomware gang....

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree