Security researchers have discovered a new, highly sophisticated ransomware strain.
Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) identified a previously unknown ransomware strain, dubbed Rorschach, that was deployed against a US-based company. Rorschach shows no overlaps that would allow it to be attributed to a known ransomware family, and it lacks the branding (leak site, group name, logo in the ransom note) typically seen in ransomware attacks.
It is also noteworthy that the ransomware is partly autonomous: it carries out tasks that are usually performed by hand, such as creating a domain Group Policy Object (GPO) to push itself to other hosts. Automated GPO-based deployment has previously been seen in LockBit 2.0.
Rorschach Ransomware: What Is Known So Far?
Rorschach is highly customizable and contains technically unusual features, such as the use of direct syscalls, which is rarely seen in ransomware. Its implementation also makes it one of the fastest ransomware families observed in terms of encryption speed: it uses a hybrid scheme (an asymmetric key exchange protecting a fast stream cipher) and encrypts only part of each file, so the bulk of the time is spent on I/O rather than on cryptography.
Distribution
The ransomware was deployed through DLL side-loading of the Cortex XDR Dump Service Tool, a signed component of a commercial security product (cy.exe, according to CPR's report). The signed executable looks for a DLL by name in its own directory, so placing a malicious winutils.dll beside it causes the payload to run under the identity of a trusted, signed binary, an unusual loading method for ransomware and one that defeats allow-listing based on the parent image alone. Palo Alto Networks was notified of the issue.
Execution
An analysis of the ransomware revealed several unique features. It is partly autonomous: when executed on a Domain Controller (DC) it spreads itself across the domain, and it clears the Windows event logs of affected machines to hinder forensics.
Rorschach is also highly flexible. It runs from a built-in configuration, and a set of optional command-line arguments lets the operator adjust its behavior. The malware borrows features from several notorious ransomware families whose source or builders have leaked online, most visibly Babuk and LockBit 2.0, while adding distinct functionality of its own, such as the use of direct syscalls.
The ransom note left for the victim was styled after Yanluowang ransom notes, yet some analysts mistakenly identified it as DarkSide. Because every analyst who looked at the sample saw something slightly different, CPR named it after the famous psychological test – Rorschach.
Self-Propagation
Rorschach creates processes in an unconventional manner: it starts them in SUSPENDED mode and hands them a fake command line to hinder analysis and remediation. The fake argument, a string of the digit 1 with the same length as the real argument, is then overwritten in the child process's memory with the real one before the process is resumed. The result, as described in Check Point Research's report, is that telemetry which captures the command line at process creation records only a run of 1s, while the process actually executes the real command.
When executed on a Windows Domain Controller, the ransomware spreads itself to the other machines in the domain via Group Policy: it copies itself to the %Public% folder of domain workstations, pushes a scheduled task that kills a predefined list of processes, and pushes another scheduled task that runs the copied executable with the relevant arguments. This GPO deployment differs from the one seen in LockBit 2.0 and is described in detail in CPR's report.
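The fake-argument trick described above leaves a visible trace: process-creation telemetry (Sysmon Event ID 1, EDR process-start events) typically reads the command line from the child's PEB when the process is created, which is before the real arguments are written back, so the logged command line is the placeholder. The following is an added detection example, not code from the page or from Check Point; the Sysmon-style events are constructed samples, the minimum placeholder length and the watchlists of backup-tampering tools and unexpected parents are assumptions to tune, and a product that re-reads the PEB after resume would not see the placeholder.

```python
"""Flag process-creation events whose command line is a placeholder run of '1's.

Constructed Sysmon Event ID 1 (ProcessCreate) records reduced to the fields the
check needs. These are made-up samples, not telemetry from any real incident.
"""
from __future__ import annotations

import ntpath
import re

PLACEHOLDER = re.compile(r"^1+$")
MIN_PLACEHOLDER_LEN = 8  # assumption: total placeholder length below this is noise (e.g. "ping 1")

# Assumption: tools commonly abused to delete backups / shadow copies. Not from the page.
BACKUP_TAMPER_TOOLS = {"vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe", "net.exe"}
# Assumption: Rorschach's payload runs inside notepad.exe (per the page), which has
# no business spawning administrative tools.
UNEXPECTED_PARENTS = {"notepad.exe"}

SAMPLE_EVENTS = [
    {"ProcessId": 4012, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"C:\Windows\System32\vssadmin.exe 111111 1111111 1111 111111",
     "ParentImage": r"C:\Windows\System32\notepad.exe"},
    {"ProcessId": 4015, "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": r'"C:\Program Files\Git\cmd\git.exe" status --short',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4020, "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"C:\Windows\System32\wbadmin.exe 111111 1111111 111111",
     "ParentImage": r"C:\Windows\System32\notepad.exe"},
    {"ProcessId": 4033, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": r"C:\Windows\System32\PING.EXE 1",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4040, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c echo 11111111",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def split_cmdline(cmdline: str) -> tuple[str, list[str]]:
    """Split a Windows command line into (image, args); handles a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], []
        image, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        image, _, rest = cmdline.partition(" ")
    return image, rest.split()


def placeholder_args(args: list[str], min_total: int = MIN_PLACEHOLDER_LEN) -> bool:
    """True when every argument is a run of '1's and the runs are long enough to matter."""
    if not args:
        return False
    if not all(PLACEHOLDER.match(a) for a in args):
        return False
    return sum(len(a) for a in args) >= min_total


def analyze(event: dict) -> list[str]:
    """Return the list of reasons this event looks like Rorschach-style process spawning."""
    reasons = []
    _, args = split_cmdline(event["CommandLine"])
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    if placeholder_args(args):
        reasons.append("placeholder_args")
    if parent in UNEXPECTED_PARENTS and image in BACKUP_TAMPER_TOOLS:
        reasons.append(f"unexpected_parent:{parent}")
    return reasons


def find_suspicious(events: list[dict]) -> list[dict]:
    """Return events with at least one reason, each annotated with its reasons."""
    hits = []
    for ev in events:
        reasons = analyze(ev)
        if reasons:
            hits.append({**ev, "Reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["ProcessId"], hit["Image"], hit["Reasons"])
```

In a hunt you would run `find_suspicious` over the ProcessCreate stream for the incident window; a hit with both reasons (placeholder arguments and a notepad.exe parent) is worth an immediate look at the parent's memory, since that is where the injected payload lives.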
Anti-Analysis Protection and Evasion
Rorschach exhibits sophisticated evasion tactics that make it difficult to analyze. The initial loader/injector, winutils.dll, is protected by UPX-style packing that needs manual unpacking. Once unpacked, it loads and decrypts config.ini, which holds the actual ransomware logic, and injects it into notepad.exe. The injected code is further protected by VMProtect, whose code virtualization complicates static analysis. To evade defenses, Rorschach issues the `syscall` instruction directly instead of calling the corresponding ntdll.dll exports. Since EDR products commonly monitor user-mode API use by hooking those exports, direct syscalls bypass that visibility; this is uncommon in ransomware and is a strong hunting signal when a `syscall` instruction is found in memory not backed by ntdll.dll or win32u.dll.
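One way to hunt for the direct-syscall technique in a dumped payload is to look for the canonical x64 Nt* stub shape (`mov r10, rcx ; mov eax, <SSN> ; ... ; syscall`) in memory that is not backed by ntdll.dll. The scanner below is an added example, not code from the page or from Check Point: the byte pattern is the standard Windows stub prologue, the blob it scans is constructed, the allowed gap between `mov eax` and `syscall` is an assumption sized for the `test`/`jne` pair present in Windows 10 stubs, and system call numbers are left unresolved because they change between Windows builds. It will not catch stubs that reach `syscall` indirectly through a `jmp` into ntdll.

```python
"""Locate direct-syscall stubs in a raw byte blob (e.g. a dumped injected region)."""
from __future__ import annotations

import re
import struct

# x64 Windows Nt* stub prologue: mov r10, rcx (4C 8B D1) ; mov eax, imm32 (B8 xx xx xx xx)
STUB_PROLOGUE = re.compile(rb"\x4C\x8B\xD1\xB8(?P<ssn>.{4})", re.DOTALL)
SYSCALL = b"\x0F\x05"
# Assumption: at most this many bytes between `mov eax` and `syscall`
# (Windows 10 stubs insert `test byte ptr [7FFE0308h],1 ; jne` = 10 bytes).
MAX_GAP = 16


def find_syscall_stubs(blob: bytes, max_gap: int = MAX_GAP) -> list[dict]:
    """Return one record per canonical stub: stub offset, raw SSN, syscall offset."""
    hits = []
    for m in STUB_PROLOGUE.finditer(blob):
        window = blob[m.end(): m.end() + max_gap + len(SYSCALL)]
        idx = window.find(SYSCALL)
        if idx == -1:
            continue  # prologue-like bytes with no nearby syscall: not a stub
        ssn = struct.unpack("<I", m.group("ssn"))[0]
        hits.append({"offset": m.start(), "ssn": ssn, "syscall_offset": m.end() + idx})
    return hits


def count_raw_syscalls(blob: bytes) -> int:
    """Coarser signal: every `syscall` instruction, stub-shaped or not."""
    return blob.count(SYSCALL)


# Constructed test blob: filler, a Windows 7-style stub, filler, a Windows 10-style
# stub, then two decoys that must not be reported as stubs.
WIN7_STUB = bytes.fromhex("4C8BD1 B855000000 0F05 C3".replace(" ", ""))           # SSN 0x55
WIN10_STUB = bytes.fromhex(
    "4C8BD1 B818000000 F6042508 03FE7F01 7503 0F05 C3 CD2E C3".replace(" ", ""))  # SSN 0x18
DECOY_NO_R10 = bytes.fromhex("B801000000 0F05".replace(" ", ""))      # mov eax ; syscall, no mov r10
DECOY_FAR_SYSCALL = bytes.fromhex("4C8BD1 B899000000".replace(" ", "")) + b"\x90" * 20 + SYSCALL

SAMPLE_BLOB = (b"\x90" * 8 + WIN7_STUB + b"\xCC" * 5 + WIN10_STUB
               + DECOY_NO_R10 + DECOY_FAR_SYSCALL)


def describe(blob: bytes) -> list[str]:
    """Human-readable summary lines for the stubs found in `blob`."""
    return [f"stub @0x{h['offset']:x}: SSN 0x{h['ssn']:x}, syscall @0x{h['syscall_offset']:x}"
            for h in find_syscall_stubs(blob)]


if __name__ == "__main__":
    for line in describe(SAMPLE_BLOB):
        print(line)
    print("raw syscall instructions:", count_raw_syscalls(SAMPLE_BLOB))
```

On a live system the blob would be each executable, non-image-backed region of the suspect process (here, the injected notepad.exe); any hit there is anomalous because legitimate code reaches the kernel only through ntdll.dll and win32u.dll. The gap between `find_syscall_stubs` and `count_raw_syscalls` is the trade-off between precision and recall: the first misses hand-rolled stubs, the second flags any two bytes that happen to be `0F 05`.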
Rorschach Ransomware: Conclusion
To stay hidden from security software and researchers, the creators of Rorschach implemented innovative anti-analysis and defense-evasion techniques. They also combined some of the most effective features of other ransomware families whose source has leaked online. The result is a strain that can propagate on its own across a domain, encrypts faster than its predecessors, and is harder to analyze, which raises the potency of the attacks it enables. So far, the operators and developers of Rorschach remain unidentified; as Check Point researchers noted, they have used no branding at all, which is rare in ransomware campaigns.