
Cybersecurity researchers have uncovered a previously undocumented ransomware strain, dubbed Rorschach, that is both sophisticated and fast.
“What makes Rorschach stand out from other ransomware is its high degree of customization and technically unique features never seen before in ransomware,” says Check Point Research in a new report. “In fact, Rorschach is one of the fastest ransomware ever observed in terms of encryption speed.”
The cybersecurity firm said it observed the ransomware deployed against an unnamed US-based company, adding that it found no branding or overlaps that tie it to previously known ransomware actors.
However, further analysis of Rorschach's code revealed similarities to Babuk, whose source code leaked in September 2021, and to LockBit 2.0. Additionally, the ransom note sent to the victim appears to have been inspired by those of Yanluowang and DarkSide.
The most notable aspect of the intrusion is how the ransomware payload is loaded: through DLL sideloading, a technique rarely observed in ransomware attacks. It marks a further refinement in how financially motivated groups try to evade detection.
Specifically, the ransomware is said to have been deployed by abusing Palo Alto Networks' Cortex XDR Dump Service Tool (cy.exe), a legitimate vendor binary, to sideload a library named 'winutils.dll'.
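The sideloading chain above is the kind of thing endpoint telemetry can catch: a vendor binary loading a DLL from a directory it has no business loading from. The following is an added detection example written for this article, not code from Check Point or Palo Alto Networks. It runs over constructed, simplified Sysmon Event ID 7 (ImageLoad) records; the trusted install directory, the expected signer name, the file hashes and the paths are assumptions for illustration and should be replaced with values from your own environment.

```python
# Added example: flag DLL sideloading of the kind described above, where a
# legitimate binary (cy.exe) loads winutils.dll from an unexpected location.
# Input records mimic Sysmon Event ID 7 (ImageLoad) fields; all sample data
# below is constructed for illustration.
from dataclasses import dataclass
import ntpath

# Hypothetical allow-list of directories the vendor tool may load libraries
# from. The Cortex XDR install path is an ASSUMPTION; adapt to the deployment.
TRUSTED_DIRS = (
    r"c:\program files\palo alto networks\traps",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Binaries known to be abused as sideloading hosts; cy.exe is the one named
# in the report. Extend from your own telemetry.
SIDELOAD_HOSTS = {"cy.exe"}

# Expected signer substring for the vendor's own DLLs (assumption).
EXPECTED_SIGNER = "palo alto"


@dataclass
class ImageLoad:
    image: str          # process that performed the load (Sysmon "Image")
    image_loaded: str   # DLL path (Sysmon "ImageLoaded")
    signed: bool        # Sysmon "Signed"
    signature: str      # Sysmon "Signature" (signer name), "" if unsigned


def is_trusted_dir(path: str) -> bool:
    """True if the file lives in (or below) an allow-listed directory."""
    d = ntpath.dirname(path).lower().rstrip("\\")
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def is_sideload(ev: ImageLoad) -> bool:
    """Classic sideload: a known host binary loads a DLL from an untrusted
    directory, and the DLL either sits beside the host (the search-order
    hijack pattern) or is not signed by the expected vendor."""
    host = ntpath.basename(ev.image).lower()
    if host not in SIDELOAD_HOSTS:
        return False
    untrusted = not is_trusted_dir(ev.image_loaded)
    same_dir = (ntpath.dirname(ev.image).lower()
                == ntpath.dirname(ev.image_loaded).lower())
    bad_signer = (not ev.signed) or (EXPECTED_SIGNER not in ev.signature.lower())
    return untrusted and (same_dir or bad_signer)


def find_sideloads(events: list) -> list:
    return [e for e in events if is_sideload(e)]


# Constructed sample events (not real telemetry).
EVENTS = [
    # Host and DLL both staged in a world-writable directory: flagged.
    ImageLoad(r"C:\Users\Public\cy.exe", r"C:\Users\Public\winutils.dll", False, ""),
    # Vendor tool loading its own signed library from its install dir: benign.
    ImageLoad(r"C:\Program Files\Palo Alto Networks\Traps\cy.exe",
              r"C:\Program Files\Palo Alto Networks\Traps\winutils.dll",
              True, "Palo Alto Networks"),
    # Staged host loading a system DLL from System32: benign on its own.
    ImageLoad(r"C:\Users\Public\cy.exe", r"C:\Windows\System32\kernel32.dll",
              True, "Microsoft Windows"),
    # Unknown host binary: outside this rule's scope.
    ImageLoad(r"C:\Users\Public\notepad.exe", r"C:\Users\Public\winutils.dll", False, ""),
]

if __name__ == "__main__":
    for ev in find_sideloads(EVENTS):
        print(f"SIDELOAD {ev.image} -> {ev.image_loaded}")
```

The rule deliberately keys on the host binary rather than on the DLL name, because the DLL name is trivially changed by the attacker while the abusable host binary is what gives the technique its value. Tune `TRUSTED_DIRS` and `EXPECTED_SIGNER` to the real install footprint before deploying, or the vendor's own updates will generate noise.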
Another distinctive feature is its highly customizable nature and its use of direct system calls to manipulate files, bypassing the user-mode Windows API layer that endpoint security products commonly hook.
Rorschach also terminates a predefined list of services, deletes shadow volume copies and backups, clears Windows event logs to remove forensic traces, disables the Windows firewall, and even deletes itself after completing its work.
According to Check Point and South Korean cybersecurity firm AhnLab, it propagates internally by compromising domain controllers and creating group policies. AhnLab incorrectly attributed the infection chain to DarkSide in February of this year.
The ransomware, like other malware seen in the wild, skips machines located in Commonwealth of Independent States (CIS) countries by checking the system language.
Researchers Jiri Vinopal, Dennis Yarizadeh and Gil Gekker explain: "[The encryption] process is designed to encrypt only certain parts of the original file content, rather than the entire file, and employs additional compiler optimizations to make it a 'speed demon'."
In five separate tests conducted in a Check Point controlled environment, Rorschach encrypted 220,000 files in an average of 4 minutes and 30 seconds. LockBit 3.0, on the other hand, took about 7 minutes.
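Partial-file encryption of the kind described above leaves a distinctive fingerprint: blocks of near-random data interleaved with intact plaintext, rather than uniformly high entropy across the whole file. The following triage check is an added example for this article, not tooling from Check Point. It computes per-block Shannon entropy and classifies a file as plaintext, partially encrypted, or fully encrypted; the block size, the entropy threshold, and the sample document are constructed assumptions.

```python
# Added example: per-block entropy scan to spot partial (intermittent)
# encryption. Sample input is constructed below; no real files are read.
import math
import random
from collections import Counter

BLOCK = 4096          # bytes per sample window (assumption; tune to the file type)
HIGH_ENTROPY = 7.0    # bits/byte; encrypted or random data sits near 8.0, text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropy(data: bytes, block: int = BLOCK) -> list:
    """Entropy of each consecutive block of the buffer."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def encrypted_blocks(data: bytes, block: int = BLOCK,
                     threshold: float = HIGH_ENTROPY) -> list:
    """Indices of blocks whose entropy exceeds the threshold."""
    return [i for i, e in enumerate(block_entropy(data, block)) if e >= threshold]


def classify(data: bytes, block: int = BLOCK, threshold: float = HIGH_ENTROPY) -> str:
    """'plaintext', 'partially-encrypted' or 'fully-encrypted'.

    Caveat: already-compressed formats (zip, jpeg, pdf streams) also read as
    high entropy, so confirm with file-type checks before acting on a hit."""
    total = len(block_entropy(data, block))
    hits = len(encrypted_blocks(data, block, threshold))
    if total == 0 or hits == 0:
        return "plaintext"
    if hits == total:
        return "fully-encrypted"
    return "partially-encrypted"


def build_sample(seed: int = 7) -> bytes:
    """Constructed 16-block 'document' in which every 4th block has been
    overwritten with random bytes, mimicking a partial-encryption pass."""
    rng = random.Random(seed)
    text = (b"Quarterly report: revenue, cost, headcount. " * 100)[:BLOCK]
    blocks = [rng.randbytes(BLOCK) if i % 4 == 0 else text for i in range(16)]
    return b"".join(blocks)


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample), encrypted_blocks(sample))
```

On the constructed sample the scan reports blocks 0, 4, 8 and 12 as encrypted and the file as partially encrypted, which is exactly the signature a fully-encrypting family would not leave. During incident response, running this over a directory tree gives a quick read on which files may still be partly recoverable and on the stride the encryptor used.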
"Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects," the researchers said.
“In addition, Rorschach seems to have taken some of the ‘best’ features from several major ransomware leaks online and combined them all. Along with Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks. ”
The findings come as Fortinet FortiGuard Labs unveiled details of two new ransomware families: PayMe100USD, a Python-based file-locking malware, and Dark Power, which is written in the Nim programming language.