The attackers abused a commercial security product, the Palo Alto Cortex XDR Dump Service Tool, to deploy a new proprietary ransomware strain.
The malware, dubbed Rorschach, was discovered by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) and was described today in an advisory.
CPR’s Jiri Vinopal, Dennis Yarizadeh and Gil Gekker wrote:
“These two facts – the rarity of the ransomware ecosystem – caught CPR’s attention and prompted a thorough analysis of the newly discovered malware.”
This ransomware is self-replicating when executed on a domain controller (DC). It has also been observed clearing event logs on infected devices.
“Furthermore, it is very flexible, operating not only on built-in configuration, but also on numerous optional arguments that can change its behavior according to the needs of the operator,” the CPR team wrote in the advisory.
“Although it appears to take inspiration from some of the most notorious ransomware families, it also includes unique features rarely found in ransomware, such as direct system call usage.”
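As an added example (not code from the Check Point report or this article), the event-log clearing described above is something defenders can hunt for in Windows event telemetry: the Python script below runs over constructed sample records and flags hosts where several event logs are cleared within a short window, using the standard "log cleared" event IDs 1102 (Security) and 104 (other logs). The JSON line format and its field names are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known Windows event IDs written when an event log is cleared:
# 1102 (Security log cleared, in the Security log) and 104 (other logs, in the System log).
LOG_CLEARED_IDS = {1102, 104}

# Constructed sample records (not real telemetry), one simplified JSON object per line.
SAMPLE_LOGS = """
{"ts": "2023-04-04T10:00:01", "host": "dc01", "channel": "Security", "event_id": 4624, "user": "svc_backup"}
{"ts": "2023-04-04T10:05:10", "host": "dc01", "channel": "Security", "event_id": 1102, "user": "svc_backup"}
{"ts": "2023-04-04T10:05:12", "host": "dc01", "channel": "System", "event_id": 104, "user": "svc_backup", "cleared_channel": "System"}
{"ts": "2023-04-04T10:05:13", "host": "dc01", "channel": "System", "event_id": 104, "user": "svc_backup", "cleared_channel": "Application"}
{"ts": "2023-04-04T11:30:00", "host": "ws07", "channel": "System", "event_id": 104, "user": "admin", "cleared_channel": "Application"}
{"ts": "2023-04-04T12:00:00", "host": "ws07", "channel": "Security", "event_id": 4688, "user": "admin"}
"""

def parse_records(text):
    """Parse JSON lines into dicts with a datetime 'ts'; malformed lines are skipped, not fatal."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
        except (ValueError, KeyError):
            continue
    return records

def find_log_clearing_bursts(records, window=timedelta(minutes=5), min_clears=2):
    """Map host -> clear events when >= min_clears distinct logs were wiped within `window` (a burst is a stronger signal than one admin clearing one log)."""
    clears_by_host = defaultdict(list)
    for rec in records:
        if rec.get("event_id") in LOG_CLEARED_IDS:
            clears_by_host[rec["host"]].append(rec)
    hits = {}
    for host, events in clears_by_host.items():
        events.sort(key=lambda r: r["ts"])
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            # 1102 has no cleared_channel field: it always refers to the Security log
            if len({e.get("cleared_channel", "Security") for e in in_window}) >= min_clears:
                hits[host] = in_window
                break
    return hits

if __name__ == "__main__":
    for host, events in find_log_clearing_bursts(parse_records(SAMPLE_LOGS)).items():
        print(f"ALERT {host}: {len(events)} event-log clears within 5 minutes")
```

On the sample data only dc01 is flagged: three distinct logs are cleared there within seconds, while the single Application-log clear on ws07 stays below the threshold.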
One similarity to existing ransomware families is the format of the ransom note. It resembles that of Yanluowang ransomware in some cases and DarkSide in others.
Sergey Shykevich, Threat Intelligence Group Manager at CPR, said Rorschach is one of the fastest and most sophisticated ransomware strains the company has encountered.
“This speaks to the rapidly changing nature of cyberattacks and the need for businesses to deploy defense-first solutions that can stop Rorschach from encrypting data,” Shykevich concluded.
The CPR advisory comes a few weeks after CISA announced its new Ransomware Vulnerability Warning Pilot (RVWP) program.