The PolySwarm Blog


Rorschach Ransomware

Apr 14, 2023 2:25:33 PM / by The Hivemind


Executive Summary

Rorschach is a newly discovered ransomware family with the fastest encryption observed to date. Although its developers appear to have borrowed TTPs from other ransomware strains, Rorschach is unique and points to a sophisticated threat actor.

Key Takeaways

  • Rorschach is a newly discovered ransomware family. 
  • One of Rorschach’s most notable features is that it has one of the fastest encryption algorithms seen thus far.
  • Rorschach uses multiple techniques to evade detection. 

What is Rorschach Ransomware?

Check Point recently reported on Rorschach, a newly discovered ransomware family with the fastest encryption to date. The ransomware was used to target an unnamed company in the US.

Rorschach, also known as BabLock, is customizable and can operate using a built-in configuration or numerous optional command-line arguments, which lets threat actors tailor the ransomware to a particular target environment. Its code has unusual features, including the use of direct syscalls. One of Rorschach’s most notable features is that it has one of the fastest encryption routines observed thus far.

Rorschach is deployed via DLL sideloading of the Cortex XDR Dump Service Tool, a signed component of a commercial security product. It uses three files in its execution flow: cy.exe, the signed tool, which sideloads winutils.dll; winutils.dll, which decrypts and injects the ransomware; and config.ini, the main payload. Config.ini is loaded into memory, decrypted, and injected into notepad.exe.

To evade detection, Rorschach creates processes in a suspended state and passes them a falsified argument consisting of a repeated string of the digit 1. The falsified argument is then overwritten in the child process’s memory with the real argument, so the real argument is never present on the command line at process creation. Rorschach uses this technique for the processes it launches to stop a predefined list of services, delete volume shadow copies and backups, clear Windows event logs, and disable the Windows firewall.
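The two preceding paragraphs describe an execution chain with observable shape: a signed executable loading a DLL from its own directory, and child processes created with a placeholder argument of repeated 1s. The following is an added example of how a defender might encode those two observations as detection heuristics and correlate them through the parent/child relationship; it is not PolySwarm’s or Check Point’s code. The event format, file paths, process ids, and the assumption that the sideloading process is the parent of the notepad.exe child are all constructed for the example and do not follow any real EDR or Sysmon schema.

```python
"""Heuristics for the Rorschach execution chain described above.

Added example (not PolySwarm's or Check Point's code). The events below are a
constructed, simplified telemetry format, not a real EDR or Sysmon schema; the
rules only encode what the write-up states: a signed EXE sideloading a DLL from
its own directory, and child processes given a placeholder argument of
repeated '1' characters at creation time.
"""
import ntpath
import re
from typing import Dict, List

# Arguments that are one character repeated eight or more times, e.g. "11111111".
PLACEHOLDER_ARGS = re.compile(r"^(.)\1{7,}$")
# Directories where DLLs are normally loaded from; a DLL next to an EXE outside
# these is the shape of a sideload. Lower-cased for comparison.
SYSTEM_DIRS = (r"c:\windows", r"c:\program files")

# Constructed sample telemetry (paths, PIDs and the parent/child relationship
# are assumptions for the example; "ppid" is the parent process id).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4012, "ppid": 1200,
     "image": r"C:\Users\Public\tools\cy.exe", "cmdline": "cy.exe"},
    {"type": "image_load", "pid": 4012,
     "image": r"C:\Users\Public\tools\cy.exe",
     "loaded": r"C:\Users\Public\tools\winutils.dll"},
    {"type": "process_create", "pid": 4100, "ppid": 4012,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe 1111111111111111"},
    # Benign notepad launch by a different parent, included as a negative case.
    {"type": "process_create", "pid": 4200, "ppid": 900,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]


def split_args(cmdline: str) -> str:
    """Return the argument string after the first token (the executable name)."""
    parts = cmdline.strip().split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def is_placeholder_cmdline(cmdline: str) -> bool:
    """True when the arguments are a single repeated character, the placeholder
    pattern the write-up describes for Rorschach's suspended child processes."""
    return PLACEHOLDER_ARGS.match(split_args(cmdline)) is not None


def is_sideload_candidate(loader: str, loaded: str) -> bool:
    """True when a DLL is loaded from the loading EXE's own directory and that
    directory is outside the usual system locations. Checking the DLL's code
    signature against the EXE's would be a stronger test; it is not modelled here."""
    loader_dir = ntpath.dirname(loader).lower()
    loaded_dir = ntpath.dirname(loaded).lower()
    if not loader_dir or loader_dir != loaded_dir:
        return False
    return not loader_dir.startswith(SYSTEM_DIRS)


def analyze(events: List[Dict]) -> List[Dict]:
    """Run both rules over the event list and correlate them through the
    parent/child relationship. Returns one finding dict per hit, in order."""
    findings: List[Dict] = []
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    sideload_pids = set()

    for e in events:
        if e["type"] == "image_load" and is_sideload_candidate(e["image"], e["loaded"]):
            sideload_pids.add(e["pid"])
            findings.append({"rule": "dll_sideload", "pid": e["pid"], "detail": e["loaded"]})

    for e in events:
        if e["type"] != "process_create" or not is_placeholder_cmdline(e["cmdline"]):
            continue
        parent = ntpath.basename(image_by_pid.get(e["ppid"], "<unknown>"))
        child = ntpath.basename(e["image"])
        findings.append({"rule": "placeholder_cmdline", "pid": e["pid"],
                         "detail": f"{child} spawned by {parent} with {e['cmdline']!r}"})
        # A placeholder-argument child whose parent has already sideloaded a DLL
        # matches the full chain described above, so it gets its own finding.
        if e["ppid"] in sideload_pids:
            findings.append({"rule": "sideload_parent_of_placeholder_child",
                             "pid": e["pid"], "detail": f"parent pid {e['ppid']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

The placeholder rule is deliberately generic (any single character repeated eight or more times) because the command line recorded at process creation is the only thing a monitoring tool sees before the argument is overwritten in memory; the correlation rule exists because either observation alone is noisy, while a placeholder-argument child of a process that has just sideloaded a DLL is specific to the chain described here.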

Rorschach has autonomous capabilities, carrying out tasks that are typically performed manually in an enterprise-wide ransomware deployment. For example, Rorschach is capable of self-propagation by creating a domain group policy.

Rorschach’s encryption scheme uses the curve25519 key agreement and the eSTREAM stream cipher HC-128, and it encrypts only a portion of each file rather than the entire file (intermittent encryption). This results in an encryption process that is both fast and effective. While some variants of LockBit 3.0 were capable of encryption in 7 minutes, Rorschach is capable of encryption in just 4.5 minutes. Check Point researchers noted that even faster encryption times are possible if the number of encryption threads is adjusted via the --thread command-line argument. Rorschach’s speed is also due, in part, to how it is compiled: it is built with compiler optimizations that favor speed and code inlining.
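Partial encryption leaves a recognizable pattern on disk: runs of high-entropy bytes interleaved with untouched plaintext. The following is an added example of the chunk-entropy triage an analyst would run over a suspect file to tell a partially encrypted file from a whole-file encryptor’s output without knowing the cipher; it is not PolySwarm’s or Check Point’s code. The sample file is constructed, the “encrypted” windows are seeded pseudorandom bytes standing in for cipher output, and the every-other-window layout is an assumption for illustration rather than Rorschach’s actual encryption pattern.

```python
"""Chunk-entropy profile of a partially encrypted file.

Added example (not PolySwarm's or Check Point's code). It shows what the
"encrypt only a portion of each file" design in the write-up leaves behind on
disk, which is how an analyst triages a suspect file without knowing the
cipher. The sample file is constructed; the "encrypted" chunks are seeded
pseudorandom bytes standing in for cipher output, and the every-other-chunk
layout is an assumption for illustration, not Rorschach's actual pattern.
"""
import math
import random
from typing import List, Tuple

CHUNK = 4096          # analysis window in bytes
HIGH_ENTROPY = 7.5    # bits/byte; cipher output sits near 8.0 for 4 KiB windows


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropy_profile(blob: bytes, chunk: int = CHUNK) -> List[float]:
    """Entropy of each consecutive window of the file."""
    return [shannon_entropy(blob[i:i + chunk]) for i in range(0, len(blob), chunk)]


def encrypted_fraction(profile: List[float], high: float = HIGH_ENTROPY) -> float:
    """Share of windows that look like cipher output."""
    if not profile:
        return 0.0
    return sum(1 for e in profile if e >= high) / len(profile)


def classify(profile: List[float], high: float = HIGH_ENTROPY) -> str:
    """'plaintext', 'fully_encrypted' or 'partially_encrypted' by window entropy.
    A partially encrypted file keeps readable windows between the high-entropy
    ones, which distinguishes it from a whole-file encryptor's output."""
    frac = encrypted_fraction(profile, high)
    if frac == 0.0:
        return "plaintext"
    if frac == 1.0:
        return "fully_encrypted"
    return "partially_encrypted"


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed 32 KiB 'document' and a copy with every other 4 KiB window
    replaced by seeded pseudorandom bytes (the stand-in for encrypted data).
    The work an encryptor does scales with the bytes it touches, which is why
    this layout finishes in roughly half the time of whole-file encryption."""
    rng = random.Random(2023)
    text = (b"Quarterly report: revenue, costs, headcount. " * 1000)[:CHUNK * 8]
    windows = [text[i:i + CHUNK] for i in range(0, len(text), CHUNK)]
    altered = b"".join(rng.randbytes(CHUNK) if i % 2 == 0 else w
                       for i, w in enumerate(windows))
    return text, altered


if __name__ == "__main__":
    original, partial = build_samples()
    for name, blob in (("original", original), ("partial", partial)):
        profile = chunk_entropy_profile(blob)
        print(name, classify(profile), f"{encrypted_fraction(profile):.0%} high-entropy",
              [round(e, 2) for e in profile])
```

Run against a real suspect file by replacing the constructed sample with the file’s bytes; a profile that alternates between values near 8.0 and values typical of the file type (text sits well under 5.0, compressed formats such as ZIP or JPEG are already close to 8.0 and need a different baseline) is the signature of intermittent encryption.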

Rorschach’s ransom notes are reminiscent of those used by the Yanluowang and DarkSide ransomware families. Its encryption scheme appears to be inspired by Babuk’s, and the language list it uses to halt execution is the same as the one used by LockBit 2.0. However, Check Point researchers state that Rorschach is unique, with no known overlap with other ransomware strains, and nothing indicates an association with a particular ransomware group.


PolySwarm has a sample of Rorschach.


You can use the following CLI command to search for all Rorschach samples in our portal:

$ polyswarm link list -f Rorschach

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.



Topics: Threat Bulletin, Ransomware, Rorschach
