Researchers state that Rorschach ransomware has been labelled as the fastest-ever ransomware due to its unparalleled evasion techniques, which have never been seen before.
Check Point Research has shared details of previously undocumented ransomware, dubbed Rorschach, which they regard as the fastest-ever ransomware discovered so far. Researchers noticed that an unnamed US-based organization is one of the victims of Rorschach.
It’s not surprising that new strains of ransomware are emerging, given the increasing number of ransomware attacks and the constant development of new evasion techniques by cybercriminals. Recently, researchers discovered a new ransomware strain called Cylance that targets both Linux and Windows devices.
Highly Effective, Evasive, and Fast-Encrypting Ransomware
An exclusive feature of Rorschach ransomware is its effective, fast hybrid-cryptography scheme, which makes it the fastest ransomware out there, even faster than LockBit.
Calling it a Speed Demon, Check Point researchers wrote that in a controlled encryption speed assessment, the ransomware encrypted 220,000 files in four and a half minutes. In contrast, LockBit encrypted the same number of files in seven minutes.
Rorschach ransomware boasts advanced encryption technology and can spread automatically on the machine if executed on a domain controller.
Moreover, this is a highly configurable malware equipped with novel functionalities that make it stand out among other ransomware strains. It features a “high level of customization” and has “technically unique features that have not been seen before in ransomware,” Check Point’s researchers Jiri Vinopal, Dennis Yarizadeh, and Gil Gekker explained in their report.
“In fact, Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption.”
Furthermore, the ransomware is equipped with safeguards to bypass analysis and defence mechanisms, which it achieves via direct system calls. This is the first ransomware that can make direct system calls. Until now, only malware families had this feature.
Is Rorschach Linked with another Ransomware?
Although it seems inspired by several other ransomware, Rorschach is neither linked to any other malware family nor affiliated with another ransomware group. However, researchers did observe similarities between Rorschach and Babuk ransomware source codes.
It is worth noting that Babuk’s source code was leaked in September 2021. The ransom notes used in Rorschach-based campaigns are inspired by DarkSide and Yanluowang.
How is Rorschach Executed?
The ransomware execution mainly relies on three files. First, Cortex XDR Dump Service Tool (cy.exe) is executed, which side-loads with loader and injector file (winutils.dll). This DLL file then loads the ransomware (config.ini) in the memory. It also gets injected into notepad.exe.
Rorschach uses multiple processes and uses falsified arguments to stop some processes, clear Windows event logs, delete shadow backups and volumes, and disable Windows firewalls.
When the ransomware is executed on a domain controller, it generates a group policy that lets it automatically infect other devices on that domain. It checks for the infected device language and terminates if a language from the CIS countries, e.g., Russia, is detected.