Lockbit loses the crown of the most formidable ransomware, its successor is called Rorschach


Check Point Research cybersecurity researchers have discovered a new type of ransomware deployed on the networks of an American company. They nicknamed it Rorschach. According to them, in addition to being very sophisticated, this malware is extremely fast.


By analyzing the Rorschach code, experts found that it is one of the fastest ransomware strains ever observed in terms of encryption speed, and its deployment is automated. Its designers take advantage of the side-loading functionality of Cortex XDR, a professional security application, to download a dynamic link library (DLL) onto a computer connected to the target company's network. Once in place, it decompresses the malicious code, which then runs through a script in Windows Notepad and replicates to other systems connected to the network from the Domain Controller. From there, all files and disks are encrypted. The trap is in place.

Rorschach differs from other ransomware in several aspects. Firstly, the ransomware is not signed, a practice that is widespread among cyberblackmailers. Furthermore, "it is partially self-contained, performing tasks that are typically performed manually during enterprise-wide ransomware deployment, such as creating a domain group policy".

Rorschach takes the prize for the most formidable ransomware ahead of LockBit

Rorschach covers its tracks by deleting Windows event logs. It also erases automatic or manual backups of files or disks (shadow copies) to prevent any recovery, and it deactivates the computer's firewall.
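The three anti-recovery actions described above (clearing event logs, deleting shadow copies, disabling the firewall) are all visible in process-creation telemetry before encryption finishes. The following is an added detection example, not code from Check Point Research or from the article: it scans constructed Windows Security event 4688 records for commonly documented command-line forms of those actions (an assumption of the example, not a claim about Rorschach's exact commands) and flags any account that triggers more than one of them.

```python
import re

# Constructed sample of process-creation events (Windows Security event 4688
# style), serialised as dicts for the example; not taken from the Check Point report.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "SubjectUserName": "svc-backup"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "SubjectUserName": "svc-backup"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off", "SubjectUserName": "svc-backup"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt", "SubjectUserName": "alice"},
]

# One rule per behaviour named in the article. The patterns are commonly documented
# ways these actions show up on a command line (assumption of this example).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic\b.*shadowcopy.*delete", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "firewall_disabled": re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
}


def scan_events(events):
    """Return (label, user, command_line) for every 4688 event whose command
    line matches one of the RULES."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        for label, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((label, ev.get("SubjectUserName"), cmd))
    return hits


def correlate(hits, min_distinct=2):
    """Group hits by account. One account triggering several distinct rules is
    the pattern worth escalating, since the article describes the three
    actions happening together during deployment."""
    by_user = {}
    for label, user, _ in hits:
        by_user.setdefault(user, set()).add(label)
    return {u: sorted(labels) for u, labels in by_user.items() if len(labels) >= min_distinct}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print(correlate(found))
```

Feeding real 4688 or Sysmon process-creation records into `scan_events` is a matter of mapping the field names; the correlation step is what separates one admin running `wevtutil` from a host being prepared for encryption.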

Above all, Rorschach impressed the researchers with its speed of execution. While LockBit is considered the most formidable ransomware of the moment, the analysts' measurements leave no room for doubt: where LockBit takes 7 minutes to encrypt 220,000 files on a PC's local SSD storage, Rorschach takes only 4.5 minutes to accomplish the same task. The analysts add that tuning the malware only slightly would make it even faster.

Source: Check Point Research
