New Rorschach ransomware is the fastest encryptor seen so far

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,566
Content source
https://www.bleepingcomputer.com/news/security/new-rorschach-ransomware-is-the-fastest-encryptor-seen-so-far/
Following a cyberattack on a U.S.-based company, malware researchers discovered what appears to be a new ransomware strain with "technically unique features," which they named Rorschach.

Among the capabilities observed is the encryption speed, which, according to tests from the researchers, would make Rorschach the fastest ransomware threat today.

The analysts found that the hackers deployed the malware on the victim network after leveraging a weakness in a threat detection and incident response tool.

Researchers at cybersecurity company Check Point, responding to an incident at a company in the U.S., found that Rorschach was deployed using the DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks.

The attacker used the Cortex XDR Dump Service Tool (cy.exe) version 7.3.0.16740 to sideload the Rorschach loader and injector (winutils.dll), which lead to launching the ransomware payload, “config.ini,” into a a Notepad process.

The loader file features UPX-style anti-analysis protection, while the main payload is protected against reverse engineering and detection by virtualizing parts of the code using the VMProtect software.

Check Point reports that Rorschach creates a Group Policy when executed on a Windows Domain Controller to propagate to other hosts on the domain. After compromising a machine, the malware erases all event logs.
Click to expand...
www.bleepingcomputer.com

New Rorschach ransomware is the fastest encryptor seen so far

Following a cyberattack on a U.S.-based company, malware researchers discovered what appears to be a new ransomware strain with "technically unique features," which they named Rorschach.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
  • Thanks
Reactions: Trident, fabiobr, upnorth and 8 others
vtqhtr413

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,484
Cybersecurity researchers have taken the wraps off a previously undocumented ransomware strain called Rorschach that's both sophisticated and fast. "What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not been seen before in ransomware," Check Point Research said in a new report. "In fact, Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption." The cybersecurity firm said it observed the ransomware deployed against an unnamed U.S.-based company, adding it found no branding or overlaps that connect it to any previously known ransomware actors. However, further analysis of Rorschach's source code reveals similarities to Babuk ransomware, which suffered a leak in September 2021 and LockBit 2.0. On top of that, the ransom notes sent out to the victims appear to be inspired by that of Yanluowang and DarkSide.
Click to expand...
thehackernews.com

Rorschach Ransomware Emerges: Experts Warn of Advanced Evasion Strategies

Cybersecurity researchers uncover a new, sophisticated ransomware strain called Rorschach.
thehackernews.com thehackernews.com
 
  • Like
  • Thanks
Reactions: Trident, upnorth, Nevi and 5 others
[correlate]

[correlate]

Level 18
Top Poster
Well-known
May 4, 2019
801
RORSCHACH – A NEW SOPHISTICATED AND FAST RANSOMWARE
Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) encountered a previously unnamed ransomware strain, we dubbed Rorschach, deployed against a US-based company.
Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups.
The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO). In the past, similar functionality was linked to LockBit 2.0.
The ransomware is highly customizable and contains technically unique features, such as the use of direct syscalls, rarely observed in ransomware. Moreover, due to different implementation methods, Rorschach is one of the fastest ransomware observed, by the speed of encryption.
The ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware. The vulnerability was properly reported to Palo Alto Networks
Click to expand...
research.checkpoint.com

Rorschach – A New Sophisticated and Fast Ransomware - Check Point Research

Research by: Jiri Vinopal, Dennis Yarizadeh and Gil Gekker Key Findings: Introduction While responding to a ransomware case against a US-based company, the CPIRT recently came across a unique ransomware strain deployed using a signed component of a commercial security product. Unlike other...
research.checkpoint.com research.checkpoint.com
 
  • Like
Reactions: Trident, upnorth, Nevi and 2 others
You must log in or register to reply here.

Similar threads

LASER_oneXM
    • Like
    • +Reputation
    • Wow
New Cactus ransomware encrypts itself to evade antivirus
Replies
0
Views
1,025
News Archive
LASER_oneXM
LASER_oneXM
Gandalf_The_Grey
    • +Reputation
    • Like
Cybersecurity firm Sophos impersonated by new SophosEncrypt ransomware
Replies
1
Views
1,451
News Archive
Kongo
Kongo
MuzzMelbourne
    • Like
    • +Reputation
Terminator antivirus killer is a vulnerable Windows driver in disguise
Replies
0
Views
1,324
News Archive
MuzzMelbourne
MuzzMelbourne

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top