Rorschach Ransomware: New, Fast and Sophisticated

Ransomware surprises security researchers with its speed and its combination of borrowed tactics

Details of a previously undocumented ransomware strain named Rorschach have been published by Check Point Research (CPR). The strain stands out above all for its encryption speed. It was deployed against a US-based company that has not been named.

“Unlike other ransomware cases, the threat actor did not hide behind any alias and appears to have no affiliation to any of the known ransomware groups. Those two facts, rarities in the ransomware ecosystem, piqued CPR's interest and prompted us to analyze the newly discovered malware thoroughly.”

Another notable design choice is that Rorschach encrypts only part of each file (intermittent encryption), which is what makes it so fast: most of the bytes on disk are never touched, yet the file is still unusable.
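To make the speed argument concrete, here is an added example (written for this page, not Check Point's or the malware's code) that models intermittent encryption and then shows the detection caveat that comes with it: a single whole-file entropy value misses a partially encrypted file, while a per-chunk entropy scan does not. The block sizes, the SHA-256 counter keystream, the key and the sample text are all assumptions made for illustration and are not Rorschach's real parameters.

```python
"""Intermittent (partial) file encryption, and why whole-file entropy checks miss it.

Added example for this page, not Check Point's or the malware's code. The
block sizes below are assumptions chosen for illustration, not Rorschach's
real parameters, and the SHA-256 counter keystream stands in for a real
stream cipher.
"""
import hashlib
import math
from collections import Counter

ENCRYPT_BLOCK = 4096   # bytes encrypted per stride (assumed value)
SKIP_BLOCK = 8192      # bytes left untouched between encrypted runs (assumed value)

# Constructed low-entropy sample "document", roughly 100 KB of repeated text.
SAMPLE_PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 2300
SAMPLE_KEY = b"example-key-not-a-real-one"  # constructed, for the demo only


def encrypted_ranges(size: int, enc: int = ENCRYPT_BLOCK, skip: int = SKIP_BLOCK):
    """Byte ranges [start, end) an intermittent scheme encrypts in a file of `size` bytes."""
    ranges = []
    pos = 0
    while pos < size:
        end = min(pos + enc, size)
        ranges.append((pos, end))
        pos = end + skip
    return ranges


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes from SHA-256 in counter mode (illustrative, not a vetted cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def intermittent_encrypt(data: bytes, key: bytes,
                         enc: int = ENCRYPT_BLOCK, skip: int = SKIP_BLOCK) -> bytes:
    """XOR only the selected ranges with keystream; every other byte is copied through unchanged."""
    out = bytearray(data)
    for start, end in encrypted_ranges(len(data), enc, skip):
        ks = keystream(key, start.to_bytes(8, "little"), end - start)
        for i in range(start, end):
            out[i] ^= ks[i - start]
    return bytes(out)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 is the maximum, ordinary English text sits around 4 to 5."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(data: bytes, chunk: int = 4096):
    """Entropy of each fixed-size slice of the file, in order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def whole_file_looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """The naive check: one entropy value for the entire file."""
    return shannon_entropy(data) > threshold


def looks_partially_encrypted(data: bytes, chunk: int = 4096,
                              high: float = 7.5, low: float = 6.0) -> bool:
    """Chunked check: high-entropy runs next to low-entropy runs is the intermittent signature."""
    ents = chunk_entropies(data, chunk)
    return any(e > high for e in ents) and any(e < low for e in ents)


if __name__ == "__main__":
    ct = intermittent_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    touched = sum(e - s for s, e in encrypted_ranges(len(SAMPLE_PLAINTEXT)))
    print(f"encrypted {touched} of {len(SAMPLE_PLAINTEXT)} bytes ({touched / len(SAMPLE_PLAINTEXT):.0%})")
    print("whole-file entropy check flags it:", whole_file_looks_encrypted(ct))
    print("chunked entropy check flags it:   ", looks_partially_encrypted(ct))
```

With the assumed 4 KB encrypted / 8 KB skipped stride only about a third of the bytes are ever written, which is where the speed comes from; the untouched two thirds also pull the whole-file entropy well below any sensible "encrypted" threshold, so a file-level entropy heuristic will report the file as clean. Scanning per chunk and looking for the alternation of near-8.0 and text-like entropy is the check that still works.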

How does it work?

Rorschach was not observed exploiting a vulnerability to get in. Check Point's analysis describes the sample being launched by DLL side-loading: a legitimately signed Cortex XDR Dump Service Tool (cy.exe) loads a malicious winutils.dll, which decrypts the real payload and injects it into a notepad.exe process. Once it is running inside a network it is very hard to stop, and recovery without good backups is difficult. The ransomware is also partly autonomous: when run on a Domain Controller it carries out tasks that are usually performed by hand during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO) that copies the ransomware to every domain-joined machine and creates a scheduled task to execute it. In practice this means the operator does not have to touch each host individually; a single execution on the DC pushes the payload out to the whole domain.

Its notable features include this partly autonomous spreading and clearing the event logs on Domain Controllers. It is flexible, with built-in defaults and optional command-line arguments that change its behaviour. It shares traits with other ransomware families but also uses less common techniques such as direct syscalls, which bypass the user-mode API hooks that EDR products rely on to observe what a process is doing.
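Both of the domain-level behaviours described in the two paragraphs above, the GPO that pushes a scheduled task to every machine and the log clearing on the Domain Controller, leave traces in Windows event logs that can be correlated. The following is an added hunting example written for this page, not Check Point's tooling or the malware's code. The event IDs are the real Windows Security and System IDs; the records in SAMPLE_EVENTS are constructed for illustration, and the flat dict layout, the 30-minute window and the three-host threshold are assumptions about how logs have been normalised and what counts as "many" machines.

```python
"""Hunting for a GPO-driven task rollout followed by event-log clearing on a DC.

Added example for this page, not Check Point's tooling. The event IDs are the
real Windows Security/System IDs; SAMPLE_EVENTS is constructed, and the dict
layout is an assumption about how logs were normalised before reaching here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GPO_OBJECT_CREATED = 5137      # Security: "A directory service object was created"
SCHEDULED_TASK_CREATED = 4698  # Security: "A scheduled task was created"
AUDIT_LOG_CLEARED = 1102       # Security: "The audit log was cleared"
SYSTEM_LOG_CLEARED = 104       # System: "The System log file was cleared"

ROLLOUT_WINDOW = timedelta(minutes=30)  # assumed: how soon after the GPO the tasks should appear
MIN_HOSTS = 3                           # assumed: minimum hosts for "pushed domain-wide"

UPDATE_TASK = "\\Microsoft\\Windows\\UpdateTask"  # constructed task name used in the sample

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"time": "2023-03-20T09:00:00", "computer": "DC01", "channel": "Security", "id": 5137,
     "fields": {"ObjectClass": "groupPolicyContainer", "SubjectUserName": "gpo-admin"}},
    {"time": "2023-04-01T02:10:05", "computer": "DC01", "channel": "Security", "id": 5137,
     "fields": {"ObjectClass": "groupPolicyContainer", "SubjectUserName": "svc-backup"}},
    {"time": "2023-04-01T02:14:10", "computer": "WS-01", "channel": "Security", "id": 4698,
     "fields": {"TaskName": UPDATE_TASK, "SubjectUserName": "SYSTEM"}},
    {"time": "2023-04-01T02:14:12", "computer": "WS-02", "channel": "Security", "id": 4698,
     "fields": {"TaskName": UPDATE_TASK, "SubjectUserName": "SYSTEM"}},
    {"time": "2023-04-01T02:14:15", "computer": "FS-01", "channel": "Security", "id": 4698,
     "fields": {"TaskName": UPDATE_TASK, "SubjectUserName": "SYSTEM"}},
    {"time": "2023-04-01T02:20:00", "computer": "WS-42", "channel": "Security", "id": 4698,
     "fields": {"TaskName": "\\Adobe Acrobat Update Task", "SubjectUserName": "jsmith"}},
    {"time": "2023-04-01T02:31:40", "computer": "DC01", "channel": "Security", "id": 1102,
     "fields": {"SubjectUserName": "svc-backup"}},
    {"time": "2023-04-01T02:31:41", "computer": "DC01", "channel": "System", "id": 104,
     "fields": {"SubjectUserName": "svc-backup"}},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_gpo_rollouts(events, window=ROLLOUT_WINDOW, min_hosts=MIN_HOSTS):
    """A GPO object creation followed within `window` by one task name on >= min_hosts hosts."""
    gpo_events = [e for e in events if e["id"] == GPO_OBJECT_CREATED
                  and e["fields"].get("ObjectClass") == "groupPolicyContainer"]
    task_events = [e for e in events if e["id"] == SCHEDULED_TASK_CREATED]
    findings = []
    for gpo in gpo_events:
        start = _ts(gpo)
        hosts_by_task = defaultdict(set)
        for task in task_events:
            if start <= _ts(task) <= start + window:
                hosts_by_task[task["fields"]["TaskName"]].add(task["computer"])
        for task_name, hosts in hosts_by_task.items():
            if len(hosts) >= min_hosts:
                findings.append({"dc": gpo["computer"], "time": gpo["time"],
                                 "user": gpo["fields"].get("SubjectUserName"),
                                 "task": task_name, "hosts": sorted(hosts)})
    return findings


def find_log_clears(events):
    """Every audit/system log clear; on a Domain Controller this alone is worth an alert."""
    wanted = {("Security", AUDIT_LOG_CLEARED), ("System", SYSTEM_LOG_CLEARED)}
    return [{"computer": e["computer"], "channel": e["channel"], "time": e["time"],
             "user": e["fields"].get("SubjectUserName")}
            for e in events if (e["channel"], e["id"]) in wanted]


def assess(events):
    """Combine both signals: a log clear on the same DC that just pushed a GPO is the worst case."""
    rollouts = find_gpo_rollouts(events)
    clears = find_log_clears(events)
    dcs_with_rollout = {r["dc"] for r in rollouts}
    critical = any(c["computer"] in dcs_with_rollout for c in clears)
    severity = "critical" if critical else ("high" if (rollouts or clears) else "none")
    return {"severity": severity, "rollouts": rollouts, "log_clears": clears}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_EVENTS), indent=2))
```

The older GPO created by gpo-admin in March is not flagged because no burst of identical scheduled tasks follows it, and the lone Acrobat task on WS-42 never reaches the host threshold; only the svc-backup GPO with the same task landing on three machines minutes later, followed by the Security and System logs being cleared on that same DC, produces a critical finding. Event 5137 requires directory service object auditing to be enabled, and 4698 requires "Audit Other Object Access Events" on the endpoints, so check that these are actually being collected before relying on the rule.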

Why should you care?

This ransomware is new, and it has caught defenders off guard because it combines techniques they have not seen packaged together before. It is highly customizable, innovative, and encrypts very quickly.

“Additionally, Rorschach appears to have taken some of the ‘best’ features from some of the leading ransomware leaked online, and integrated them all together. In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks,” says Check Point Research.

These sophisticated attacks highlight the importance of strong preventive security controls against ransomware, as well as continued vigilance and analysis of new ransomware samples to stay ahead of the threat actors. Even if your anti-malware defences stop 100 of these attacks, it only takes one getting through to cripple your systems.

You can learn more about Rorschach in Check Point Research's full write-up here.

Britec Helps
At Britec, we stay on the pulse of information security and all our clients are patched and protected. If you have been impacted and need help, please contact us.