Overview

An emerging ransomware variant, named ‘Rorschach’, was recently identified after being deployed against an organisation located in the USA. Analysis shows that the ransomware has several unique features, such as the use of direct syscalls, and shares no significant attributes with known ransomware strains. Moreover, the ransomware is not branded, which is uncommon among established ransomware groups.

Behavioural analysis of Rorschach indicates that, when executed on a domain controller (DC), the ransomware carries out some of its objectives automatically, including creating a domain group policy object (GPO) to distribute itself to domain-joined machines, and clears the event logs of the affected machines. In other ransomware attacks, such as those involving the deployment of LockBit 2.0, threat actors achieve this distribution by manually creating group policies on the DC that are then applied by workstations on the network; Rorschach applies the same technique but creates the group policies automatically. The ransomware was initially observed being deployed via Dynamic-Link Library (DLL) side-loading of the Cortex XDR Dump Service Tool, a legitimate component of Palo Alto Networks’ Cortex XDR product, so that the trusted executable loads the malicious DLL placed alongside it. This loading method is not commonly used for ransomware.
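
The two DC-side behaviours above, GPO creation followed by log clearing, can be paired into a simple correlation check. The following is an added example written for this report page, not code from the report or from the malware: the event IDs are the standard Windows ones (Security 5137 for a directory service object being created, Security 1102 for the audit log being cleared, System 104 for the System log being cleared), while the flat ‘timestamp host channel id key=value’ log layout and the log lines themselves are constructed for the example.

```python
"""Correlation check for GPO creation followed by event-log clearing on the
same domain controller.  Added illustration, not part of the report.  The
event IDs are standard Windows ones; the log format and the sample lines are
constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

GPO_CREATED = ("Security", 5137)                     # directory service object created
LOG_CLEARED = {("Security", 1102), ("System", 104)}  # audit log / System log cleared


@dataclass
class Event:
    ts: datetime
    host: str
    channel: str
    event_id: int
    fields: dict


def parse_line(line: str) -> Event:
    """Constructed flat format; a real pipeline would read forwarded EVTX/XML."""
    ts, host, channel, eid, rest = line.split(" ", 4)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(datetime.fromisoformat(ts), host, channel, int(eid), fields)


def gpo_then_wipe(events, window=timedelta(minutes=30)):
    """Return (host, GPO DN, cleared channel, time) for every log-clearing
    event that follows a GPO creation on the same host within `window`.
    GPO creation on its own is routine admin activity; the pairing with a
    log wipe on the same DC is the signal."""
    gpo_events = [
        e for e in events
        if (e.channel, e.event_id) == GPO_CREATED
        and e.fields.get("ObjectClass") == "groupPolicyContainer"
    ]
    alerts = []
    for g in gpo_events:
        for e in events:
            if (e.host == g.host and (e.channel, e.event_id) in LOG_CLEARED
                    and g.ts <= e.ts <= g.ts + window):
                alerts.append((g.host, g.fields.get("ObjectDN"), e.channel, e.ts))
    return alerts


# Constructed sample: DC01 shows the pairing, DC02 shows a benign GPO creation.
SAMPLE_LOG = """\
2023-04-03T10:14:55 DC01 Security 4624 LogonType=3 TargetUserName=svc_backup
2023-04-03T10:15:02 DC01 Security 5137 ObjectClass=groupPolicyContainer ObjectDN=CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local SubjectUserName=svc_backup
2023-04-03T10:21:40 DC01 Security 1102 SubjectUserName=svc_backup
2023-04-03T10:21:41 DC01 System 104 Channel=System
2023-04-03T11:05:12 DC02 Security 5137 ObjectClass=groupPolicyContainer ObjectDN=CN={00000000-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=corp,DC=local SubjectUserName=jsmith
"""


def run_sample():
    return gpo_then_wipe([parse_line(l) for l in SAMPLE_LOG.splitlines()])


if __name__ == "__main__":
    for host, dn, channel, when in run_sample():
        print(f"{host}: GPO {dn} created, then {channel} log cleared at {when}")
```

One caveat matters in practice: the 5137 record lives in the very log the ransomware clears, so this pairing can only be evaluated on copies forwarded to a collector or SIEM before the wipe. On the DC itself only the 1102 and 104 records survive, since they are written after the clear, and a log-clearing event on a domain controller is rare enough to warrant an alert on its own.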

One of the most notable traits of Rorschach ransomware is the speed at which it encrypts. Approximately 220,000 local-drive files were encrypted in four minutes and 30 seconds, compared with seven minutes for LockBit 3.0 on the equivalent set. Rorschach uses a hybrid cryptography scheme that combines elliptic-curve key agreement over curve25519 with HC-128, a stream cipher from the eSTREAM portfolio, which also includes Salsa20, the cipher from which the more widely used ChaCha20 is derived. The asymmetric step means that only the holder of the attacker’s private key can recover the symmetric keys, so a victim cannot decrypt locally even with a full copy of the binary.
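
The shape of that hybrid scheme is shown below as an added example written for this page; it is not Rorschach’s code and does not reproduce its file format. The X25519 key agreement follows RFC 7748 exactly. HC-128 itself is not implemented here: a SHAKE-256 keystream stands in for it (an assumption made to keep the example short), and the ‘ciphertext followed by the ephemeral public key’ layout is likewise an assumed layout chosen to show why the victim-side state is useless without the attacker’s private key.

```python
"""Hybrid file encryption: curve25519 key agreement plus a stream cipher.
Added illustration, not Rorschach's code.  X25519 follows RFC 7748; the
stream cipher is a SHAKE-256 keystream standing in for HC-128 (assumption),
and the 'ciphertext || ephemeral public key' layout is assumed as well."""
import hashlib
import os

P = 2**255 - 19
A24 = 121665                       # (486662 - 2) / 4, the curve25519 ladder constant
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5.  Pure Python, so the swaps
    are not constant-time: fine for showing the scheme, not for real use."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                  # the top bit of u is ignored
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(private=None):
    """Curve25519 key pair.  The attacker's long-term pair is made once and
    only its public half ships in the binary; ephemeral pairs are made per file."""
    private = private or os.urandom(32)
    return private, x25519(private, BASEPOINT)


def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in for HC-128 (assumption): any keyed XOF yields a keystream.
    return hashlib.shake_256(key).digest(length)


def encrypt_file(plaintext: bytes, attacker_public: bytes) -> bytes:
    """Victim side.  A fresh ephemeral key per file gives every file its own
    keystream; the only thing left on disk is the ephemeral public key."""
    eph_private, eph_public = keypair()
    shared = x25519(eph_private, attacker_public)
    file_key = hashlib.sha256(shared).digest()
    ks = _keystream(file_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ciphertext + eph_public     # eph_private is simply discarded


def decrypt_file(blob: bytes, attacker_private: bytes) -> bytes:
    """Attacker side: what a decryptor sold to the victim has to do."""
    ciphertext, eph_public = blob[:-32], blob[-32:]
    shared = x25519(attacker_private, eph_public)
    file_key = hashlib.sha256(shared).digest()
    ks = _keystream(file_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    atk_private, atk_public = keypair()
    sample = b"constructed sample document contents"   # constructed input
    blob = encrypt_file(sample, atk_public)
    assert decrypt_file(blob, atk_private) == sample
    print("round trip ok;", len(blob) - 32, "bytes recovered")
```

The point to take from the structure is that the host never holds anything that can reverse the operation: the ephemeral private key is dropped after the shared secret is derived, and the attacker’s private key never leaves the operator. Speed comes from the symmetric cipher doing the bulk work, with one cheap X25519 operation per file.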

These factors support the assessment that Rorschach is currently one of the fastest ransomware variants being deployed in the wild. As with the LockBit ransomware family, Rorschach avoids targets in certain geographic locations by checking the system language settings of the host before encrypting. The check covers languages used in the 12 current, former, or founding Member States of the Commonwealth of Independent States (CIS). This reflects the tacit tolerance by Russian authorities of such groups’ activity, on the condition that they attack only foreign targets. It is a typical safeguard in malware written by developers from CIS countries (former Soviet Union nations), allowing the associated ransomware gangs to avoid penalties at home provided they do not attack organisations within the CIS.

Further Malware Reports from Quorum Cyber

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ

Colorado, USA Office

950 S Cherry St Ste 505
Denver, Colorado
USA
80246

Dubai, UAE Office

Meydan Grandstand
6th floor
Meydan Road
Nad AI Sheba
Dubai, U.A.E

Ontario, Canada Office

1375 North Service Rd E
Suite 102
Oakville
Ontario L6H 1A7

Arizona, USA Office

1300 S Litchfield Rd
110-L, Goodyear
USA
Arizona 85338
