Experts warn of fast-encrypting ‘Rorschach’ ransomware

A new ransomware strain has alarmed cybersecurity researchers, who describe it as a mash-up of the most effective ransomwares currently in use.

Researchers at Israeli cybersecurity firm Check Point called the new ransomware “Rorschach” and said their incident response team discovered it while investigating an attack involving a U.S.-based company.

Sergey Shykevich, threat intelligence group manager at Check Point Research, told The Record that Rorschach is “the fastest and one of the most sophisticated ransomware we’ve seen so far.”

The reason why the researchers named it Rorschach is because each person who examined it saw something a little bit different, akin to the famous psychological test.

“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has technically distinct features taken from different ransomware families – making it special and different from other ransomware families,” Shykevich said.

In a report published Tuesday, the company said Rorschach appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain and does not have the kind of branding typical of most ransomware groups.

There are several features that surprised researchers beyond the speed of its encryption process — its average approximate time of encryption is minutes faster than commonly-used ransomware like LockBit. They conducted five separate encryption speed tests in controlled environments and ran it against LockBit, writing that the ransomware was the “new speed demon in town.”

Part of the ransomware is autonomous, allowing attackers to carry out tasks that they typically have to perform manually. The ransomware is also very customizable, giving attackers a wide range of tools it can deploy during incidents.

In the incident Check Point handled, the attackers deployed the ransomware using a signed component of a commercial security product – something atypical of ransomware attacks.

But the attack was strange to the responders. The hackers did not hide behind an alias and did not have an affiliation to any other group. The ransomware automatically spread itself throughout a system and cleared the event logs of infected devices.

Similarities and differences

While the ransomware had a number of distinctive features, it also took inspiration from several other ransomware strains. The ransom note sent to victims resembled ones from the Yanluowang and DarkSide groups while taking some code inspiration from the leaked source code of Babuk and LockBit ransomware strains.

The ransomware is able to delete backups and stop certain services like firewalls from operating, making recovery more difficult. The researchers were surprised to discover that in addition to encrypting an environment, the ransomware also uses unusual techniques to evade defense systems.

The developers of the ransomware also made sure to have it run two system checks that can halt its operations based on what language the victim is using. If the language is from a Commonwealth of Independent States (CIS) country like Armenia, Azerbaijan, Kazakhstan, Russia, Ukraine, Belarus, Tajikistan, Georgia, Kyrgyzstan, Turkmenistan, Uzbekistan and Moldova, the ransomware will not run.

The ransomware also has a unique encryption scheme, only encrypting portions of a file instead of the entire thing to make it more difficult to decrypt. This is part of what allows it to work faster than other ransomware encryption schemes.

“Our analysis of Rorschach reveals the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects,” the researchers said.

“The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations.”

Recorded Future ransomware expert Allan Liska said most of the new ransomware variants he sees have some code recycling in it, but Rorschach looks like it's almost brand new.

“That means it's probably an experienced ransomware group that's branching out into something new,” he said. “Whenever you see something this sophisticated, it means there's money and resources behind it, which likely means we’ll see more activity from this group.”