How dangerous is the mysterious Rorschach ransomware?
Researchers uncover a new strain of malware with unusual features
Check Point Research (CPR) has uncovered a mysterious new strain of ransomware. What stands out most is that it is completely unbranded, which is very unusual in a ransomware ecosystem where reputation is everything. It also boasts faster encryption than any strain seen before, and it has rare, unusual features compared to others.
What do you see in the inkblots?
This new strain of ransomware is unusually customisable, allowing whoever operates it to deploy it as they wish. Researchers uncovered elements of code taken from the LockBit ransomware strain but also from other strains such as Babuk and DarkSide, leading many to describe it as a “Frankenstein” of sorts.
For this reason it has been named the Rorschach ransomware: who wrote it, who uses it and just where it fits into the ransomware market are all open to interpretation.
“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high levels of technically distinct features taken from different ransomware families — making it special and different from other ransomware families,” said Sergey Shykevich, threat intelligence group manager at CPR.
“The fastest ever ransomware”
It is making headlines for its encryption speed, almost twice as fast as the LockBit ransomware strain.
“The faster a ransomware can move through the encryption process, the more likely the attack will be completed before a security team can respond,” said Allan Liska, threat intelligence analyst and solutions architect at Recorded Future.
This is why early threat detection and prevention are so important.
But what many are saying is more dangerous than its impressive encryption speed is its set of evasion techniques.
“In a competitive cybercriminal market, threat actors will read threat intelligence about how malware works and use that insight to build better tools more capable of evading defences,” said Hanah-Marie Darley, head of threat research at Darktrace.
Rorschach uses DLL sideloading. Basically, an attacker places a malicious DLL in the same folder as a trusted program; when that program starts it loads the attacker’s library, so the malicious code runs under the name of a trusted process and is far less likely to be noticed. While not unheard of, it is very rare for ransomware to use this technique, and it is very hard to defend against.
It also clears Windows event logs on infected machines and disables firewalls to remain undetected. It even deletes backups so that victims cannot restore their data.
To defend against it, organisations should deploy a defence-in-depth strategy involving multiple layers and methods of detection, such as endpoint protection, behaviour monitoring and traffic profiling.
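The behaviours described above (an unsigned DLL loaded from a trusted program’s own folder, event logs being cleared, the firewall being switched off, backups being deleted) are exactly what the behaviour-monitoring layer of a defence-in-depth strategy should look for. The following is an added example written for this article, not code from CPR or any of the researchers quoted; it runs a few simple detection rules over constructed sample telemetry (the hosts, paths and command lines are invented, and the `channel`/`message` layout is an assumed normalised log format rather than any vendor’s schema) and then correlates hits per host, since one of these events alone is noise but several on the same machine within a short window is the pattern this article warns about.

```python
"""Behaviour-based detection over constructed Windows-style log events.

Added example for illustration only: the sample events below are invented,
and the field layout is an assumed normalised format, not a real sensor's.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Event:
    host: str
    channel: str   # "Security", "System", "ProcessCreate" or "ImageLoad"
    message: str   # key=value pairs, values optionally double-quoted


# Constructed sample telemetry (not real logs). WS01 shows the whole chain
# from the article; WS02 is benign background activity.
SAMPLE_EVENTS = [
    Event("WS01", "ProcessCreate", 'cmd="C:\\Windows\\System32\\svchost.exe -k netsvcs"'),
    Event("WS01", "ImageLoad",
          'process="C:\\Apps\\Vendor\\viewer.exe" image="C:\\Apps\\Vendor\\qtcore.dll" signed=false'),
    Event("WS01", "ImageLoad",
          'process="C:\\Apps\\Vendor\\viewer.exe" image="C:\\Windows\\System32\\kernel32.dll" signed=true'),
    Event("WS01", "ProcessCreate", 'cmd="vssadmin.exe delete shadows /all /quiet"'),
    Event("WS01", "ProcessCreate", 'cmd="netsh advfirewall set allprofiles state off"'),
    Event("WS01", "ProcessCreate", 'cmd="wevtutil.exe cl Security"'),
    Event("WS01", "Security", "EventID=1102 The audit log was cleared."),
    Event("WS02", "ProcessCreate", 'cmd="notepad.exe C:\\Users\\a\\notes.txt"'),
]

# Command-line patterns for the three "cover your tracks" behaviours.
# These are well-known built-in Windows tools; the patterns are deliberately
# narrow so that ordinary administrative use of the same tools does not fire.
COMMAND_RULES = {
    "backup_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"wbadmin(\.exe)?\s+delete\s+catalog|"
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
        re.IGNORECASE),
    "firewall_disabled": re.compile(
        r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off|"
        r"Set-NetFirewallProfile\b.*-Enabled\s+False",
        re.IGNORECASE),
    "event_log_cleared": re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+|Clear-EventLog\b",
        re.IGNORECASE),
}
# Windows records a log being cleared as Security 1102 and System 104.
LOG_CLEARED_IDS = {("Security", "1102"), ("System", "104")}
SYSTEM_DIRS = ("c:\\windows\\",)

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(message):
    """Turn 'a="x y" b=2' into {'a': 'x y', 'b': '2'}."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(message)}


def is_sideload_candidate(fields):
    """Heuristic: an unsigned DLL loaded from the same non-system folder as the process image."""
    process, image = fields.get("process"), fields.get("image")
    if not process or not image or not image.lower().endswith(".dll"):
        return False
    if fields.get("signed", "").lower() == "true":
        return False
    proc_dir, img_dir = PureWindowsPath(process).parent, PureWindowsPath(image).parent
    if img_dir != proc_dir:            # PureWindowsPath compares case-insensitively
        return False
    return not str(img_dir).lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule, host, detail) tuples for every event matching a rule."""
    alerts = []
    for ev in events:
        fields = parse_fields(ev.message)
        if ev.channel == "ProcessCreate":
            cmd = fields.get("cmd", "")
            alerts.extend((name, ev.host, cmd)
                          for name, rx in COMMAND_RULES.items() if rx.search(cmd))
        elif ev.channel == "ImageLoad":
            if is_sideload_candidate(fields):
                alerts.append(("dll_sideload_candidate", ev.host, fields["image"]))
        elif (ev.channel, fields.get("EventID", "")) in LOG_CLEARED_IDS:
            alerts.append(("event_log_cleared", ev.host, ev.message))
    return alerts


def summarize(alerts):
    """Count alerts per rule name."""
    counts = {}
    for name, _host, _detail in alerts:
        counts[name] = counts.get(name, 0) + 1
    return counts


def hosts_at_risk(alerts, threshold=3):
    """Hosts on which at least `threshold` distinct rules fired: escalate these first."""
    rules_by_host = {}
    for name, host, _detail in alerts:
        rules_by_host.setdefault(host, set()).add(name)
    return {h for h, rules in rules_by_host.items() if len(rules) >= threshold}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, host, detail in found:
        print(f"{host}: {rule}: {detail}")
    print("per-rule counts:", summarize(found))
    print("hosts to escalate:", hosts_at_risk(found))
```

Each rule on its own is weak evidence: administrators do clear logs and delete old shadow copies. The value comes from the correlation step, which is why `hosts_at_risk` only escalates a machine once several distinct behaviours have been seen on it; in a real deployment the same logic would run over a time window rather than a flat list.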
So how dangerous is it?
Researchers are pointing out that Rorschach is a step forward for ransomware. What was once teenage pranks from mum’s basement is now a thriving industry with professional, competitive software. Researchers at CPR have said it has “raised the bar for ransomware.”
It is highly flexible, allowing attackers to deploy it how they want. Automation of formerly manual processes means it is capable of worming its way through networks without user input. Researchers at CPR described it as “the fastest and one of the most sophisticated ransomware we’ve seen so far.”
Experts are warning against ransomware complacency, and Rorschach perfectly highlights how ransomware is still a serious and evolving threat.
While it has been confirmed to have hit at least one US company, no other victims have come forward yet. This leaves us largely in the dark as to the extent of the damage it is capable of. But a ransomware attack is a long, multi-staged process, often taking months, and encryption happens only at the end. So there are almost certainly organisations that are infected right now who just don’t know it yet, waiting for the ransom demand to show up on screen.