Rorschach, a highly sophisticated ransomware strain, stands out most for its ability to encrypt data more quickly than other known strains and evade advanced security detection, according to ransomware researchers and experts.
The first iteration of the ransomware strain, which was detected by Check Point and deemed the “fastest ever ransomware” last week, carries autonomous propagation capabilities when executed on a Windows domain controller, according to Jon Miller, CEO and co-founder of Halcyon.
The novel ransomware strain used DLL side-loading in an initial attack on an unnamed U.S. company to abuse the dump service tool in Palo Alto Networks’ Cortex XDR, a legitimate and digitally signed security product.
Palo Alto Networks said it will release new versions of Cortex XDR to prevent the misuse of its software and confirmed versions of the agent running a content update earlier than CU-240 on Windows are affected. The cybersecurity vendor updated its security advisory on Wednesday to inform customers that content update CU-910 further detects and prevents the DLL side-loading technique.
A spokesperson for Palo Alto Networks said the company will continue to share updates as necessary.
Hanah-Marie Darley, head of threat research at Darktrace, described Rorschach as “Frankenstein ransomware” due to its customization features that allow threat actors to augment its behavior, a direct result of a thriving ransomware as a service ecosystem.
“In a competitive cybercriminal market, threat actors will read threat intelligence about how malware works and use that insight to build better tools more capable of evading defenses,” Darley said via email.
“These attacks also tend to use living off the land techniques and quiet intrusion elements, which are unlikely to be present in templated kill chain playbooks for most threats,” Darley said.
Faster encryption speed ramps up pressure
The speed of Rorschach’s encryption caught the attention of many ransomware observers.
“The faster a ransomware can move through the encryption process, the more likely the attack will be completed before a security team can respond,” Allan Liska, threat intelligence analyst and solutions architect at Recorded Future, said via email.
This highlights the need for organizations to detect threats early, even after intrusion or lateral movement, to catch and stop a ransomware attack from causing further damage.
Ransomware as a service providers tout encryption speed to attract affiliates, which makes Rorschach a ransomware strain to watch. But advanced security evasion capabilities are more concerning than encryption speed, Miller said.
DLL side-loading is not a new technique, but it’s rare in ransomware attacks and an incredibly difficult attack technique to defend against, according to Miller. The technique was used by REvil in the 2021 ransomware attack against Kaseya.
“While Rorschach does advertise itself as totally new, there are components of other ransomware strains incorporated into its code,” Liska said. “This is not surprising as many ransomware groups reuse parts of other ransomware to build their own.”
Novelty aside, the potential impact of Rorschach and the victims it has claimed remain unknown. Multiple samples have been posted to VirusTotal and other malware repositories, but no victims have been publicly identified thus far, Liska said.
It’s also important to note that ransomware comes in many forms, and encryption doesn’t typically occur, if at all, until the later stages of an attack.
“Since these are longer, multistage operations, it is likely that there are some Rorschach attacks underway that have not been detected yet,” Miller said, “and most targets only discover they have been hit when the attackers deploy the ransomware payload and reveal themselves via the ransom note.”