A sophisticated and fast ransomware family, dubbed Rorschach, has emerged in the threat landscape. The ransomware was spotted for the first time when deployed against a U.S.-based company. Its uniqueness lies in its ability to encrypt files on targeted systems in just four minutes and thirty seconds.
The ransomware is easily customizable. Some other ransomware families also provide this feature; ransomware operators can use optional arguments to modify the ransomware’s behavior to suit their needs. It also has some unique features that are uncommon in ransomware, like the use of direct syscalls.
Upon execution, Rorschach ransomware attempts to stop a predefined list of services on the target system.
- It deletes shadow volumes and backups using legitimate Windows tools to make the recovery process difficult.
- When executed on a Windows Domain Controller, the ransomware automatically creates a Group Policy to spread itself to other machines within the domain.
- Rorschach employs a combination of the curve25519 and eSTREAM cipher hc-128 algorithms to effectively encrypt the files.
According to the researchers, Rorschach’s encryption routine demonstrates a highly effective implementation of thread scheduling via I/O completion ports.
Once it successfully infiltrates a system, Rorschach clears the Application, Security, System, and Windows PowerShell event logs.
The ransomware also stops various services, deletes system backups, and disables the Windows firewall. To evade detection, it runs its processes in SUSPEND mode with falsified command-line arguments. However, researchers stated that these options are concealed and cannot be accessed without reverse engineering.
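The behaviours described above (recovery-data deletion with built-in Windows tools, event log clearing, firewall disabling) are all visible in standard Windows telemetry. The following is an added example, not code from the original report or from any vendor, of a small triage rule run over constructed event records: Sysmon event 1 (process creation), Security event 1102 (audit log cleared) and System event 104 (other log cleared). The page does not name the tools Rorschach invokes, so the command-line patterns for `vssadmin`, `wmic`, `wbadmin`, `bcdedit` and `netsh` are assumptions based on how these tools are commonly abused.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    channel: str    # Windows event log channel the record came from
    event_id: int
    data: dict      # event-specific fields

# Legitimate Windows tools commonly abused to destroy recovery data.
# Assumption: the article does not name the tools Rorschach actually uses.
RECOVERY_DELETION = [
    r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
    r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b",
    r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b",
    r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
]
FIREWALL_OFF = r"\bnetsh(\.exe)?\b.*\badvfirewall\s+set\s+\w+\s+state\s+off\b"
# Log channels the article says Rorschach clears.
WATCHED_LOGS = {"Application", "Security", "System", "Windows PowerShell"}

def classify(ev: Event) -> list:
    """Return alert tags for one event; empty list when nothing suspicious."""
    tags = []
    if ev.channel == "Microsoft-Windows-Sysmon/Operational" and ev.event_id == 1:
        cmd = ev.data.get("CommandLine", "")
        if any(re.search(p, cmd, re.I) for p in RECOVERY_DELETION):
            tags.append("recovery-data-deletion")
        if re.search(FIREWALL_OFF, cmd, re.I):
            tags.append("firewall-disabled")
    elif ev.channel == "Security" and ev.event_id == 1102:  # audit log cleared
        tags.append("log-cleared:Security")
    elif ev.channel == "System" and ev.event_id == 104:     # other log cleared
        name = ev.data.get("Channel", "")
        if name in WATCHED_LOGS:
            tags.append("log-cleared:" + name)
    return tags

def triage(events: list) -> tuple:
    """Aggregate tags for one host; two or more distinct behaviours in the
    same window are treated as a ransomware precursor."""
    seen = set()
    for ev in events:
        seen.update(classify(ev))
    return sorted(seen), ("ransomware-precursor" if len(seen) >= 2 else "no-alert")

# Constructed sample records (not real telemetry).
SAMPLE = [
    Event("Microsoft-Windows-Sysmon/Operational", 1,
          {"CommandLine": "vssadmin.exe delete shadows /all /quiet"}),
    Event("Microsoft-Windows-Sysmon/Operational", 1, {"CommandLine": "notepad.exe"}),
    Event("Security", 1102, {"SubjectUserName": "admin"}),
    Event("System", 104, {"Channel": "Windows PowerShell"}),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```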
The indicators of compromise include the files used in the execution of the Rorschach ransomware:
- Cy[.]exe (PA Cortex Dump Service Tool)
- Winutils.dll (Loader and injector into notepad[.]exe)
- Config.ini (Encrypted ransomware payload)