New Rorschach Ransomware: The Fastest Encryptor

Home/BOTNET, Compromised, Data Breach, Exploitation, malicious cyber actors, Malware, Ransomware/New Rorschach Ransomware: The Fastest Encryptor

New Rorschach Ransomware: The Fastest Encryptor

A sophisticated and fast ransomware family, dubbed Rorschach, has emerged in the threat landscape. The ransomware was spotted for the first time when deployed against a U.S.-based company. Its uniqueness lies in its ability to encrypt files on targeted systems in just four minutes and thirty seconds.

Rorschach Ransomware

The ransomware is easily customizable. Some other ransomware families also provide this feature; ransomware operators can use optional arguments to modify the ransomware’s behavior to suit their needs. It also has some unique features that are uncommon in ransomware, like the use of direct syscalls.

Upon execution, Rorschach ransomware attempts to stop a predefined list of services from systems.

  • It deletes shadow volumes and backups using legitimate Windows tools to make the recovery process difficult. 
  • When executed on a Windows Domain Controller, the ransomware automatically creates a Group Policy to spread itself to other machines within the domain.
  • Rorschach employs a combination of the curve25519 and eSTREAM cipher hc-128 algorithms to effectively encrypt the files.

According to the researchers, Rorschach’s encryption routine demonstrates a highly effective implementation of thread scheduling via I/O completion ports.

Once it successfully infiltrates a system, Rorschach removes event logs from the Application, Security, System, and Windows PowerShell

The ransomware also stops various services, deletes system backups, and disables the Windows firewall to evade detection by running processes in SUSPEND mode, which results in falsified arguments. However, researchers stated that these options are concealed and cannot be accessed without reverse engineering.


The indicators of compromise include the files used in the execution of the Rorschach ransomware:

Cy[.]exe (PA Cortex Dump Service Tool)


Winutils.dll (Loader and injector into notepad[.]exe)

Hash: 4a03423c77fe2c8d979caca58a64ad6c

Config.ini (Encrypted ransomware payload)

Hash: 6bd96d06cd7c4b084fe9346e55a81cf9

By | 2023-04-06T22:31:34+05:30 April 6th, 2023|BOTNET, Compromised, Data Breach, Exploitation, malicious cyber actors, Malware, Ransomware|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!