New Rorschach ransomware hits with unique features and very fast encryption


Researchers warn of a new strain of ransomware dubbed Rorschach that doesn’t appear to be related to previously known threats and uses several unique features in its implementation, including one of the fastest file encryption routines observed so far.

“A behavioral analysis of the new ransomware suggests it is partly autonomous, spreading itself automatically when executed on a domain controller (DC) while it clears the event logs of the affected machines,” researchers from security firm Check Point said in a new report. “In addition, it’s extremely flexible, operating not only based on a built-in configuration but also on numerous optional arguments which allow it to change its behavior according to the operator’s needs.”

The Check Point researchers came across the ransomware strain while responding to a security incident at a US-based company. Later they realized that researchers from South Korean security firm AhnLab had previously documented a variant in February, but had attributed it to the known DarkSide ransomware operation. Check Point believes this attribution is incorrect; the confusion may stem from similarities in the ransom notes dropped by the two threats, although those similarities did not appear in every case. In other incidents, Rorschach dropped a ransom note similar to one used by another ransomware program, Yanluowang.

The variety in behavior exhibited by this ransomware program, which seems to have borrowed techniques and code from various other ransomware threats, led to the Check Point researchers naming it Rorschach after the popular psychological test where subjects can have different perceptions of the same inkblots shown to them.

Rorschach features DLL side-loading

In the incident investigated by Check Point, Rorschach was executed by exploiting a DLL side-loading vulnerability in a component of Palo Alto Networks' Cortex XDR, a commercial security product. Specifically, the attackers dropped a copy of the Cortex XDR Dump Service Tool version 7.3.0.16740 together with a file named winutils.dll that serves as a loader for the ransomware.

DLL side-loading is a technique in which attackers plant a malicious DLL library with a particular name…
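As an added detection example (not code from the article or from the Check Point report), the following Python reviews image-load events of the kind Sysmon Event ID 7 produces and flags a DLL loaded from the executable's own directory when that directory is outside an assumed vendor install path or the DLL carries no valid signature. The executable name, paths and events are constructed placeholders, not values from the incident.

```python
import ntpath

# Constructed sample events modelled on Sysmon Event ID 7 (image load) fields.
# The executable name and paths are assumed placeholders for illustration.
SAMPLE_EVENTS = [
    {   # loader dropped beside a copied vendor tool in a user-writable dir
        "Image": r"C:\Users\Public\CortexDumpServiceTool.exe",
        "ImageLoaded": r"C:\Users\Public\winutils.dll",
        "SignatureStatus": "Unavailable",
    },
    {   # same tool in its assumed install dir loading a signed vendor DLL
        "Image": r"C:\Program Files\Palo Alto Networks\CortexDumpServiceTool.exe",
        "ImageLoaded": r"C:\Program Files\Palo Alto Networks\vendor.dll",
        "SignatureStatus": "Valid",
    },
    {   # ordinary load of a system DLL from System32: different directory
        "Image": r"C:\Users\Public\CortexDumpServiceTool.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "SignatureStatus": "Valid",
    },
]

# Directories where the vendor's binaries are expected to live (assumed).
EXPECTED_DIRS = [r"C:\Program Files\Palo Alto Networks"]


def _norm_dir(path):
    """Directory part of a Windows path, case-folded for comparison."""
    return ntpath.normcase(ntpath.dirname(path))


def is_sideload_candidate(event, expected_dirs=EXPECTED_DIRS):
    """True when the DLL sits in the process's own directory and either that
    directory is not an expected vendor location or the DLL is not validly signed."""
    exe_dir = _norm_dir(event["Image"])
    dll_dir = _norm_dir(event["ImageLoaded"])
    if exe_dir != dll_dir:
        return False  # loaded from System32 etc., not side by side
    in_expected = any(exe_dir.startswith(ntpath.normcase(d)) for d in expected_dirs)
    unsigned = event.get("SignatureStatus") != "Valid"
    return (not in_expected) or unsigned


def find_sideload_candidates(events, expected_dirs=EXPECTED_DIRS):
    """Return (executable, dll) pairs that warrant analyst review."""
    return [(e["Image"], e["ImageLoaded"])
            for e in events if is_sideload_candidate(e, expected_dirs)]
```

Feeding real Sysmon image-load records through `find_sideload_candidates` turns the article's indicator (a vendor tool and a same-named loader DLL in an unexpected directory) into a reviewable list rather than a one-off file search.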
