Researchers have discovered a new malware operation that uses the Rorschach ransomware to encrypt data. According to the report, this newly emerging threat first appeared in the United States, where it targeted a company.
This ransomware can encrypt a targeted file in under four minutes and thirty seconds. Analysts believe that Rorschach's encryption speed is the fastest among its peers.
The Rorschach ransomware has now infected victims in several countries across multiple continents.
Numerous researchers have spotted Rorschach targeting countries in the Middle East, Europe, and Asia.
In addition, recent samples of the strain show that it is highly customisable and uses direct syscalls, which lets it sidestep the user-mode API hooks that many security products rely on. This is a very uncommon feature in a ransomware strain.
The latest study of the ransomware explains that its operators can deploy it by exploiting a DLL side-loading flaw in the Cortex XDR Dump Service tool. Some researchers claim that Rorschach derives from the leaked Babuk source code and borrows some of its components from the LockBit 2.0 ransomware.
The operators then drop a ransom note whose format resembles that used by the Yanluowang ransomware group.
Experts observed that, upon execution, Rorschach first attempts to stop a predefined list of services on the targeted system. It then deletes shadow copies and backups using built-in Windows tools, making recovery of the encrypted files more difficult.
When executed on a Windows Domain Controller, the ransomware creates a Group Policy to distribute itself to other devices within the domain. Rorschach uses curve25519 and the eSTREAM cipher HC-128 to encrypt targeted files.
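As an added illustration of how a defender might detect the service-stopping and recovery-inhibition steps described above, the following detection logic (example code, not taken from the report or the malware) runs over constructed Sysmon-style process-creation events. The specific built-in commands it matches (vssadmin, wmic, wbadmin, bcdedit, net stop, sc stop) are assumptions about which Windows tools are meant, since the report does not name them.

```python
import re
from collections import Counter

# Constructed Sysmon-style process-creation events; not taken from the report.
SAMPLE_EVENTS = [
    {"host": "dc01", "ppid": 3988, "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "dc01", "ppid": 3988, "cmdline": "net stop SQLWriter /y"},
    {"host": "dc01", "ppid": 3988, "cmdline": "net stop VSS /y"},
    {"host": "dc01", "ppid": 3988, "cmdline": "sc stop Spooler"},
    {"host": "dc01", "ppid": 3988, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "dc01", "ppid": 3988, "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "ws07", "ppid": 1204, "cmdline": "vssadmin list shadows"},  # benign admin query
    {"host": "ws07", "ppid": 1204, "cmdline": "net stop Spooler"},       # single stop, below threshold
]

# Built-in Windows commands commonly used to inhibit recovery (assumed; the report
# only says "Windows tools"). Matched on the command line, case-insensitively.
RECOVERY_INHIBITION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
]
SERVICE_STOP = re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S+", re.I)


def detect(events, service_stop_threshold=3):
    """Return (host, alert_type, detail) tuples. Flags any recovery-inhibition
    command, plus a burst of service stops sharing one parent process (a
    predefined service list being stopped in sequence, as described above)."""
    alerts = []
    stops_by_parent = Counter()
    for ev in events:
        cmd = ev["cmdline"]
        if any(p.search(cmd) for p in RECOVERY_INHIBITION):
            alerts.append((ev["host"], "recovery_inhibition", cmd))
        if SERVICE_STOP.search(cmd):
            stops_by_parent[(ev["host"], ev["ppid"])] += 1
    for (host, ppid), n in stops_by_parent.items():
        if n >= service_stop_threshold:
            alerts.append((host, "mass_service_stop", f"ppid={ppid} stopped {n} services"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the mass-service-stop rule fires only for the domain controller's parent process that issued four stops, while the single stop and the read-only "vssadmin list shadows" on the workstation produce no alert.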
Cybersecurity experts believe that the Rorschach operators have adopted tactics from other ransomware operations, such as self-propagation, which raises the bar for malicious activity.
Since the operators of this newly emerged threat are still unknown, organisations can use the IOCs associated with it to understand its attack process.