New Emerging ransomware: RORSCHACH
April 6th, 2023 - Written By CyberLabs
One of the fastest-encrypting ransomware strains, known as “Rorschach,” has been identified by security experts. It has also demonstrated sophisticated evasion skills in attacks across the globe. The ransomware was swiftly identified as an especially effective and seemingly unrelated strain after it was discovered during an attack on the Windows environment of an undisclosed US-based company.
Rorschach was described as “one of the fastest ransomware out there” by Check Point Research in a blog post because of its remarkable optimization and sophisticated cryptography technique. Rorschach was able to encrypt 220,000 files in 270 seconds during controlled encryption experiments, which is 150 seconds quicker than the allegedly “fastest” ransomware, LockBit 3.0.
Combining the curve25519 and hc-128 algorithms allows for this, encrypting only portions of data for more effective encryption. The finest code fragments from a variety of other ransomware strains seem to be combined in Rorschach. Researchers from Check Point and Group-IB discovered that Rorschach’s classes for renaming encrypted machine files appear to have been lifted from LockBit 2.0, while the code it employs to kill services is identical to that found in Babuk ransomware.
Aside from its advanced cryptography, the strain follows a typical malware pattern of operation. It kills the firewall, turns off some services to escape detection, and deletes shadow volumes to stop file recovery. Although the ransom note in a different variant of Rorschach discovered by AhnLab was closer in structure to the DarkSide group, the ransom notes that researchers found on infected systems borrowed the structure from those found in attacks by Yanluowang.
Rorschach, identified by Group-IB as “BabLock,” was observed in assaults against industrial targets in Europe, Asia, and the Middle East in January 2023. The malware left unharmed devices that were written in Russian and other languages that were widely spoken in post-Soviet regions.
Source
https://www.group-ib.com/blog/bablock-ransomware/
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
