Cybersecurity Snapshots #43 - Rorschach Ransomware

New ransomware variants keep emerging, and one of them has officially taken the "encryption speed king" title from LockBit 3.0. Speed is so decisive that ransomware-as-a-service (RaaS) platforms advertise execution speed to prospective affiliates. The Rorschach ransomware variant was discovered by researchers at Check Point and was first detected in April 2023. It is a customized strain of the Babuk ransomware code. The researchers noted that one important speed component is the ability to spread the malware as far and wide as possible, as quickly as possible. In the past, ransomware gangs have used many techniques for fast propagation, including supply chain attacks and abuse of existing IT and security tools to push out their malware. Rorschach, however, has built and demonstrated a self-propagating, autonomous capability that leverages Active Directory (AD) Domain Group Policy Objects (GPOs). This lets the malware propagate rapidly across the network and execute the ransomware on every endpoint at blistering speed.

Researchers at Check Point found that on Windows endpoints, Rorschach's creators deliberately chose HC-128, a stream cipher that encrypts large streams of file data with impressive performance. For the asymmetric key exchange, Rorschach uses a scheme based on Curve25519, which the researchers noted is efficient in both computational performance and memory consumption while retaining strong security. Like many other ransomware strains, including LockBit and Babuk, Rorschach encrypts only parts of each file rather than the entire contents. This tactic, known as intermittent encryption, has become popular in the last couple of years for its efficiency and speed: encrypting only parts of a file dramatically reduces the time required to complete the data encryption. By shortening the encryption phase of an attack, ransomware operators give security tools less opportunity to detect them. The researchers stated that data encryption is the visible part of an attack, and attackers are shortening that window to better their odds in the race against defenders. Like other ransomware, Rorschach also uses parallelism and multithreading for high-performance encryption. Because the Rorschach implementation is customized for each operating system, on Windows it leverages a specific Windows capability, I/O completion ports, for efficient multithreaded encryption. The researchers noted that this technique is borrowed from LockBit 3.0, REvil, Hive, BlackMatter, and DarkSide. Check Point's researchers also found that, while Rorschach outpaces competitors in speed in some respects, it currently does not appear to exfiltrate data for double extortion.
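Intermittent encryption leaves a recognisable footprint on disk: encrypted regions look random while the untouched regions in between keep the low entropy of ordinary data. The following defender-side heuristic, added here as an example and not taken from Check Point's research or from the malware, scans a file in fixed blocks and flags the alternating high/low entropy pattern; the 4 KiB block size, the 7.5 bits/byte threshold, and the constructed sample contents are assumptions.

```python
import math
import random
from collections import Counter

# Assumed parameters: 4 KiB scan blocks and a 7.5 bits/byte "looks encrypted" threshold.
BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def intermittent_encryption_score(data: bytes, block_size: int = BLOCK_SIZE):
    """Return (fraction of high-entropy blocks, number of high/low transitions).

    Plaintext: fraction ~0, no transitions.  Whole-file encryption: fraction ~1,
    no transitions.  Intermittent encryption: fraction strictly between 0 and 1
    with repeated transitions as encrypted and untouched regions alternate.
    """
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    if not blocks:
        return 0.0, 0
    flags = [shannon_entropy(b) >= HIGH_ENTROPY for b in blocks]
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    return sum(flags) / len(flags), transitions


def looks_intermittently_encrypted(data: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """Heuristic verdict: mixed blocks plus at least two high/low boundaries."""
    fraction, transitions = intermittent_encryption_score(data, block_size)
    return 0.0 < fraction < 1.0 and transitions >= 2


def make_sample(kind: str, blocks: int = 8, block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed test data (not real ransomware output) for the three cases."""
    rng = random.Random(2023)  # deterministic stand-in for ciphertext
    text = (b"Quarterly report: revenue, costs, headcount, forecast.\n" * 200)[:block_size]
    out = bytearray()
    for i in range(blocks):
        encrypted = kind == "encrypted" or (kind == "intermittent" and i % 2 == 0)
        out += rng.randbytes(block_size) if encrypted else text
    return bytes(out)


if __name__ == "__main__":
    for kind in ("plain", "encrypted", "intermittent"):
        sample = make_sample(kind)
        print(kind, intermittent_encryption_score(sample), looks_intermittently_encrypted(sample))
```

Whole-file encryption shows up as uniformly high entropy and is deliberately not flagged here, since it needs a different check; compressed or already-encrypted formats (archives, media, encrypted containers) will also score high and need to be excluded by type before this heuristic is trusted.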

The researchers stated that one of Rorschach's particularly innovative moves is its ability to stay under the radar by using deception technology. Its evasion capabilities turn deception techniques and concepts to malicious ends, including obfuscation, the use of valid domain user and service accounts, and argument spoofing to hide the true capabilities of the ransomware.

Experts are warning that to combat Rorschach's self-propagation through AD GPOs and its high-speed campaigns, defenders need solutions that can detect and respond to novel, autonomous ransomware capabilities in real time. The Rorschach variant demonstrates the importance of continuous defender innovation, as well as the need to counter attacker movement in real time.

Submitted by Anonymous on