
New Ransomware Rorschach Attacks

Researchers at the cybersecurity company Check Point discovered a previously unseen ransomware strain while investigating an attack on a US company. The new ransomware, named Rorschach, is one of the fastest ransomware families observed so far and outpaces even the notorious LockBit 3.0 thanks to its encryption techniques. For example, instead of encrypting every byte of a file, it encrypts only portions of it (intermittent encryption). That is enough to render the file unreadable while cutting the time spent on each file.
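To make the partial-encryption point concrete, here is an added example that is not Rorschach's code and is not taken from Check Point's report: a toy intermittent encryptor that encrypts a 4 KB block out of every 16 KB, beside a naive whole-file entropy heuristic and a per-chunk entropy scan. The 4 KB / 16 KB layout, the SHA-256 counter-mode keystream standing in for the real cipher, the threshold of 7.0 bits per byte and the sample document are all assumptions made for the demonstration. What it shows is the forensic caveat: a whole-file entropy check passes the partially encrypted file as "not encrypted", while the chunked scan finds exactly the encrypted regions.

```python
"""Intermittent (partial) encryption versus whole-file and per-chunk
entropy checks.  Added example, not Rorschach's code; the block layout,
the toy keystream, the threshold and the sample document are assumptions."""
import hashlib
import math
from collections import Counter

CHUNK = 4096            # granularity of the entropy scan (assumption)
ENC_BLOCK = 4096        # bytes encrypted per stride (assumption)
SKIP = 12288            # bytes left in the clear after each block (assumption)
KEY = bytes(range(32))  # constructed demo key, not a real one

# Constructed sample document: low-entropy office-style text, 25200 bytes.
PLAIN = b"Quarterly report: revenue flat, costs up, headcount unchanged.\n" * 400


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256-in-counter-mode keystream; a stand-in for the
    real stream cipher (the construction is an assumption for the demo)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def intermittent_xor(data: bytes, key: bytes, block: int = ENC_BLOCK, skip: int = SKIP) -> bytes:
    """Encrypt `block` bytes, leave `skip` bytes untouched, repeat to the end.
    XOR is its own inverse, so the same call with the same key decrypts."""
    out = bytearray(data)
    ks = keystream(key, len(data))
    pos = k = 0
    while pos < len(out):
        end = min(pos + block, len(out))
        for i in range(pos, end):
            out[i] ^= ks[k]
            k += 1
        pos = end + skip
    return bytes(out)


def whole_file_looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """The naive heuristic: flag a file only if its overall entropy is high."""
    return shannon_entropy(data) >= threshold


def encrypted_chunks(data: bytes, chunk: int = CHUNK, threshold: float = 7.0) -> list:
    """Indices of fixed-size chunks whose entropy looks like ciphertext."""
    n_chunks = (len(data) + chunk - 1) // chunk
    return [i for i in range(n_chunks)
            if shannon_entropy(data[i * chunk:(i + 1) * chunk]) >= threshold]


if __name__ == "__main__":
    partial = intermittent_xor(PLAIN, KEY)
    print("whole-file check on partially encrypted file:", whole_file_looks_encrypted(partial))
    print("chunks flagged by per-chunk scan:", encrypted_chunks(partial))
    print("round trip ok:", intermittent_xor(partial, KEY) == PLAIN)
```

With the sample document the whole-file entropy of the partially encrypted copy lands around 6 bits per byte, below the usual "looks encrypted" threshold, because three quarters of the bytes are still plain text; the per-chunk scan flags chunks 0 and 4, which are exactly the two 4 KB regions the encryptor touched. When scanning for intermittent encryption, pick the chunk size to match the smallest encrypted block you expect rather than the file size.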

Rorschach primarily targets small to medium-sized companies, but it spares machines in countries that belong to the CIS (Commonwealth of Independent States). The malware checks the system language to determine the country and does not encrypt if the language belongs to a CIS country such as Russia, Armenia, Kazakhstan, or Uzbekistan.

Although Rorschach shares some features with other ransomware families, it carries no branding of its own, and the overlap is not sufficient to link it to any known ransomware group.

Rorschach uses DLL sideloading to trigger its execution. DLL files are shared libraries that legitimate programs load at run time. In a sideloading attack the attacker places a malicious DLL with the expected file name where a legitimate, usually signed, executable will look for it, so the trusted program itself loads and executes the attacker's code.

Rorschach was deployed by sideloading a malicious “winutils.dll” into the Cortex XDR Dump Service Tool (cy.exe), a legitimate signed component of Palo Alto Networks' Cortex XDR. This “winutils.dll” contains the Rorschach loader and injector, which decrypt the file “config.ini” that holds the actual ransomware payload. The decrypted payload is then injected into a running notepad.exe process, and the encryption of files begins from there.

Rorschach also deletes volume shadow copies and backups, stops selected services, disables the Windows firewall, clears the Windows event logs, and deletes its own binary once encryption is complete. Moreover, if Rorschach is executed on a Domain Controller it creates a Group Policy Object in order to spread itself to all machines in the domain.
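The sideloading chain (cy.exe loading winutils.dll, then notepad.exe used as the injection host) and the destructive actions described above are all visible in endpoint telemetry. The following added example, which is not Check Point's detection logic or anything from the malware, runs a small triage over constructed Sysmon-style events: an image-load record for the sideloaded DLL, process-creation records for the notepad.exe host and its destructive children, and one benign notepad launch. The event field names, the idea that notepad.exe shows up as a child of cy.exe, and the exact command lines (the usual vssadmin, netsh, wevtutil and bcdedit invocations used to delete shadow copies, disable the firewall, clear logs and disable recovery) are assumptions, not strings quoted from the Rorschach sample.

```python
"""Triage of Sysmon-style endpoint events for the sideload -> inject ->
destroy chain described above.  Added example, not Check Point's or the
malware's code.  Event shape, field names and the command lines are
assumptions chosen to represent the actions the text describes."""
import re

# Typical command lines for the actions in the text (assumption: the usual
# ways shadow copies, the firewall, event logs and recovery are hit).
DESTRUCTIVE_CMDS = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("firewall_disabled",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b")),
    ("event_log_cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b")),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
]

# Constructed sample telemetry: the sideloaded cy.exe, the notepad injection
# host, three destructive children, and one benign notepad launch.
SAMPLE_EVENTS = [
    {"event": "image_load", "image": r"C:\Users\Public\cy.exe",
     "module": r"C:\Users\Public\winutils.dll", "signed": False},
    {"event": "process_create", "parent_image": r"C:\Users\Public\cy.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"event": "process_create", "parent_image": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "process_create", "parent_image": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall set allprofiles state off"},
    {"event": "process_create", "parent_image": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil cl Security"},
    {"event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: list) -> list:
    """Return (severity, tag, detail) findings, in event order."""
    findings = []
    for ev in events:
        if ev["event"] == "image_load":
            # Sideload candidate: the signed Cortex tool pulls in an unsigned
            # winutils.dll sitting next to it instead of a trusted library.
            if (basename(ev["image"]) == "cy.exe"
                    and basename(ev["module"]) == "winutils.dll"
                    and not ev.get("signed", False)):
                findings.append(("high", "sideload_candidate",
                                 f"{ev['image']} loaded unsigned {ev['module']}"))
        elif ev["event"] == "process_create":
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            # The loader starts notepad.exe purely as an injection target
            # (assumption: it appears as a child of cy.exe in the telemetry).
            if parent == "cy.exe" and child == "notepad.exe":
                findings.append(("high", "injection_host",
                                 f"notepad.exe spawned by {ev['parent_image']}"))
            cmd = ev.get("command_line", "").lower()
            for tag, pattern in DESTRUCTIVE_CMDS:
                if pattern.search(cmd):
                    findings.append(("high", tag, f"{parent} -> {cmd}"))
    return findings


def looks_like_rorschach_chain(findings: list) -> bool:
    """Escalate only when the sideload and at least two destructive actions
    occur together; each alone is noisy (administrators run vssadmin too)."""
    tags = {tag for _, tag, _ in findings}
    destructive = {tag for tag, _ in DESTRUCTIVE_CMDS}
    return "sideload_candidate" in tags and len(tags & destructive) >= 2


if __name__ == "__main__":
    for severity, tag, detail in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {tag}: {detail}")
    print("chain matched:", looks_like_rorschach_chain(triage(SAMPLE_EVENTS)))
```

The benign notepad launch from explorer.exe produces no finding, and the destructive commands on their own do not trigger the chain verdict; the escalation requires the unsigned winutils.dll load by cy.exe plus at least two of the clean-up actions, which is the combination this article describes.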

Rorschach can be customized at launch: the operator can set the number of encryption threads, delay activation until a chosen time, restrict encryption to specific locations, point it at custom paths for the loader or the configuration file, keep it from deleting itself after execution, and suppress the ransom note.
