Researchers at cybersecurity company have identified a new strain of ransomware, named Rorschach, that has been deployed through the DLL side-loading technique. The attack was executed using a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks. The attacker used the Cortex XDR Dump Service Tool (cy.exe) version 7.3.0.16740 to sideload the Rorschach loader and injector (winutils.dll). This resulted in the launching of the ransomware payload, “config.ini,” into a Notepad process.
The loader file of Rorschach features UPX-style anti-analysis protection. Meanwhile, the main payload is protected against reverse engineering and detection by virtualizing parts of the code using the VMProtect software. Once executed on a Windows Domain Controller, Rorschach creates a Group Policy to propagate to other hosts on the domain. After compromising a machine, the malware erases four event logs (Application, Security, System, and Windows Powershell) to wipe its trace.
The arguments
While Rorschach comes with hardcoded configuration, it also supports command-line arguments that expand its functionality. These options are hidden and cannot be accessed without reverse engineering the malware. Some of the arguments discovered by experts include:
Rorschach’s Encryption Process and Capabilities
Rorschach will start encrypting data only if the victim machine is configured with a language outside the Commonwealth of Independent States (CIS). The encryption scheme combines the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend. This means that it encrypts the files only partially, lending it increased processing speed.
Experts notes that Rorschach’s encryption routine indicates “a highly effective implementation of thread scheduling via I/O completion ports.” To determine how fast Rorschach’s encryption is, experts set up a test with 220,000 files on a 6-core CPU machine. It took Rorschach 4.5 minutes to encrypt the data, whereas LockBit v3.0, considered the fastest ransomware strain, finished in 7 minutes.
The aftermath
After locking the system, the malware drops a ransom note that is similar to the format used by the Yanlowang ransomware. A previous version of the malware used a ransom note similar to what DarkSide used. This similarity is likely what caused other researchers to mistake a different version of Rorschach with DarkSide, an operation that rebranded to BlackMatter in 2021 and disappeared the same year. BlackMatter’s members then formed the ALPHV/BlackCat ransomware operation that launched in November 2021.
The assessment
Experts assesses that Rorschach has implemented the better features from some of the leading ransomware strains leaked online (Babuk, LockBit v2.0, DarkSide). Along with the self-propagating capabilities, the malware “raises the bar for ransom attacks.”
At the moment, the operators of the Rorschach ransomware remain unknown, and there is no branding, which is rarely seen on the ransomware scene.
Recap
The discovery of Rorschach is concerning, particularly because of its self-propagating capabilities and its advanced encryption process. Organizations should take necessary precautions to protect their networks from this ransomware strain and others like it. Such precautions include implementing proper security protocols, performing regular software updates, and educating employees on cybersecurity best practices. In addition, organizations should have a solid disaster recovery plan in place, including a plan for data backup and restoration in the event of an attack.
