Security researchers are concerned about a new ransomware strain that they characterise as a hybrid of the most potent ransomwares currently in use.
Researchers from the Israeli cybersecurity company Check Point named the new ransomware "Rorschach" and claimed their incident response team came across it while looking into an attack on a U.S.-based corporation.
Rorschach is "the fastest and one of the most sophisticated ransomware we've seen so far," according to Sergey Shykevich, threat intelligence group manager at Check Point Research.
Each person who looked at it saw something slightly different, similar to the renowned psychological test, which is why the researchers termed it Rorschach.
“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has technically distinct features taken from different ransomware families – making it special and different from other ransomware families,” Shykevich stated.
The company stated in a research released on Tuesday that Rorschach looks to be unique, sharing no overlaps that might easily attribute it to any known ransomware strain and does not have the kind of branding common of most ransomware groups.
Researchers were taken aback by a number of characteristics in addition to how quickly it encrypted data on average, which was several minutes faster than other regularly used ransomware like LockBit. They tested LockBit through five different encryption performance tests in controlled settings, claiming that the ransomware was the "new speed demon in town."
Because a portion of the ransomware is autonomous, attackers can complete operations that would normally need manual labour. Due to the ransomware's high degree of adaptability, attackers can use a broad variety of methods when handling situations.
In the incident that Check Point handled, the attackers used a signed component of a commercial security product to distribute the ransomware, which is unusual for ransomware attacks.
But the responders found the attack odd. The hackers had no affiliations with any other groups and did not use aliases to conceal their identities. Automatically spreading throughout a system and erasing compromised devices' event logs were two features of the ransomware.
Similarities and distinctions
The malware was unique in several ways, but it also borrowed ideas from a number of earlier ransomware variants. The ransom note that was issued to victims mirrored those from the Yanluowang and DarkSide organisations and borrowed some of its code from the Babuk and LockBit ransomware strains' exposed source code.
In order to make recovery more challenging, the ransomware has the ability to erase backups and disable some services, such as firewalls. The fact that the ransomware not only encrypts an environment but also employs novel strategies to get beyond security measures shocked the researchers.
Additionally, the ransomware's creators made sure to include two system checks that, depending on the victim's chosen language, can block its operations. The ransomware will not function if the language is one from a member of the Commonwealth of Independent States (CIS), such as Armenia, Azerbaijan, Kazakhstan, Russia, Ukraine, Belarus, Tajikistan, Georgia, Kyrgyzstan, Turkmenistan, Uzbekistan, or Moldova.
The ransomware also uses a special encryption method that makes it more challenging to decode files by just encrypting a piece of them rather than the whole item. This helps it operate more quickly than previous malware encryption techniques.
“Our analysis of Rorschach reveals the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects,” the researchers explained. "The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations."
