A new and highly effective ransomware family, Rorschach, has been discovered by cybersecurity firm Check Point. It is highly configurable and contains unique features that set it apart from other malware families. It has been observed claiming at least one victim in the US, and its operators have no affiliation with known ransomware groups.
Rorschach’s execution relies on three files: cy.exe, winutils.dll, and config.ini. The ransomware spawns multiple processes, passing them falsified arguments, in order to stop specific processes, delete shadow volumes and backups, clear Windows event logs, and disable the Windows firewall. Additionally, if executed on a domain controller, the malware creates a group policy that allows it to spread automatically to other machines in the domain.
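As an added illustration (not part of the article or of Check Point's analysis), the following Python script shows how a defender could detect the chain of preparatory actions described above from process-creation telemetry. It assumes Sysmon Event ID 1 or Security 4688-style fields (host, timestamp, image path, command line); the sample events are constructed and use generic forms of the commands, not Rorschach's actual command lines, which the article does not give. Because the ransomware feeds its helper processes falsified arguments, each rule anchors on the executable name as well as the command line, and an alert is raised only when several distinct techniques appear on one host within a short window.

```python
"""Behaviour-based detection of ransomware preparatory actions.

Added example, not from the article or Check Point's report. Assumptions:
events are dicts with Sysmon EventID 1 / Security 4688-style fields
(host, ts, image, cmdline); all sample events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique label, regex on executable name, regex on command line).
# The executable name is checked as well as the arguments because the
# logged arguments may be falsified; the command-line regex is confirming
# evidence for the specific destructive action.
RULES = [
    ("shadow_copy_deletion", r"^vssadmin\.exe$", r"delete\s+shadows"),
    ("shadow_copy_deletion", r"^wmic\.exe$", r"shadowcopy\s+delete"),
    ("backup_catalog_deletion", r"^wbadmin\.exe$", r"delete\s+(catalog|systemstatebackup)"),
    ("event_log_clear", r"^wevtutil\.exe$", r"\b(cl|clear-log)\b"),
    ("firewall_disable", r"^netsh\.exe$", r"advfirewall\s+set\s+\S+\s+state\s+off"),
    ("process_termination", r"^taskkill\.exe$", r"/im\s+"),
]
COMPILED = [(lbl, re.compile(i, re.I), re.compile(c, re.I)) for lbl, i, c in RULES]


def classify(event):
    """Return the technique label for one event, or None if no rule matches."""
    image_name = event["image"].replace("\\", "/").rsplit("/", 1)[-1]
    for label, img_re, cmd_re in COMPILED:
        if img_re.search(image_name) and cmd_re.search(event["cmdline"]):
            return label
    return None


def correlate(events, window=timedelta(minutes=5), min_techniques=2):
    """Group rule hits per host and alert when at least `min_techniques`
    distinct techniques occur within `window`. Returns {host: [labels]}.
    A single shadow-copy deletion is routine admin work; the combination
    with log clearing, firewall changes and process kills is not."""
    hits_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            hits_by_host[ev["host"]].append((ev["ts"], label))
    alerts = {}
    for host, hits in hits_by_host.items():
        for i, (t0, _) in enumerate(hits):  # sliding window over ordered hits
            seen = {lbl for t, lbl in hits[i:] if t - t0 <= window}
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts


def _ev(host, ts, image, cmdline):
    return {"host": host, "ts": datetime.fromisoformat(ts), "image": image, "cmdline": cmdline}


# Constructed sample telemetry: one host showing the full preparatory chain,
# one host with isolated, benign-looking administrative activity.
SAMPLE_EVENTS = [
    _ev("ws-042", "2023-04-05T10:00:03", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    _ev("ws-042", "2023-04-05T10:00:04", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    _ev("ws-042", "2023-04-05T10:00:05", r"C:\Windows\System32\netsh.exe", "netsh advfirewall set allprofiles state off"),
    _ev("ws-042", "2023-04-05T10:00:06", r"C:\Windows\System32\taskkill.exe", "taskkill /f /im sqlservr.exe"),
    _ev("srv-backup", "2023-04-05T09:30:00", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /for=D: /oldest"),
    _ev("srv-backup", "2023-04-05T11:45:00", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe qe Application /c:5"),
]

if __name__ == "__main__":
    for host, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(techniques)}")
```

The correlation step is the part worth copying: individual rules here fire on ordinary backup maintenance, but requiring two or more distinct techniques on one host within five minutes keeps the alert specific to the pre-encryption sequence the article describes.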
Rorschach also includes safeguards to prevent analysis, and its operators can control the ransomware remotely. To avoid detection, the malware terminates itself if it detects languages used in the CIS countries.
The most impressive feature of Rorschach is its ‘highly effective and fast hybrid-cryptography scheme’, which makes it one of the fastest ransomware families out there. In a controlled speed test, Rorschach encrypted 220,000 files in four and a half minutes. Check Point also identified several similarities between Rorschach and other ransomware families, including Babuk, LockBit, and Yanluowang.
Cybersecurity firms warn that Rorschach is a highly effective and fast ransomware family, and urge users to stay vigilant against ransomware attacks. Companies should also consider implementing solutions such as Cortex XDR and endpoint protection to detect and prevent ransomware attacks.
Key points:
• Rorschach is a newly identified and highly effective ransomware family
• It is highly configurable, contains unique features, and is one of the fastest ransomware families out there
• Rorschach is capable of automatically spreading itself if executed on a domain controller
• It includes safeguards to prevent analysis and terminates itself if it detects languages used in the CIS countries
• Check Point identified several similarities between Rorschach and other ransomware families
• Companies should consider implementing solutions such as Cortex XDR and endpoint protection to detect and prevent ransomware attacks