Rorschach Ransomware Emerges: Experts Warn of Advanced Evasion Strategies


Cybersecurity researchers have uncovered a previously undocumented ransomware strain named Rorschach that is both sophisticated and unusually fast.

According to a recent report from Check Point Research, Rorschach stands apart from other ransomware families because of its exceptional degree of customization and technical features not seen in any other strain. The report also notes that, measured by encryption speed, Rorschach is one of the fastest ransomware families ever observed.

The cybersecurity firm said it observed the ransomware deployed against a U.S.-based company and found no overlap with any previously known ransomware family.

Closer examination of Rorschach's code shows that it borrows from Babuk (whose source code leaked in September 2021) and LockBit 2.0, while the ransom notes left for victims resemble those used by Yanluowang and DarkSide.

What makes the intrusion especially noteworthy is its use of DLL side-loading, a technique rarely seen in ransomware attacks. It indicates that financially motivated threat actors are adopting more advanced methods to evade detection.

The ransomware is reported to have been executed by abusing Palo Alto Networks' Cortex XDR Dump Service Tool (cy.exe) to load a malicious library named winutils.dll.

Other distinguishing features are its extensive configurability and its use of direct system calls to manipulate files and bypass security controls.

Rorschach is also tasked with terminating specific services, deleting shadow volumes and backups, clearing Windows event logs to erase forensic traces, disabling the Windows firewall, and finally deleting itself once its work is done.

To propagate, the attackers gain access to a domain controller and create a group policy that pushes the ransomware to other machines in the domain. Both Check Point and South Korean cybersecurity firm AhnLab had erroneously attributed this method to DarkSide in February.

Like other malware seen in the wild, the ransomware spares machines in Commonwealth of Independent States (CIS) countries by checking the system language.

Researchers Jiri Vinopal, Dennis Yarizadeh, and Gil Gekker note that Rorschach's encryption combines the curve25519 key-exchange algorithm with the eSTREAM stream cipher HC-128 in a fast and efficient hybrid-cryptography scheme.

The scheme speeds things up further by encrypting only a portion of each file rather than its entire content (intermittent encryption) and by relying on compiler optimizations.
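How a hybrid scheme of this kind fits together, as an added example that is not from the Check Point report or the malware itself: an X25519 key agreement (RFC 7748, implemented here in pure Python) derives a per-file key from an ephemeral key pair and the operator's public key, a fast stream cipher encrypts only the first CHUNK bytes of every STRIDE-byte window, and the ephemeral public key is appended so that only the holder of the matching private key can reconstruct the key. HC-128 is not in the Python standard library, so a keyed-BLAKE2b counter keystream stands in for it; the window sizes and the 48-byte footer layout are assumptions for the example.

```python
"""Hybrid, intermittent file encryption of the kind described above.
Added illustration, not Rorschach's code: X25519 (RFC 7748) is implemented
here in pure Python; the symmetric stream cipher is a keyed-BLAKE2b counter
keystream standing in for HC-128, which the standard library lacks.
CHUNK/STRIDE and the 48-byte footer layout are assumptions for the example."""
import hashlib
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
CHUNK, STRIDE = 64, 256   # encrypt the first CHUNK bytes of every STRIDE bytes


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time in Python)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _keystream(key: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Counter-mode PRF keystream, distinct per file offset (stand-in for HC-128)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        blk = nonce + offset.to_bytes(8, "little") + ctr.to_bytes(8, "little")
        out += hashlib.blake2b(blk, key=key, digest_size=64).digest()
        ctr += 1
    return bytes(out[:length])


def _apply(buf: bytearray, key: bytes, nonce: bytes) -> None:
    """XOR keystream over the first CHUNK bytes of every STRIDE-byte window only."""
    for off in range(0, len(buf), STRIDE):
        seg = buf[off:off + CHUNK]
        ks = _keystream(key, nonce, off, len(seg))
        buf[off:off + CHUNK] = bytes(p ^ k for p, k in zip(seg, ks))


def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Ephemeral X25519 + SHA-256 KDF -> per-file key; footer = eph_pub || nonce."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    nonce = os.urandom(16)
    buf = bytearray(plaintext)
    _apply(buf, key, nonce)
    return bytes(buf) + eph_pub + nonce   # eph_priv is discarded; only operator_priv recovers key


def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    body, eph_pub, nonce = blob[:-48], blob[-48:-16], blob[-16:]
    key = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    buf = bytearray(body)
    _apply(buf, key, nonce)
    return bytes(buf)


if __name__ == "__main__":
    priv = os.urandom(32)                  # the operator's long-term key pair
    pub = x25519(priv, BASEPOINT)
    data = bytes(range(256)) * 4
    blob = encrypt_file(data, pub)
    print("bytes changed:", sum(a != b for a, b in zip(blob, data)), "of", len(data))
    print("recovered:", decrypt_file(blob, priv) == data)
```

Because the per-file key is rebuilt from the footer with the operator's private key, recovering a file without that key reduces to breaking X25519. The untouched gaps between windows are what make intermittent encryption fast, and they are also why partial data recovery from such files is sometimes possible.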

Check Point ran five tests in a controlled environment, each encrypting 220,000 files. Rorschach finished in an average of four minutes and 30 seconds, whereas LockBit 3.0 needed roughly seven minutes for the same workload.

According to the researchers, the developers have built in new anti-analysis and defense-evasion features, both to harden the malware against security software and to make it harder for researchers to analyze and mitigate.

Rorschach also appears to combine some of the most effective components of several leaked ransomware families, and together with its ability to spread autonomously, this raises the bar for ransomware attacks.

Separately, Fortinet FortiGuard Labs has disclosed two new ransomware families, PayMe100USD and Dark Power: the former is a file-locking malware written in Python, the latter is written in Nim.

Attacks involving Rorschach, also tracked as BabLock, have been observed in several countries across Asia, Europe, and the Middle East.

Singapore-based Group-IB reports detecting Rorschach attacks against industrial firms as well as small and medium-sized businesses in Europe, Asia, and the Middle East.

The company named the ransomware BabLock because of its source-code resemblance to Babuk and LockBit. It has been active since June 2022 and can also target ESXi and Linux systems.

Researchers Andrey Zhdanov and Vladislav Azersky of Group-IB say the group keeps a low profile and avoids attention by operating quietly, demanding moderate ransoms of $50,000 to $1 million, and running no data leak site.

In one attack on an unnamed European company, the attackers gained initial access by exploiting CVE-2022-41352 (CVSS score: 9.8), a remote code execution vulnerability in the Zimbra Collaboration platform.

The attacker did not steal any data before encrypting it, but instead warned the victims to pay or risk being attacked again and losing all the data on their network.

According to Group-IB, the ransomware also comes in two non-Windows versions: the Linux version is a 32-bit executable written in Go 1.18.3, while the ESXi variant is a 64-bit Linux ELF binary compiled with GCC. Both derive from the leaked Babuk source code.

The researchers note that it would have been simpler for the threat actors to reuse a less complex, Babuk-based encryptor for Windows systems as well. Instead, they built their own advanced program, which differs greatly from other known families.

Palo Alto Networks said in an advisory dated April 4 that it is aware of attacks that use its Cortex XDR Dump Service Tool to load the Rorschach payload, and that macOS and Linux platforms are not affected. A fix is expected to be released in the coming week.

The company said that cydump.exe, the Dump Service Tool that ships with the Cortex XDR agent on Windows, can be made to load untrusted dynamic link libraries (DLLs) via DLL side-loading when the executable is copied out of its installation directory.

It also noted that when the Cortex XDR agent is installed on Windows and the Dump Service Tool process runs from its installation directory, a DLL cannot be side-loaded with this technique, and that the agent detects Rorschach ransomware, which relies on the same tool and technique. Systems without suitable endpoint protection remain exposed to this evasion tactic.
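Detection logic for the two behaviours described on this page, the Dump Service Tool running or loading winutils.dll from outside the Cortex XDR install directory (the side-loading just discussed) and the pre-encryption clean-up actions listed earlier (service termination, shadow copy and backup deletion, event log clearing, firewall disablement), as an added example that is not Check Point's or Palo Alto Networks' code. It runs over constructed Sysmon-style JSON lines (EventID 1 = process creation, EventID 7 = image load); the install path and the command-line patterns are assumptions, since the reporting does not publish Rorschach's exact command lines.

```python
"""Detection logic for the behaviours described above: the Dump Service Tool
(cy.exe / cydump.exe) running or loading winutils.dll from outside the Cortex
XDR install directory, and the pre-encryption clean-up commands (shadow copy
deletion, event log clearing, firewall disablement, service termination).
Added example, not Check Point's or Palo Alto Networks' code. Events are
constructed Sysmon-style JSON lines (EventID 1 = process create, 7 = image
load); the install path and the command patterns are assumptions."""
import json
import ntpath
import re

# Assumed default Cortex XDR agent directory; adjust to your deployment.
CORTEX_DIR = r"C:\Program Files\Palo Alto Networks\Traps"
DUMP_TOOL_NAMES = {"cy.exe", "cydump.exe"}   # both names appear in the reporting
SIDELOADED_DLL = "winutils.dll"

# Assumed typical command lines for the listed actions (not Rorschach's exact ones).
DESTRUCTIVE = [
    ("shadow copy deletion", re.compile(r"\b(vssadmin|wmic)(\.exe)?\s+(delete\s+shadows|shadowcopy\s+delete)", re.I)),
    ("event log clearing", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("firewall disabled", re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("service termination", re.compile(r"\b(net|sc)(\.exe)?\s+stop\b|\btaskkill(\.exe)?\s", re.I)),
]


def _outside_install_dir(path: str) -> bool:
    return ntpath.dirname(path).rstrip("\\").lower() != CORTEX_DIR.lower()


def check_event(ev: dict):
    """Return (rule, detail) for a suspicious event, else None."""
    host = ntpath.basename(ev.get("Image", "")).lower()
    if ev.get("EventID") == 1:
        if host in DUMP_TOOL_NAMES and _outside_install_dir(ev["Image"]):
            return ("dump tool executed outside install dir", ev["Image"])
        for rule, pat in DESTRUCTIVE:
            if pat.search(ev.get("CommandLine", "")):
                return (rule, ev["CommandLine"])
    elif ev.get("EventID") == 7:
        loaded = ev.get("ImageLoaded", "")
        if (host in DUMP_TOOL_NAMES
                and ntpath.basename(loaded).lower() == SIDELOADED_DLL
                and _outside_install_dir(loaded)):
            return ("DLL side-loaded into dump tool", loaded)
    return None


def scan(jsonl: str):
    """Parse JSON-lines telemetry and return [(UtcTime, rule, detail), ...]."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        hit = check_event(ev)
        if hit:
            hits.append((ev["UtcTime"],) + hit)
    return hits


# Constructed sample telemetry (not real logs); the legitimate run from the
# install directory and the kernel32.dll load must not alert.
SAMPLE = r"""
{"EventID": 1, "UtcTime": "2023-04-04 10:00:01", "Image": "C:\\Program Files\\Palo Alto Networks\\Traps\\cydump.exe", "CommandLine": "cydump.exe"}
{"EventID": 1, "UtcTime": "2023-04-04 10:05:12", "Image": "C:\\Users\\Public\\cy.exe", "CommandLine": "cy.exe"}
{"EventID": 7, "UtcTime": "2023-04-04 10:05:13", "Image": "C:\\Users\\Public\\cy.exe", "ImageLoaded": "C:\\Users\\Public\\winutils.dll"}
{"EventID": 7, "UtcTime": "2023-04-04 10:05:13", "Image": "C:\\Users\\Public\\cy.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "UtcTime": "2023-04-04 10:05:20", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 1, "UtcTime": "2023-04-04 10:05:21", "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"}
{"EventID": 1, "UtcTime": "2023-04-04 10:05:22", "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall set allprofiles state off"}
{"EventID": 1, "UtcTime": "2023-04-04 10:05:23", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net stop SQLWriter"}
{"EventID": 1, "UtcTime": "2023-04-04 10:06:00", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
"""

if __name__ == "__main__":
    for when, rule, detail in scan(SAMPLE):
        print(f"{when}  {rule}: {detail}")
```

The path check is the part that matters for the side-loading case: the tool itself is legitimate and signed, so the signal is not the binary but where it runs from and what it loads next to itself. The clean-up commands are noisy on their own (administrators run them too), so treat them as a sequence scored together with the side-load alert rather than as individual alerts.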
