Rawf8 - stock.adobe.com

Quick-acting Rorschach ransomware appears out of nowhere

Emergent Rorschach ransomware strain is highly advanced and quite unusual in its capabilities, warn researchers, who say they have been unable to link it to any other known strains

A newly detected ransomware dubbed Rorschach – so named because everybody who examined it “saw something different” – is being flagged by researchers at Check Point as an emergent and highly dangerous threat to organisations.

The research team, which first spotted it while responding to an incident at a US-based customer, said Rorschach “appears to be unique”, sharing characteristics of many other types of ransomware, including Babuk, DarkSide, LockBit and Yanluowang, but no overlaps that can link it with any degree of confidence to any other ransomware strain.

Nor is it branded, which is in and of itself quite unusual for ransomware operators, who tend not to be publicity-shy.

“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high levels of technically distinct features taken from different ransomware families – making it special and different from other ransomware families,” said Sergey Shykevich, threat intelligence group manager at Check Point.

“This is the fastest and one of the most sophisticated ransomware we’ve seen so far. It speaks to the rapidly changing nature of cyber attacks and to the need for companies to deploy a prevention-first solution that can stop Rorschach from encrypting their data.”

Among other things, the locker malware itself is highly advanced and partly autonomous, being able to carry out tasks – such as creating a domain group policy (GPO) – that are more usually done manually, on its own. It is highly customisable and contains some technically distinct features, such as the use of direct syscalls as an obfuscation technique, which are rarely observed.

Rorschach is also extremely fast-acting. In a controlled head-to-head test against LockBit 3.0 – also known as a speed demon – it took just four minutes and 30 seconds to fully encrypt 220,000 files. LockBit 3.0 took seven minutes.

DLL-side loading exploited legitimate security product

In the incident reported by Check Point, Rorschach was deployed by exploiting an issue in Palo Alto Networks’ Cortex XDR (extended detection and response) product.

The success of this technique depends on the Cortex XDR Dump Service Tool having been removed from its installation directory, in which case it can be used to load untrusted dynamic link libraries (DLLs). This is known as DLL side-loading.

Jon Miller, CEO and co-founder of anti-ransomware platform Halcyon, said: “It is... interesting to learn that the DLL side-loading delivery is abusing the Cortex XDR Dump Service Tool because this is a legitimate, digitally signed security product. This technique leverages vulnerable software to load malicious DLLs that provide persistence and evasion capabilities.

“DLL-sideloading is not new, but it is somewhat rare. It was similarly deployed by the threat actors REvil in the infamous 2021 Kaseya ransomware attack…. Downstream victims were compromised by a legitimate software update from a known vendor that was signed with a valid digital certificate.

“All the security hygiene in the world is not going to prevent a legitimate application from executing the malicious payload in this kind of attack. Thus, operational resilience is key,” he added.

Miller said detecting DLL side-loading attacks could be tricky, but defenders can get out in front of them by looking for any unsigned DLLs in executable files, or suspicious loading paths and timestamps showing gaps between the compilation time for the executable and DLL loading time. A significant difference here could indicate a malicious payload is in play. 

Palo Alto said that when the Cortex XDR agent is installed on Windows and the Dump Service Tool is running from the correct installation path, the technique cannot be used because the Cortex XDR agent’s security permissions and protections stop it in its tracks.

Cortex XDR Agent 7.7 and later versions with CU-240, which was released over two years ago, can detect and block Rorschach without issue.

“This issue does not represent a product vulnerability risk to customers using Cortex XDR agent,” said Palo Alto in an update.

However, Palo Alto said it plans to release new versions of Cortex XDR agent to prevent future possible misuse, and a new content update will be released later this month to detect and prevent the specific DLL side-loading technique used by Rorschach.

Read more about ransomware

Read more on Hackers and cybercrime prevention

Data Center
Data Management