Rorschach Ransomware

Chris Swagler | June 27th, 2023

 

Rorschach ransomware is one of the most recent ransomware variants and has officially dethroned LockBit 3.0 ransomware as the “encryption speed king.” In the ransomware world, there has always been competition, with threat operators seeking to enhance campaign execution speed and companies constantly innovating to stay ahead of the attacks. Speed is so important that ransomware-as-a-service (RaaS) platforms offer it to prospective ransomware affiliates. To demonstrate its advantage, LockBit, one of the most successful ransomware groups, has publicly compared its encryption speed with that of its competitors. On all sides of the ransomware conflict, speed is crucial. The Rorschach variant, which is a modified strain of the Babuk ransomware code, was discovered in April 2023. Rorschach ransomware brings speed to the forefront, necessitating a closer examination of how ransomware developers increase speed across numerous aspects of their victims’ environments.

Details on the Rorschach Ransomware

The ability to spread malware as far and as quickly as feasible is a crucial speed component. Ransomware groups have used various techniques to spread their malware quickly, including supply chain attacks and the use of existing IT and security tools. Rorschach ransomware, on the other hand, has created and demonstrated an intriguing self-propagating and autonomous capability that uses Active Directory (AD) Domain Group Policy Objects (GPOs). It allows the malware to spread quickly throughout the network and execute the ransomware on every device. With these advances in self-propagation, the Rorschach variant has pushed the needle further than ever before. To counter the innovation, companies need to implement tools that combat self-propagation, including active defense technology that identifies threat operators and deals with ransomware in real time.

Rorschach’s developers deliberately chose HC-128, a stream cipher that encrypts large streams of file data with outstanding performance, for Windows endpoints. For key exchange, Rorschach ransomware uses an asymmetric scheme based on Curve25519, which is efficient in both computing performance and memory consumption while maintaining good security. Rorschach, like many other ransomware strains, including LockBit and Babuk, encrypts only sections of a file rather than the entire file’s contents. The tactic is called intermittent encryption, and it has gained popularity in recent years due to its efficiency and speed. Encrypting only a portion of a file significantly reduces the time necessary to finish the data encryption.
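Intermittent encryption matters to defenders because a file that is only partly encrypted keeps a moderate whole-file entropy, so a naive “high entropy means encrypted” check can miss it. The following is an added illustration, not code from the article or from the Rorschach sample: it compares a whole-file entropy check with a per-window check on a constructed text file, and the stripe sizes, thresholds and sample content are all assumptions for the demo rather than Rorschach’s real parameters.

```python
import math
from collections import Counter
from random import Random


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data, window=1024):
    """Entropy of each fixed-size window of the file, in file order."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(data, window=1024, high=7.5, low=6.0):
    """Label a file as 'plain', 'encrypted' or 'partial'.

    A whole-file entropy check only catches 'encrypted'. Intermittent
    encryption leaves most windows as readable plaintext, so the file as a
    whole stays below the high threshold; checking per window exposes the
    mix of random-looking and plaintext regions instead."""
    if shannon_entropy(data) >= high:
        return "encrypted"
    ents = chunk_entropies(data, window)
    if any(e >= high for e in ents) and any(e <= low for e in ents):
        return "partial"
    return "plain"


def simulate_partial_encrypt(plain, block=4096, head=1024, seed=1):
    """Constructed stand-in for intermittent encryption: overwrite the first
    `head` bytes of every `block`-byte stripe with pseudo-random bytes. The
    stripe layout is an assumption for this demo, not Rorschach's real one."""
    rng = Random(seed)
    out = bytearray(plain)
    for start in range(0, len(out), block):
        end = min(start + head, len(out))
        out[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(out)


# Constructed sample: a 32 KiB log-like text file and two encrypted variants.
LINE = b"2023-06-27 INFO order=4711 status=shipped customer=acme-corp\n"
PLAIN = (LINE * (32768 // len(LINE) + 1))[:32768]
PARTIAL = simulate_partial_encrypt(PLAIN)
FULL = simulate_partial_encrypt(PLAIN, block=len(PLAIN), head=len(PLAIN))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("partial", PARTIAL), ("full", FULL)):
        print(name, round(shannon_entropy(blob), 2), classify(blob))
```

The partially encrypted sample stays well under the whole-file threshold, so only the per-window pass flags it; the fully encrypted sample is caught by either check.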

Ransomware operators give security tools less opportunity to identify them by shortening the encryption phase of the attack. Data encryption is the most obvious aspect of an attack, and threat operators are shrinking that window to improve their odds against defenses. While the data encryption speed ranking across ransomware groups is interesting, it’s vital to note that almost all modern ransomware variants already achieve incredibly fast data encryption. Unfortunately, they’re all far faster than most security teams or tools are equipped to deal with. Even though Rorschach ransomware outperforms competitors in some areas, it doesn’t appear to exfiltrate data for double extortion. In comparison, some ransomware groups, including LockBit, first exfiltrate companies’ data. Even though data encryption is the obvious component of a ransomware attack, data exfiltration is the unseen battle against defenses. Before initiating data encryption, ransomware perpetrators often exfiltrate massive amounts of data for double extortion.

One of Rorschach’s most inventive tactics is its ability to remain undetected by utilizing deception technology, a double-edged sword that can be used by both threat operators and defenders. Rorschach’s extensive security evasion skills use deception tactics and concepts for malicious objectives, including obfuscation techniques, valid domain user and service accounts, and argument spoofing techniques to conceal the ransomware’s true capabilities. This kind of defense evasion is new to ransomware threats; however, it’s not new in the cybersecurity world. Defenders require technologies that can identify and respond in real time to unique and autonomous ransomware capabilities in order to defeat Rorschach’s techniques for self-propagation using AD GPOs and high-speed campaigns. Rorschach ransomware used innovations from previously successful ransomware groups, including LockBit, Babuk, and REvil, and capitalized on their success by introducing lightning-fast advancements. The Rorschach ransomware variant emphasizes the significance of continual defender innovation and the need to counter threat operators’ movements in real time.

With the latest ransomware variant, the Rorschach ransomware, increasing cyberattack execution speed on data encryption, it’s important for companies to always remain vigilant of the latest threat landscape and regularly update their data network security infrastructure. At SpearTip, our technical tabletop exercises are designed to review current IR policies and procedures by engaging your team in specific scenarios that test their analytical and remediation capabilities in the event of an incident. Our cybersecurity awareness training is designed to educate individuals and companies about best cybersecurity practices and to provide the knowledge and skills necessary to protect their systems and data from cyber threats. By providing cybersecurity awareness training, companies and their employees can better understand the risks of the cyber landscape and develop impactful cybersecurity practices that can reduce the likelihood of cyberattacks. Cybersecurity awareness training is an essential component of any comprehensive strategy to protect sensitive information, such as personal data, financial information, or intellectual property, and to prevent data breaches, system downtime, and other negative consequences that can result from cyberattacks. Our ShadowSpear Platform, an integrable managed detection and response tool, uses detection engines powered by artificial intelligence (AI) and attack tactics, techniques, and procedures (TTP) models to detect malicious activity on day one.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
