Rorschach test.
Apr 5, 2023

New ransomware uses an extremely fast encryption routine.

Check Point is tracking a new strain of ransomware called “Rorschach,” which “is one of the fastest ransomware observed, by the speed of encryption.”

Ransomware uses DLL sideloading.

The researchers note that “the ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method which is not commonly used to load ransomware.” Check Point notified Palo Alto Networks, and Palo Alto stated, “Palo Alto Networks has verified that Cortex XDR 7.7, and newer versions, with content update version 240 (released November, 2021), and later content updates, detect and block the ransomware. A new content update will be released next week to detect and prevent the usage of this DLL side-loading technique.”

Industry comment on Rorschach.

Jon Miller, CEO and co-founder of Halcyon, offered the following observations on the ransomware:

"While the Rorschach ransomware's fast encryption speed is incredibly interesting and garnering lots of attention, it's not the most interesting feature evaluated in the analysis. What stands out even more is that Rorschach displays advanced security evasion capabilities to make payload delivery undetectable, which is far more concerning than the fast encryption speed. 

"With fast encryption, once the ransomware payload is delivered and the operation is exposed, responders have less time to intervene. RaaS providers tout their encryption speed to attract affiliate attackers, and it definitely makes this ransomware strain one to watch. However, it is more interesting to learn that the DLL side-loading delivery abusing the Cortex XDR Dump Service Tool because this is a legitimate, digitally signed security product. This technique leverages vulnerable software to load malicious DLLs that provides persistence and evasion capabilities. 

"DLL-sideloading is not new, but it is somewhat rare. It was similarly deployed by the threat actors REvil in the infamous 2021 Kaseya ransomware attack, targeting a managed service provider to deploy a ransomware payload in a supply chain attack. As we saw in the case of Kaseya, downstream victims were compromised by a legitimate software update from a known vendor that was signed with a valid digital certificate. 

"All the security hygiene in the world is not going to prevent a legitimate application from executing the malicious payload in this kind of attack. Thus, operational resilience is key.  

"Detecting DLL side-loading attacks is tricky, but SOC analysts can look for any unsigned DLLs within executable files, or for any suspicious loading paths and timestamps that show gaps between the compilation time for the executable and DLL loading time. Every executable has a timestamp for when it was compiled. If that timestamp is significantly different than the loaded DLLs, this could indicate a malicious payload."