Rorschach: Unique & Highly Effective New Ransomware
April 5th, 2023
A new ransomware strain named “Rorschach” has been identified by cybersecurity researchers. Rorschach stands out for its fast file-encryption routine, which makes it one of the fastest ransomware families observed to date. It can also spread automatically across a network, so a single infected host can cause widespread damage. Unlike most ransomware strains, Rorschach has not been linked to any known malware group, which suggests it may be the work of a new, independent actor.
Upon execution, Rorschach takes several actions to maximize its impact, including stopping processes, deleting backups, clearing event logs, and disabling the Windows firewall. One of its most notable features is its “highly effective and fast hybrid-cryptography scheme,” which allows it to encrypt files quickly. Rorschach has claimed at least one victim in the US, highlighting the urgent need for proactive protection measures.
Many cyber insurance carriers strongly recommend and even mandate Acreto for high-risk customers. Acreto provisions in minutes and deploys in a few hours.
The Acreto platform addresses the Rorschach and other ransomware challenges by:
- Eliminating the Internet-facing attack surface
- Eliminating the internal attack surface through segmentation
- Enforcing file controls that block the download of file types commonly used by malware, such as .exe, .dll, .msi and .scr
- Implementing inline SSL/TLS decryption
- Implementing inline threat detection and mitigation for all communications
Technical Data:
Rorschach is delivered as three files: cy.exe, winutils.dll, and config.ini. cy.exe is the Cortex XDR Dump Service Tool, a legitimate Palo Alto Networks component. When it is executed, it side-loads winutils.dll from the same directory; that DLL acts as the loader and injector. winutils.dll then loads config.ini, which contains the Rorschach ransomware itself, into memory and injects it into notepad.exe. Because the executable is a genuine vendor binary, the tell-tale sign is not the file name but where it runs from and what it loads: a copy of cy.exe in a user-writable directory picking up a winutils.dll that does not belong to the vendor install.
Once Rorschach is running inside notepad.exe, it spawns multiple processes and supplies falsified arguments to them, so the command lines recorded by process-creation logging are not the ones actually executed. These child processes terminate specific processes, delete shadow volumes and backups, clear Windows event logs, and disable the Windows firewall, all to maximize impact and make recovery of encrypted files harder. The practical consequence for defenders is that detection keyed on logged command-line content is unreliable here; the parent/child relationships (notepad.exe launching recovery and logging utilities) and the side-loading image load are the stable signals.
About Acreto
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.