Researchers warn of a new strain of ransomware dubbed Rorschach that doesn't appear to be related to previously known threats and uses several unique features in its implementation, including one of the fastest file encryption routines observed so far.
“A behavioral analysis of the new ransomware suggests it is partly autonomous, spreading itself automatically when executed on a domain controller (DC) while it clears the event logs of the affected machines,” researchers from security firm Check Point said in a new report. “In addition, it’s extremely flexible, operating not only based on a built-in configuration but also on numerous optional arguments which allow it to change its behavior according to the operator’s needs.”
The Check Point researchers came across the ransomware strain while responding to a security incident at a US-based company. Later they realised that researchers from South Korean security firm AhnLab had previously documented a variant in February, but attributed it to the known DarkSide ransomware operation. Check Point believes this is incorrect and the confusion might be because there were similarities in the ransom notes dropped by the two threats, but not in every case. In other incidents, Rorschach dropped a ransom note similar to one used by another ransomware program, Yanluowang.
The variety in behavior exhibited by this ransomware program, which seems to have borrowed techniques and code from various other ransomware threats, led to the Check Point researchers naming it Rorschach after the popular psychological test where subjects can have different perceptions of the same inkblots shown to them.
Rorschach features DLL side-loading
In the incident investigated by Check Point, Rorschach was executed by exploiting a DLL side-loading vulnerability in a component of the Palo Alto Network’s Cortex XDR, a commercial security product. Specifically, the attackers dropped a copy of the Cortex XDR Dump Service Tool version 126.96.36.19940 together with a file named winutils.dll that serves as a loader for the ransomware.
DLL side-loading is a technique in which attackers plant a malicious DLL library with a particular name that they know a legitimate application will attempt to load into memory on execution. This technique is increasingly used to evade behavioral detection by deploying a legitimate file along with the malicious DLL on compromised systems instead of attacking an already installed application.
Most security programs monitor for file execution events, but if the executed file is a known and trusted application, they might skip inspecting the subsequent DLL loading events. In this case, the Cortex XDR Dump Service Tool was digitally signed and loaded the winutils.dll file, which in turn loaded the contents of a file called config.ini into memory, decrypted them, and injected them into the memory of the legitimate notepad.exe process. The config.ini file contains the Rorschach ransomware.
Once running, the ransomware code attempts to stop a predefined list of services using the net.exe stop command; to delete volume shadow copies and other backups by using vssadmin.exe, bcdedit.exe, wmic.exe and wbadmin.exe; to clear several Windows event logs related to applications, security, system and PowerShell by using the wevutil.exe tool; and to disable the Windows firewall using netsh.exe.
Self-distribution and self-protection
As with other modern ransomware threats, the payload is meant to be executed on the domain controller after attackers already gain access to it using other methods and lateral movement techniques. Domain controllers are targeted because attackers can use their privileged roles on networks to push the ransomware program to all domain-joined systems, ensuring maximum impact and disruption.
In other ransomware attacks, for example, those using LockBit 2.0, attackers achieve this distribution by manually creating group policies on the domain controller that are then executed by workstations on the network. Rorschach uses the same technique but creates the group policies automatically.
First, it copies its own files into the scripts folder of the domain controller, then it creates a group policy that copies those files into the %Public% folder of all workstations. A second policy is created that will kill a predefined list of processes on those systems via a scheduled task that calls taskkill.exe and yet another group policy creates a scheduled task that executes the Rorschach with specific arguments every time a user logs in.
The ransomware program uses several techniques aimed at preventing its code from being analysed and detected. The winutils.dll uses non-standard UPX packing that requires manual unpacking to analyse and can't be done with automated tools that security solutions usually include. Then when the ransomware payload is injected into notepad.exe it's protected by VMProtect, which means the code is virtualised and lacks an IAT table, which makes automated in-memory analysis harder.
During operation, instead of leveraging direct Windows API calls that might be monitored, the Rorschach ransomware relies on syscalls. This technique, which is clearly designed to evade detection, is not new but is not commonly seen in ransomware programs.
The ransomware code separately performs a system language check and if it matches languages used in Commonwealth of Independent States (CIS) countries, it stops execution. This is typical of malware created by developers from former Soviet Union countries who don't want their malicious programs to hit organisations too close to home in the hope this will keep local law enforcement off their tail.
Very fast file encryption with unusual cipher
Many ransomware programs rely on the AES stream cipher for file encryption and RSA public-key cryptography to encrypt the AES file encryption keys in a way where only attackers can decrypt them and provide them to victims. This is a tried and tested implementation but is not necessarily the fastest option.
However, according to the Check Point researchers, Rorschach uses a hybrid cryptography scheme that combines the elliptic curve cryptography using curve25519 with a stream cipher called HC-128 that's part of the eSTREAM portfolio, along with more widely used ciphers such as ChaCha20 and Salsa20.
“This process only encrypts a specific portion of the original file content instead of the entire file,” the Check Point researchers said. “The WinAPI CryptGenRandom is utilised to generate cryptographically random bytes used as a per-victim private key. The shared secret is calculated through curve25519, using both the generated private key and a hardcoded public key. Finally, the computed SHA512 hash of the shared secret is used to construct the KEY and IV for the eSTREAM cipher hc-128.”
The ransomware also uses compiler optimisations and makes efficient use of thread scheduling via I/O completion ports resulting in highly fast encryption. In Check Point's tests on a system with 6 CPUs, 8GB RAM, and an SSD with 220.000 files, the Rorschach completed its file encryption routine in 4 minutes and 30 seconds compared to seven minutes for LockBit v3 – one of the ransomware programs with the fastest file encryption routine.
The researchers found similarities between the Rorschach file encryption routine and that used by a ransomware program called Babuk whose source code was leaked online. However, Babuk uses curve25519 combined with HC-256 instead of HC-128. There are additional similarities to Babuk in other parts of the ransomware, suggesting its authors copied some of the leaked code, but also drew some inspiration from LockBit v2.0.
“Rorschach appears to have taken some of the ‘best’ features from some of the leading ransomwares leaked online, and integrated them all together,” the researchers said. “In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks. The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations.”