New "Rorschach" Ransomware Spread Via Commercial Product


Threat actors have deployed a new, unique ransomware strain by abusing the Palo Alto Networks Cortex XDR Dump Service Tool, a signed component of a commercial security product, to side-load the malicious payload.

Dubbed Rorschach, the malware was discovered by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) and discussed in an advisory published earlier today.

“Unlike other ransomware cases, the threat actor did not hide behind any alias and appears to have no affiliation to any of the known ransomware groups,” wrote CPR’s Jiri Vinopal, Dennis Yarizadeh and Gil Gekker.

“Those two facts, rarities in the ransomware ecosystem, piqued CPR’s interest and prompted us to thoroughly analyze the newly discovered malware.”

The ransomware is partly autonomous: when executed on a Domain Controller (DC) it spreads itself to other domain-joined machines. It was also observed clearing the Windows event logs of infected devices, removing evidence defenders would otherwise rely on.
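The event-log clearing behaviour is something a SOC can alert on regardless of which ransomware family does it. The following is an added detection example, not code from the article or from Check Point. It assumes event records have already been parsed from EVTX or a SIEM into simple objects; the sample records below are constructed for this example and are not real telemetry.

```python
"""Flag Windows event-log clearing, the anti-forensic step the article says Rorschach performs.

Windows itself writes a record whenever a log is cleared:
  - Security channel, Event ID 1102 ("The audit log was cleared")
  - System channel,   Event ID 104  ("The <name> log file was cleared")
Both come from the Microsoft-Windows-Eventlog provider. A single clear by an admin is
noteworthy; several clears on one host in a short window looks like ransomware cleanup.
"""
from dataclasses import dataclass

LOG_CLEARED = {("Security", 1102), ("System", 104)}
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"


@dataclass(frozen=True)
class Event:
    # Field names mirror the EVTX layout (Computer, Channel, EventID, Provider, SubjectUserName)
    computer: str
    channel: str
    event_id: int
    provider: str
    subject_user: str
    timestamp: str  # ISO 8601 UTC so string comparison orders correctly


def is_log_cleared(ev: Event) -> bool:
    """True only for the genuine 'log cleared' records, not any other event that reuses the ID."""
    return (ev.channel, ev.event_id) in LOG_CLEARED and ev.provider == EVENTLOG_PROVIDER


def find_log_clearing(events, burst_threshold: int = 2):
    """Return one alert per host that cleared a log.

    Hosts with burst_threshold or more clears are rated 'high': ransomware wipes every
    log it can reach, whereas an administrator usually clears one.
    """
    per_host = {}
    for ev in events:
        if is_log_cleared(ev):
            per_host.setdefault(ev.computer, []).append(ev)

    alerts = []
    for host, evs in per_host.items():
        alerts.append({
            "computer": host,
            "count": len(evs),
            "severity": "high" if len(evs) >= burst_threshold else "medium",
            "users": sorted({e.subject_user for e in evs}),
            "channels": sorted({e.channel for e in evs}),
            "first_seen": min(e.timestamp for e in evs),
        })
    return sorted(alerts, key=lambda a: a["computer"])


# Constructed sample: a domain controller whose Security and System logs are wiped seconds
# apart by an unexpected account, a workstation with a single admin clear, and benign noise.
SAMPLE_EVENTS = [
    Event("DC01", "Security", 4624, "Microsoft-Windows-Security-Auditing", "svc_backup", "2023-04-04T09:58:10Z"),
    Event("DC01", "Security", 1102, EVENTLOG_PROVIDER, "svc_backup", "2023-04-04T10:02:31Z"),
    Event("DC01", "System", 104, EVENTLOG_PROVIDER, "svc_backup", "2023-04-04T10:02:33Z"),
    Event("WS07", "System", 104, EVENTLOG_PROVIDER, "helpdesk-admin", "2023-04-04T11:15:00Z"),
    # Same numeric ID in a different channel/provider: must NOT be treated as a log clear.
    Event("WS07", "Application", 1102, "ContosoApp", "alice", "2023-04-04T11:16:00Z"),
]

if __name__ == "__main__":
    for alert in find_log_clearing(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same logic runs over a SIEM query for Event IDs 1102 and 104; the provider check matters because other products reuse those numbers in their own channels. Because the malware is described as clearing logs after it runs, the 1102/104 records may themselves be the last thing the host forwards, so the alert should fire on the forwarded copy, not on anything still resident on the endpoint.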

“In addition, it’s extremely flexible, operating not only based on a built-in configuration but also on numerous optional arguments which allow it to change its behavior according to the operator’s needs,” the CPR team wrote in the advisory.

“While it seems to have taken inspiration from some of the most infamous ransomware families, it also contains unique functionalities, rarely seen among ransomware, such as the use of direct syscalls.”

One of the similarities with existing ransomware families is the formatting of the ransom note, which resembles one from the Yanluowang ransomware in some instances and DarkSide in others.


“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high-level, technically distinct features taken from different ransomware families – making it special and different from other ransomware families,” explained Sergey Shykevich, threat intelligence group manager at CPR.

According to the security expert, Rorschach is the fastest-encrypting ransomware, and one of the most sophisticated, that the company has encountered.

“It speaks to the rapidly changing nature of cyberattacks and to the need for companies to deploy a prevention-first solution that can stop Rorschach from encrypting their data,” Shykevich concluded.

The CPR advisory comes weeks after CISA published its new Ransomware Vulnerability Warning Pilot (RVWP) program. 
