Dive Brief:
- Researchers at Check Point detected a highly sophisticated – and previously unnamed – ransomware strain which the company says may be the fastest ever, with an encryption speed almost twice as fast as LockBit. The ransomware, which Check Point dubbed “Rorschach,” was used in an attack against a U.S. company.
- The ransomware was deployed through a DLL side-loading technique that abused Palo Alto Networks’ Cortex XDR, a signed commercial security product. This technique has not commonly been used for ransomware.
- Check Point has disclosed the information to Palo Alto, which will release new versions of Cortex XDR Agent next week to prevent misuse of the software.
Dive Insight:
The Rorschach ransomware is highly customizable and has features never before seen in ransomware, Check Point said. The strain appears to be partly autonomous, and can change behavior based on the needs of the operator.
The ransomware note left behind shared some formatting that appeared similar to prior notes from Yanluowang, according to Check Point. However, other variants left notes that resembled DarkSide campaigns.
“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has high levels [of] technically distinct features taken from different ransomware families – making it special and different from other ransomware families,” Sergey Shykevich, threat intelligence group manager at Check Point Research, said via email.
Palo Alto said that when the Cortex XDR Dump Service tool is removed from its installation directory, it can be used to load untrusted dynamic link libraries through the DLL side-loading technique. The Rorschach ransomware uses a copy of the tool in order to evade detection on systems lacking enough endpoint detection, according to Palo Alto.
When Cortex XDR is installed on Windows and the Cortex XDR Dump Service tool is running from the installation path, the DLL side-loading technique does not work, according to Palo Alto.
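The two statements above give defenders a concrete precondition to watch for: the side-loading only works once the signed tool has been copied out of its installation directory. The following is an added illustration of that check, written for this article and not code from Check Point, Palo Alto Networks or the ransomware itself. The executable name `dumptool.exe`, the install path, the DLL names and the Sysmon-style events are all constructed placeholders, since the article does not name the real binary or library; the logic flags a tracked signed executable running outside its expected directory, and then an unsigned DLL loaded from that relocated binary's own folder.

```python
"""Added example: flag a tracked signed executable that runs outside its
install directory, and an unsigned DLL it loads from that new location.
All names, paths and events below are constructed placeholders."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Placeholder expectation table (executable name -> expected install directory).
# The article does not name the real binary or path; these are assumptions.
EXPECTED_INSTALL_DIRS = {
    "dumptool.exe": r"C:\Program Files\Vendor\XDR",
}


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str          # path of the running executable (Sysmon-style "Image")
    image_loaded: str   # path of a DLL it loaded ("ImageLoaded")
    signed: bool        # whether the loaded DLL carried a valid signature


def _parts(path: str):
    # Case-insensitive path components, Windows semantics.
    return tuple(p.casefold() for p in PureWindowsPath(path).parts)


def is_under(path: str, directory: str) -> bool:
    """True if path lies strictly inside directory (case-insensitive)."""
    p, d = _parts(path), _parts(directory)
    return len(p) > len(d) and p[: len(d)] == d


def assess(events):
    """Return (path, reason) findings for relocated tracked binaries."""
    findings = []
    for ev in events:
        exe = PureWindowsPath(ev.image).name.casefold()
        expected = EXPECTED_INSTALL_DIRS.get(exe)
        if expected is None:
            continue  # not a binary we track
        if is_under(ev.image, expected):
            continue  # running from the install path: side-loading does not apply
        findings.append((ev.image, "tracked signed binary runs outside its install directory"))
        # An unsigned DLL loaded from the relocated binary's own folder is the
        # side-loading pattern itself; report it as a separate finding.
        exe_dir = str(PureWindowsPath(ev.image).parent)
        if is_under(ev.image_loaded, exe_dir) and not ev.signed:
            findings.append((ev.image_loaded, "unsigned DLL loaded from relocated binary's directory"))
    return findings


# Constructed sample events: one benign run from the install path, one copy
# staged in a user-writable folder loading an unsigned DLL, one unrelated process.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\Vendor\XDR\dumptool.exe",
                   r"C:\Program Files\Vendor\XDR\helper.dll", True),
    ImageLoadEvent(r"C:\Users\Public\stage\DumpTool.exe",
                   r"C:\Users\Public\stage\helper.dll", False),
    ImageLoadEvent(r"C:\Windows\System32\notepad.exe",
                   r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for path, reason in assess(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```

The comparison is done on path components rather than string prefixes so that `C:\Program Files\Vendor\XDR2` is not mistaken for the install directory, and executable names are matched case-insensitively because Windows treats `DumpTool.exe` and `dumptool.exe` as the same file. In practice the expectation table would be populated from the vendor's documented install location and the events fed from Sysmon event IDs 1 and 7 or an equivalent EDR telemetry source.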