[ Intelligence ] (TLP:CLEAR) Experts warn of fast-encrypting ‘Rorschach’ ransomware

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

Summary: Cybersecurity researchers recently discovered a new ransomware strain described as a mash-up of the most effective ransomware families currently in use. Dubbed Rorschach, it received this moniker because each person who examined it saw something a little different, akin to the famous psychological test. Several features of this ransomware surprised researchers, beyond the speed of its encryption process: its approximate average encryption time is minutes faster than that of commonly used ransomware such as LockBit. The researchers conducted five separate encryption speed tests in controlled environments, running it against LockBit, and wrote that the ransomware was the “new speed demon in town.” Part of the ransomware is autonomous, allowing it to carry out tasks that attackers typically have to perform manually. The ransomware is also highly customizable, giving attackers a wide range of tools to deploy during incidents.

While the ransomware has a number of distinctive features, it also takes inspiration from several other ransomware strains. The ransom note sent to victims resembles those of the Yanluowang and DarkSide groups, and parts of the code draw on the leaked source code of the Babuk and LockBit ransomware strains. The ransomware is able to delete backups and stop certain services, such as firewalls, from operating, making recovery more difficult. The researchers were surprised to discover that, in addition to encrypting an environment, the ransomware also uses unusual techniques to evade defense systems. Its developers also built in two system checks that can halt its operation based on the language the victim's system is using. If the language belongs to a Commonwealth of Independent States (CIS) country such as Armenia, Azerbaijan, Kazakhstan, Russia, Ukraine, Belarus, Tajikistan, Georgia, Kyrgyzstan, Turkmenistan, Uzbekistan or Moldova, the ransomware will not run. The ransomware also has a unique encryption scheme, encrypting only portions of each file rather than the entire file, which makes it more difficult to decrypt. This partial encryption is part of what allows it to work faster than other ransomware encryption schemes.
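Added example (not part of this bulletin or of Check Point's research): a chunked entropy scan, the kind of check a defender can run over a suspect file to spot the interleaved high- and low-entropy blocks that partial encryption leaves behind, as opposed to a fully encrypted file (uniformly high entropy) or an untouched one. The 4 KiB chunk size and the entropy thresholds are assumptions chosen for illustration, and the sample file bodies are constructed inline.

```python
import math
import os
from typing import List, Tuple

CHUNK = 4096   # block size to score (assumption for this example)
HIGH = 7.5     # bits/byte; random-looking (encrypted/compressed) data scores near 8
# Ordinary text and most document content score well below HIGH.

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(data: bytes, chunk: int = CHUNK) -> List[float]:
    """Per-chunk entropy, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify(data: bytes, chunk: int = CHUNK) -> Tuple[str, int]:
    """Label a file body as 'plain' (no high-entropy blocks), 'full' (every block
    high entropy) or 'partial' (high- and low-entropy blocks interleaved, the
    footprint of intermittent encryption). Returns (label, transition count)."""
    high = [e >= HIGH for e in entropy_profile(data, chunk)]
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    if all(high):
        return "full", transitions
    if not any(high):
        return "plain", transitions
    return "partial", transitions

# Constructed sample input: a repetitive plaintext body; the same body with every
# other 4 KiB block replaced by random bytes (simulated partial encryption); and a
# fully random body of the same size (simulated full encryption).
_plain = (b"Quarterly report: revenue, expenses, headcount, notes.\n" * 1500)[:16 * CHUNK]
_partial = b"".join(
    os.urandom(CHUNK) if (i // CHUNK) % 2 == 0 else _plain[i:i + CHUNK]
    for i in range(0, len(_plain), CHUNK)
)
_full = os.urandom(len(_plain))

if __name__ == "__main__":
    for name, body in (("plain", _plain), ("partial", _partial), ("full", _full)):
        print(name, classify(body))
```

A scan like this is a triage aid only: compressed archives and media files are legitimately high entropy, so the signal is the alternating pattern across many files, not any single block.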

NYSIC CAU Analyst Note: In a report published April 4, 2023 (weblink below), the cybersecurity company Check Point Research said Rorschach appears to be unique: it shares no overlaps that would easily attribute it to any known ransomware strain, and it lacks the kind of branding typical of most ransomware groups. The researchers further described it as a new type of ransomware whose technically distinct features, taken from different ransomware families, set it apart from those families.

Check Point Research report: hxxps://research.checkpoint[.]com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/

Sources:
hxxps://www.csoonline[.]com/article/3692634/new-rorschach-ransomware-hits-with-unique-features-and-very-fast-encryption.html
hxxps://www.hackread[.]com/rorschach-ransomware-hits-us-based-companies/
hxxps://blog.checkpoint[.]com/research/what-do-the-inkblots-tell-you-check-point-researchers-unveil-rorschach-previously-unseen-fastest-ever-ransomware/

This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Private Sector

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
