A sophisticated and fast ransomware family, dubbed Rorschach, has emerged in the threat landscape. The ransomware was spotted for the first time when deployed against a U.S.-based company. Its uniqueness lies in its ability to encrypt files on targeted systems in just four minutes and thirty seconds.
Looking into the attack campaign
CheckPoint researchers highlight that ransomware attacks using Rorschach have been reported in Asia, Europe, and the Middle East.
- It is highly customizable and uses direct syscalls, a rarely observed feature in ransomware.
- The ransomware is deployed by exploiting the DLL side-loading vulnerability in the Cortex XDR Dump Service tool.
- It is believed that Rorschach is built from the leaked source code of Babuk ransomware and takes some feature inspiration from LockBit 2.0 ransomware.
- After encrypting files, the ransomware sends out a ransom note to the victim in a format that matches that of the Yanluowang ransom note.
Modus operandi
Upon execution, Rorschach ransomware attempts to stop a predefined list of services from systems.
- It deletes shadow volumes and backups using legitimate Windows tools to make the recovery process difficult.
- When executed on a Windows Domain Controller, the ransomware automatically creates a Group Policy to spread itself to other machines within the domain.
- Rorschach employs a combination of the curve25519 and eSTREAM cipher hc-128 algorithms to effectively encrypt the files.
Another new ransomware in the spotlight
The crimeware landscape has also witnessed the emergence of another new ransomware dubbed PayMe100USD lately.
- Written in Python, the ransomware is distributed via fake Bing installers.
- Once executed, it encrypts files in the D, E, and F drives and the user directory in the C drive. After encryption, it drops eight ransom notes, labeled ‘PayMe 1.txt’ to ‘PayMe 8.txt.’
- As the name suggests, the ransomware asks victims to pay $100 worth of Bitcoin within 48 hours to recover the affected files.
Conclusion
Researchers claim that threat actors behind the Rorschach ransomware have implemented some of the techniques such as self-propagating capabilities that raise the bar for ransom attacks. While the operators remain unknown, organizations can leverage the IOCs associated with the ransomware to understand its attack activities. Coming to PayMe 100USD, it is observed that the ransomware has basic functionality and can be thwarted by using good antivirus solutions and monitoring tools.i9
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/d90f_shutterstock_1384018715.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/4237_shutterstock_2174569001.jpg)
