Rorschach Ransomware Dissection

Researchers have spotted, threat actors have deployed a new ransomware strain using the Palo Alto Cortex XDR Dump Service Tool, a commercial security product and it’s dubbed as Rorschach

Unlike other ransomware cases, the threat actor did not hide behind any alias and appears to have no affiliation to any of the known ransomware groups. Those two facts, rarities in the ransomware ecosystem, piqued CPR’s interest and prompted us to thoroughly analyze the newly discovered malware.

The ransomware is highly customizable and contains technically unique features, such as the use of direct syscalls, rarely observed in ransomware. Moreover, due to different implementation methods, Rorschach is one of the fastest ransomwares observed, by the speed of encryption.

The ransomware has a self-replicating ability when executed on a Domain Controller (DC). It was also observed clearing the event logs of infected devices. It’s extremely flexible, operating not only based on a built-in configuration but also on numerous optional arguments which allow it to change its behavior according to the operator’s needs.

One of the similarities with existing ransomware families is the formatting of the ransom note, which resembles one from the Yanluowang ransomware in some instances and DarkSide in others.

This new type of ransomware has high-level, technically distinct features taken from different ransomware families – making it special and different from other ransomware families

Modus of Operandi

Rorschach execution uses these three files:

• cy.exe – Cortex XDR Dump Service Tool version 7.3.0.16740, abused to side-load winutils.dll
• winutils.dll – Packed Rorschach loader and injector, used to decrypt and inject the ransomware.
• config.ini – Encrypted Rorschach ransomware which contains all the logic and configuration.

Upon execution of cy.exe, due to DLL side-loading, the loader/injector winutils.dll is loaded into memory and runs in the context of cy.exe. The main Rorschach payload config.ini is subsequently loaded into memory as well, decrypted and injected into notepad.exe, where the ransomware logic begins.

The ransomware uses this technique to run the following operations:

• Attempt to stop a predefined list of services, using net.exe stop.
• Delete shadow volumes and backups to harden recovery, using legitimate Windows tools such as vssadmin.exe, bcdedit.exe, wmic.exe, and wbadmin.exe
• Run wevutil.exe to clear the following Windows event logs: Application, Security, System and Windows Powershell.
• Disable the Windows firewall, using netsh.exe

Encryption Process

It employs a highly effective and fast hybrid-cryptography scheme, which blends the curve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes. This process only encrypts a specific portion of the original file content instead of the entire file. The WinAPI CryptGenRandom is utilized to generate cryptographically random bytes used as a per-victim private key. The shared secret is calculated through curve25519, using both the generated private key and a hardcoded public key. Finally, the computed SHA512 hash of the shared secret is used to construct the KEY and IV for the eSTREAM cipher hc-128.

Ransome Note

Rorschach reveals the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects. It appears to have taken some of the ‘best’ features from some of the leading ransomwares leaked online and integrated them all together. The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations.

Indicators of Compromise