Rorschach Ransomware: The Fastest Strain to Date

What is Rorschach Ransomware?

Earlier this year (2023), researchers discovered a new ransomware strain called Rorschach (pronounced ROAR-shahk), which appears to have unique encryption features, making it the fastest ransomware threat known to date. Rorschach uses a new encryption method called ‘intermittent encryption’, which involves encrypting only a portion of each file, thereby rendering it unreadable. This speeds-up the encryption process, leaving less time for organizations to detect and respond to an infection, thus increasing its likelihood of success. This new strain appears to have implemented the best features of other leading ransomware strains, making it one of the most dangerous strains out there.

The malware was discovered following a cyberattack on a US-based company, in which the hackers deployed the ransomware after leveraging a weakness in the Cortex XDR threat detection and incident response tool. Rorschach uses the DLL side-loading technique via a signed component in Cortex XDR, and the main payload is protected against reverse engineering and detection using virtualization. The malware creates a Group Policy to propagate to other hosts on the domain and erases four event logs to wipe its trace. After locking the system, Rorschach drops a ransom note similar in format to the Yanlowang ransomware. The identity of the ransomware’s operators remains unknown, and there is no branding, which is rare in the ransomware scene.

How To Protect Yourself from Rorschach Ransomware

While the Rorschach encryption process may be faster, the techniques used to prevent Rorschach attacks are essentially the same as those used to prevent infections from common strains such as Locky, Cerber and Cryptolocker. These techniques include;

1. Strict Access Controls: Access controls help to restrict access to important information and systems only to authorized individuals, reducing the chances of cybercriminals sneaking in and installing ransomware. Role-based access control (RBAC) and attribute-based access control (ABAC) are two types of access controls that can help organizations to keep ransomware attacks at bay. RBAC restricts access to systems based on the role of the user, while ABAC sets access rules based on user attributes like job title, department, and location.

2. Strong Password Policies: Cybercriminals often use brute force methods to crack weak passwords, giving them access to sensitive data and systems. Implementing a strong password policy that requires complex combinations of letters, numbers, and symbols can significantly increase the security of an organization’s network. Industry standards like NIST 800-63B provide guidelines and best practices for creating strong passwords. It is essential for organizations to stay updated on these standards and regularly update their password policies accordingly to guard against ransomware attacks.

3. Multi-Factor Authentication (MFA): By requiring users to provide more than one form of authentication, such as a password and a security token, Multi-Factor Authentication (MFA) significantly reduces the risk of unauthorized access to sensitive data and applications. Ransomware attacks often exploit weak or stolen passwords to gain access to systems, networks, and accounts, which can then be used to encrypt files and demand payment. By implementing MFA, organizations can significantly improve their security posture and mitigate the risk of ransomware attacks. Organizations should educate their employees on the importance of MFA and ensure that it is configured correctly and updated regularly to eliminate vulnerabilities and mitigate potential threats.

4. Zero-Trust Architecture: Zero trust is a security framework that assumes that all systems, users, and applications are inherently untrustworthy. The zero trust model employs a segmented network architecture that ensures that even if one part of the network is infected with ransomware, the attack cannot propagate to other parts of the network. Additionally, the zero trust security framework implements multi-factor authentication, access controls, and data encryption to ensure that only authorized users can access sensitive data.

5. Penetration Testing: Penetration testing is an effective way to identify vulnerabilities within an organization’s network. Pen-testing involves simulating an attack on an organization’s systems to identify weak points that cybercriminals could exploit. Pen-testers will utilize the same methods and tools that real hackers use to gain access to a system but without causing any damage. By identifying vulnerabilities and taking the necessary measures to fix them, organizations can reduce the risk of a ransomware attack.

6. Reliable Backups: By storing a copy of important data and files in an alternate location, such as a cloud-based system or an external hard drive, businesses can restore their systems and recover lost data in the event of a ransomware attack, without having to paying the ransom.

7. Security Awareness Training: Security awareness training is an essential practice that can help to prevent ransomware attacks within organizations. This includes educating employees about the dangers of ransomware, how it can infect the company’s systems, and the steps they need to take to avoid falling prey to such attacks. Employees should also know how to identify suspicious emails or links that may lead to an infection.

8. Threshold Alerting: Threshold alerting is an advanced security feature that can be used to help prevent ransomware attacks from spreading. It works by watching out for specific threshold conditions relating to user activity, such as the number of files that are encrypted, renamed or copied, or the number of login attempts made. When a threshold condition is met, the system automatically alerts administrators, who can then take action to mitigate the threat and prevent the ransomware from spreading further. Alternatively, a custom script can be executed which may disable a specific account or process, change the firewall settings, or simply shut down the affected systems.