Check Point researchers have discovered a new strain of ransomware called Rorschach, with unique characteristics that make it one of the fastest ransomware threats today.

The malware was deployed using the DLL side-loading technique via a signed component in Cortex XDR, a Palo Alto Networks detection and response product. Rorschach has self-propagating capabilities and deletes four event logs to cover its tracks.
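
One defensive check the log-clearing behaviour described above suggests is to alert when a single host clears several Windows event logs within a short window. The following is an added example (not code from Check Point or from the report), written for records already parsed into dicts as a SIEM export would provide; the field names and the sample records are constructed. Event ID 1102 (Security channel) and Event ID 104 (System channel, source Microsoft-Windows-Eventlog) are the standard Windows identifiers for a log being cleared.

```python
"""Detect bursts of Windows event-log clearing on one host.

Added example, not from the original report. Assumes records are dicts with
'host', 'time' (ISO-8601), 'event_id', 'channel' and 'user' keys; these names
are an assumption made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows event IDs emitted when a log is cleared:
#   1102 -> Security log cleared (Security channel)
#   104  -> a log was cleared (System channel, Microsoft-Windows-Eventlog)
LOG_CLEAR_EVENTS = {1102, 104}

# Constructed sample records. WS-01 clears four logs within a few seconds,
# which is the pattern we want to catch; WS-02 shows two routine clears by an
# administrator hours apart, which should not alert.
SAMPLE_RECORDS = [
    {"host": "WS-01", "time": "2023-04-03T10:15:00", "event_id": 4624, "channel": "Security", "user": "alice"},
    {"host": "WS-01", "time": "2023-04-03T10:15:02", "event_id": 1102, "channel": "Security", "user": "SYSTEM"},
    {"host": "WS-01", "time": "2023-04-03T10:15:03", "event_id": 104, "channel": "System", "user": "SYSTEM"},
    {"host": "WS-01", "time": "2023-04-03T10:15:03", "event_id": 104, "channel": "System", "user": "SYSTEM"},
    {"host": "WS-01", "time": "2023-04-03T10:15:04", "event_id": 104, "channel": "System", "user": "SYSTEM"},
    {"host": "WS-02", "time": "2023-04-03T08:00:00", "event_id": 1102, "channel": "Security", "user": "admin"},
    {"host": "WS-02", "time": "2023-04-03T13:30:00", "event_id": 104, "channel": "System", "user": "admin"},
]


def parse_time(value):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def log_clear_bursts(records, window=timedelta(seconds=60), threshold=3):
    """Return one alert per host where at least `threshold` log-clear events
    fall inside a `window` starting at some clear event.

    Each alert is a dict with the host, the time of the first event in the
    burst, and how many clear events fell inside the window.
    """
    per_host = defaultdict(list)
    for record in records:
        if record["event_id"] in LOG_CLEAR_EVENTS:
            per_host[record["host"]].append(parse_time(record["time"]))

    alerts = []
    for host, times in per_host.items():
        times.sort()
        for start, t0 in enumerate(times):
            # All clear events from t0 up to t0 + window, inclusive.
            in_window = [t for t in times[start:] if t - t0 <= window]
            if len(in_window) >= threshold:
                alerts.append({"host": host, "first": t0.isoformat(), "count": len(in_window)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in log_clear_bursts(SAMPLE_RECORDS):
        print(f"{alert['host']}: {alert['count']} event logs cleared starting {alert['first']}")
```

The threshold of three clears inside sixty seconds is a starting point; a single clear by an administrator during maintenance is normal, while several channels cleared within seconds of each other by SYSTEM is the behaviour worth paging on. Feed the function the 1102/104 records from your own collector in the same dict shape.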

It encrypts data only partially, which speeds it up, and uses a highly efficient thread-scheduling implementation. Its encryption process combines Curve25519 with the eSTREAM stream cipher HC-128.

Rorschach’s operators remain unknown, and the ransomware carries no branding, which is unusual in the ransomware scene.
Indicators of Compromise

Hashes (MD5)
2237ec542cdcd3eb656e86e43b461cd1
4a03423c77fe2c8d979caca58a64ad6c
6bd96d06cd7c4b084fe9346e55a81cf9