Check Point researchers have discovered a new strain of ransomware called Rorschach, with unique characteristics that make it one of the fastest ransomware threats today.

The malware was deployed using the DLL side-loading technique via a signed component in Cortex XDR, a Palo Alto Networks detection and response product. Rorschach has self-propagating capabilities and deletes four event logs to cover its tracks.
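A defender-side check for the log deletion described above, added here as an example and not taken from the Check Point research: it flags hosts where four or more distinct event logs are cleared within a short window. Event IDs 1102 and 104 are the standard Windows "log cleared" events. The sample records, host names, channel names and the five-minute window are constructed assumptions, and the check assumes the clearing goes through the Windows event log service so that those events are written.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CLEAR_IDS = {1102, 104}         # 1102: Security log cleared; 104: another log cleared
WINDOW = timedelta(minutes=5)   # assumption: correlation window
THRESHOLD = 4                   # the page reports four event logs deleted

# Constructed sample records: (host, timestamp, event id, cleared channel).
# Channel names are illustrative, not the ones named in any report.
SAMPLE = [
    ("ws-01", "2023-04-05T10:00:00", 4624, ""),             # unrelated logon event
    ("ws-01", "2023-04-05T10:00:01", 104, "Application"),
    ("ws-01", "2023-04-05T10:00:02", 104, "System"),
    ("ws-01", "2023-04-05T10:00:02", 1102, "Security"),
    ("ws-01", "2023-04-05T10:00:03", 104, "Setup"),
    ("ws-02", "2023-04-05T09:00:00", 104, "Application"),   # isolated clears, hours apart
    ("ws-02", "2023-04-05T15:30:00", 104, "System"),
]

def log_clear_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Return {host: (first_clear_time, sorted_channels)} for every host where
    at least `threshold` distinct logs were cleared within `window`."""
    per_host = defaultdict(list)
    for host, ts, event_id, channel in records:
        if event_id in CLEAR_IDS:
            per_host[host].append((datetime.fromisoformat(ts), channel))
    alerts = {}
    for host, clears in per_host.items():
        clears.sort()
        start = 0
        for end in range(len(clears)):
            # Slide the window start forward until it spans at most `window`.
            while clears[end][0] - clears[start][0] > window:
                start += 1
            channels = {name for _, name in clears[start:end + 1]}
            if len(channels) >= threshold:
                alerts[host] = (clears[start][0], sorted(channels))
                break
    return alerts

if __name__ == "__main__":
    for host, (first, channels) in log_clear_bursts(SAMPLE).items():
        print(f"{host}: {len(channels)} logs cleared from {first}: {', '.join(channels)}")
```

Because the logs on the affected host are the ones being wiped, this correlation is only reliable over events that were forwarded to a central collector before the clear.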

It encrypts data only partially, which makes it faster, and uses a highly efficient thread-scheduling implementation. Its encryption scheme combines Curve25519 with HC-128, a stream cipher from the eSTREAM portfolio.

Rorschach’s operators remain unknown and there is no branding, which is unusual in the ransomware scene.

Indicators of Compromise