Check Point researchers have discovered a new strain of ransomware called Rorschach, with unique characteristics that make it one of the fastest ransomware threats today.
The malware was deployed by DLL side-loading: a legitimately signed component of Cortex XDR, Palo Alto Networks' detection and response product, was abused to load the malicious DLL, so the initial execution ran under cover of a trusted, signed binary. Rorschach also has self-propagating capabilities and clears four Windows event logs to cover its tracks.
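The log clearing described above leaves its own trace: Windows records an event when a log is cleared, and a host that clears several distinct logs within a few seconds looks nothing like routine administration. The following detection over exported event records is an added example, not code from the Check Point write-up or from the Rorschach sample; the CSV layout is an assumed export format, the records are constructed, and the four log names in them are illustrative rather than taken from the report.

```python
"""Flag bulk clearing of Windows event logs from exported log records.

Added example, not code from the Check Point write-up or the Rorschach
sample. A burst of "log cleared" events from a single host, covering
several distinct logs within a short window, is the footprint of a tool
deleting logs to cover its tracks. The records below are constructed; the
CSV layout (timestamp,host,channel,event_id,message) is an assumed export
format, and the four log names are illustrative, not taken from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows records Event ID 1102 in the Security log when the audit log is
# cleared, and Event ID 104 (source Microsoft-Windows-Eventlog) in the System
# log when another channel is cleared; the cleared channel's name appears in
# the 104 message text.
SAMPLE_RECORDS = """\
2023-04-04T10:12:01Z,HOST-A,Security,4624,An account was successfully logged on
2023-04-04T10:15:30Z,HOST-A,Security,1102,The audit log was cleared
2023-04-04T10:15:31Z,HOST-A,System,104,The Application log file was cleared
2023-04-04T10:15:31Z,HOST-A,System,104,The System log file was cleared
2023-04-04T10:15:32Z,HOST-A,System,104,The Windows PowerShell log file was cleared
2023-04-04T11:40:00Z,HOST-B,System,104,The Application log file was cleared
2023-04-04T12:00:00Z,HOST-B,Security,4688,A new process has been created
"""

CLEARED_RE = re.compile(r"The (?P<log>.+?) log file was cleared")


def parse_records(text: str):
    """Return (timestamp, host, cleared_log) for every log-clearing record."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _channel, event_id, message = line.split(",", 4)
        if event_id == "1102":
            log = "Security"
        elif event_id == "104":
            match = CLEARED_RE.search(message)
            if not match:
                continue
            log = match.group("log")
        else:
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, log))
    return events


def find_bulk_clears(events, window_seconds: int = 60, min_logs: int = 2):
    """Return (host, window_start, logs) for hosts that cleared at least
    min_logs distinct logs within window_seconds.

    A single cleared log is routine admin noise; several distinct logs in one
    short burst is not, so the threshold is on distinct log names, not on the
    raw number of clear events.
    """
    by_host = defaultdict(list)
    for when, host, log in events:
        by_host[host].append((when, log))
    alerts = []
    for host, items in sorted(by_host.items()):
        items.sort()
        for i, (start, _) in enumerate(items):
            logs = set()
            for when, log in items[i:]:
                if when - start > timedelta(seconds=window_seconds):
                    break
                logs.add(log)
            if len(logs) >= min_logs:
                alerts.append((host, start, sorted(logs)))
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for host, start, logs in find_bulk_clears(parse_records(SAMPLE_RECORDS)):
        print(f"{host}: {len(logs)} logs cleared from {start:%H:%M:%S}: {', '.join(logs)}")
```

In the sample, HOST-A clears four distinct logs within three seconds and is flagged; HOST-B clears one log and is not. Tune `min_logs` and `window_seconds` to the environment, and treat the Security log's 1102 event specially, since a process that clears the audit log is usually trying to remove evidence of its own logon.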
It encrypts only part of each file (intermittent encryption), which is the main source of its speed, and uses an efficient thread-scheduling implementation to parallelise the work. A side effect of partial encryption is that the untouched regions of a file remain readable. Its encryption is a hybrid scheme that pairs curve25519 key exchange with the eSTREAM stream cipher HC-128 for the bulk file encryption.
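Partial encryption is fast precisely because most bytes never pass through the cipher, and that leaves a measurable signature: a file whose chunks alternate between plaintext-like and ciphertext-like entropy. The following is an added example, not code from the Check Point write-up or from the Rorschach sample. It encrypts the first `enc_bytes` of every `stride` bytes, an assumed layout rather than Rorschach's actual pattern, uses SHA-256 in counter mode as a toy stand-in for HC-128 (which the Python standard library lacks), and then classifies buffers by per-chunk entropy. All input is constructed in memory.

```python
"""Intermittent (partial) encryption and a per-chunk entropy check for it.

Added example, not code from the Check Point write-up or from the
Rorschach sample. The layout used here (the first `enc_bytes` of every
`stride` bytes) is an assumed pattern, not the one Rorschach uses, and the
keystream is SHA-256 in counter mode standing in for HC-128, which the
Python standard library does not provide. All input is constructed.
"""
import hashlib
import math
from collections import Counter

CHUNK = 1024   # analysis window for the entropy check
HIGH = 7.0     # bits/byte at or above which a chunk looks like ciphertext
LOW = 5.5      # bits/byte at or below which a chunk looks like plain text


def keystream(key: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Toy stream cipher: SHA-256 over (key, nonce, block counter).

    Returns keystream bytes [offset, offset + length). offset must be a
    multiple of the 32-byte block so regions can be ciphered independently.
    """
    assert offset % 32 == 0
    out = bytearray()
    block = offset // 32
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def intermittent_encrypt(data: bytes, key: bytes, nonce: bytes,
                         stride: int = 8192, enc_bytes: int = 4096) -> bytes:
    """XOR only the first enc_bytes of every stride bytes with the keystream.

    Only the selected ranges pass through the cipher, which is where the
    speed-up comes from. XOR with a position-bound keystream is an involution,
    so calling this again with the same parameters decrypts.
    """
    out = bytearray(data)
    for start in range(0, len(data), stride):
        end = min(start + enc_bytes, len(data))
        ks = keystream(key, nonce, start, end - start)
        out[start:end] = bytes(a ^ b for a, b in zip(data[start:end], ks))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, chunk: int = CHUNK):
    """Return (verdict, fraction of ciphertext-like chunks).

    plaintext: no chunk looks encrypted; fully_encrypted: no chunk looks like
    plain text; partially_encrypted: both kinds present, the signature of
    intermittent encryption. Compressed or media data sits in the middle band
    and needs per-format thresholds; this example only handles text-like input.
    """
    ents = [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    high = sum(e >= HIGH for e in ents)
    low = sum(e <= LOW for e in ents)
    frac = high / len(ents) if ents else 0.0
    if high == 0:
        return "plaintext", frac
    if low == 0:
        return "fully_encrypted", frac
    return "partially_encrypted", frac


# Constructed 64 KiB "document" and a throwaway key; nothing here comes from a sample.
SENTENCE = b"The quick brown fox jumps over the lazy dog. "
PLAINTEXT = (SENTENCE * 2000)[:65536]
KEY = hashlib.sha256(b"example key, not from any sample").digest()
NONCE = b"\x00" * 16


def demo():
    partial = intermittent_encrypt(PLAINTEXT, KEY, NONCE)
    full = intermittent_encrypt(PLAINTEXT, KEY, NONCE,
                                stride=len(PLAINTEXT), enc_bytes=len(PLAINTEXT))
    return {
        "plaintext": classify(PLAINTEXT),
        "partial": classify(partial),
        "full": classify(full),
        "roundtrip_ok": intermittent_encrypt(partial, KEY, NONCE) == PLAINTEXT,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the default layout half the bytes are ciphered, so the partially encrypted buffer classifies as `partially_encrypted` with a high-entropy fraction of 0.5, while the same buffer run through the cipher end to end classifies as `fully_encrypted`. The same alternating-entropy test is what a file scanner can use to tell intermittently encrypted files from both intact documents and fully encrypted ones.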
Rorschach’s operators remain unknown and there is no branding, which is unusual in the ransomware scene.
Indicators of Compromise