Rorschach: Ransomware That Encrypts Data Faster Than You Can React

A new player in cyberspace has already taken the crown from LockBit.

The ransomware world has always been competitive: attackers keep trying to shorten their attacks, and organizations keep trying to defend against them. Speed matters so much that RaaS platforms (Ransomware-as-a-Service) advertise the speed of their campaigns to attract potential affiliates.

LockBit, one of the most successful ransomware groups, has publicly demonstrated its advantage over competitors in encryption speed. Now a new player has appeared on the market: Rorschach, which has taken the title of "king of encryption speed" from LockBit 3.0.

Rorschach is a new ransomware variant first described in April 2023 by Check Point cybersecurity researchers. Its code is a modified version of the Babuk ransomware source. Rorschach attracts attention with its speed, a critical factor for attackers and defenders alike, and cybersecurity experts highlight several respects in which it is ahead of other ransomware.

Malware spread rate

One important component of speed is the ability to spread the malware as widely and as quickly as possible. In the past, cybercriminals have used various techniques to do this, including supply-chain attacks and abuse of existing security and administration tools.

Rorschach, however, has an autonomous self-propagation feature built on Active Directory Group Policy Objects (AD GPOs): when it runs on a domain controller, it creates a GPO that delivers and launches the ransomware on every domain-joined endpoint, so the malware spreads across the network at a staggering rate. With this self-propagation method, Rorschach has pushed the frontier further than earlier families.

To counter such methods, organizations need controls that break self-propagation: for example, real-time anti-ransomware protection that detects intruders as early as possible, combined with monitoring of GPO creation and modification so that an unexpected policy is caught before it is applied domain-wide.
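A concrete check for this propagation path, added here as an illustration (it is not Check Point's code and not a Rorschach artifact): a GPO that deploys a payload through Group Policy Preferences leaves a ScheduledTasks.xml under the policy's folder in SYSVOL (Policies/{GUID}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml). The script parses such a file and flags "immediate" tasks, which fire as soon as the policy is applied, and tasks whose command runs from a user-writable or network path. The XML sample and its task names, GUIDs and paths are constructed for the example.

```python
"""Audit Group Policy Preferences ScheduledTasks.xml files for pushed payloads.

Added example for this article; not Check Point's code and not a Rorschach
artifact. The sample XML below is constructed: names, GUIDs and paths are made up.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

SAMPLE_SCHEDULED_TASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update"
      changed="2023-04-01 10:15:00" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>%PUBLIC%\svc.exe</Command>
            <Arguments>--quiet</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Inventory"
      changed="2022-11-20 08:00:00" uid="{22222222-3333-4444-5555-666666666666}">
    <Properties action="U" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Windows\System32\wevtutil.exe</Command>
            <Arguments>qe System /c:1</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# A payload launched from a user-writable or network location is the usual
# shape of a pushed binary rather than an admin-maintained task.
SUSPICIOUS_PATH_MARKERS = (
    "%public%", "%temp%", "%appdata%", "\\users\\", "\\programdata\\",
    "\\sysvol\\", "\\\\",  # UNC path
)


def audit_scheduled_tasks_xml(xml_text: str) -> list[dict]:
    """Return one finding per task that is either an immediate task or launches
    its command from a suspicious path. Other tasks are ignored."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:
        props = task.find("Properties")
        exec_el = props.find("Task/Actions/Exec") if props is not None else None
        command = exec_el.findtext("Command", "") if exec_el is not None else ""
        args = exec_el.findtext("Arguments", "") if exec_el is not None else ""
        run_as = props.get("runAs", "") if props is not None else ""
        reasons = []
        if task.tag == "ImmediateTaskV2":
            reasons.append("immediate task: fires as soon as the policy is applied")
        if any(m in command.lower() for m in SUSPICIOUS_PATH_MARKERS):
            reasons.append("command runs from a user-writable or network path")
        if not reasons:
            continue
        if run_as.upper().endswith("SYSTEM"):
            reasons.append("runs as SYSTEM")  # context, not a trigger by itself
        findings.append({
            "kind": task.tag,
            "name": task.get("name", ""),
            "changed": task.get("changed", ""),
            "run_as": run_as,
            "command": command,
            "arguments": args,
            "reasons": reasons,
        })
    return findings


def scan_sysvol(sysvol_root: str) -> list[dict]:
    """Walk a mounted SYSVOL Policies tree, audit every
    Machine/Preferences/ScheduledTasks/ScheduledTasks.xml under a GPO GUID
    folder, and tag each finding with the file it came from."""
    results = []
    for path in Path(sysvol_root).rglob("ScheduledTasks.xml"):
        # GPP files are usually written with a UTF-8 BOM; utf-8-sig handles both.
        for finding in audit_scheduled_tasks_xml(path.read_text(encoding="utf-8-sig")):
            finding["gpo_file"] = str(path)
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in audit_scheduled_tasks_xml(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"{f['kind']} '{f['name']}' -> {f['command']} {f['arguments']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run scan_sysvol against a mounted SYSVOL share and review everything it returns; the routine admin task in the sample is left alone while the immediate task launching from %PUBLIC% is flagged. Pair this file-level check with domain controller auditing of directory-object creation and modification (security events 5137 and 5136 on the groupPolicyContainer objects), so that a new GPO is noticed when it is created rather than after it has already fired on every endpoint.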

Data encryption speed for extortion

On Windows endpoints, Rorschach's creators chose the HC-128 stream cipher, which encrypts large volumes of data with high throughput, and an asymmetric key exchange based on Curve25519. The combination is efficient in both computation and memory consumption while maintaining a high level of security.

Like many ransomware families, including LockBit and Babuk, Rorschach encrypts only parts of each file rather than its entire content. This technique, called intermittent (or partial) encryption, has become popular in recent years for its efficiency and speed.

Encrypting only parts of a file cuts encryption time substantially, and the shorter the encryption phase, the less time defenders have to notice it. Encryption is the visible part of the attack, and attackers are shrinking that window to improve their odds against defenders.
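To make the trade-off concrete, here is an added illustration of intermittent encryption over an in-memory buffer; it is not Rorschach's code or any vendor's. It uses a toy SHA-256 counter keystream as a stand-in for HC-128 (an assumption made only to keep the example dependency-free; any stream cipher behaves the same way here), and the "file" is a constructed 64 KiB text buffer. It shows how few bytes must be touched to make the file unusable, and why a whole-file entropy heuristic misses the result while a per-block entropy check does not.

```python
"""Intermittent (partial) encryption: cost to the attacker, visibility to the
defender. Added example for this article, not Rorschach's code. The keystream
is a toy SHA-256 counter construction standing in for HC-128 (assumption)."""
import hashlib
import math
from collections import Counter


def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter). Not a real cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text is roughly 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def intermittent_xor(data: bytes, key: bytes, encrypt_len: int, skip_len: int):
    """XOR only the first `encrypt_len` bytes of every (encrypt_len + skip_len)
    stride. Returns (output, bytes_touched). The keystream is consumed in order
    of touched bytes, and XOR is its own inverse, so the same call decrypts."""
    stride = encrypt_len + skip_len
    ranges = [(s, min(s + encrypt_len, len(data))) for s in range(0, len(data), stride)]
    touched = sum(e - s for s, e in ranges)
    ks = keystream(key, touched)  # only as much keystream as bytes touched
    out = bytearray(data)
    pos = 0
    for s, e in ranges:
        n = e - s
        out[s:e] = bytes(a ^ b for a, b in zip(data[s:e], ks[pos:pos + n]))
        pos += n
    return bytes(out), touched


def max_block_entropy(data: bytes, block: int) -> float:
    """Highest entropy of any fixed-size block; this is what a per-block
    detector sees, as opposed to the whole-file average."""
    return max(shannon_entropy(data[i:i + block]) for i in range(0, len(data), block))


def demo() -> dict:
    key = b"constructed-demo-key"
    # Constructed low-entropy "document": 64 KiB of repeated text.
    plain = (b"The quick brown fox jumps over the lazy dog. " * 2000)[:65536]
    full, full_touched = intermittent_xor(plain, key, len(plain), 0)
    # Encrypt 1 KiB, skip 15 KiB: 4 stripes in 64 KiB.
    part, part_touched = intermittent_xor(plain, key, 1024, 15 * 1024)
    back, _ = intermittent_xor(part, key, 1024, 15 * 1024)
    return {
        "full_fraction": full_touched / len(plain),
        "part_fraction": part_touched / len(plain),
        "plain_entropy": shannon_entropy(plain),
        "full_entropy": shannon_entropy(full),
        "part_entropy": shannon_entropy(part),      # whole-file view
        "part_block_entropy_1k": max_block_entropy(part, 1024),  # per-block view
        "roundtrip_ok": back == plain,
        "header_intact": part[:64] == plain[:64],   # False: file is unusable
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v:.3f}" if isinstance(v, float) else f"{k:24} {v}")
```

With a 1 KiB-in-16 KiB pattern only 6.25% of the bytes are rewritten, so keystream generation and disk I/O drop by roughly the same factor, yet the file header is destroyed and the file is useless without the key. The whole-file entropy stays well below the 7.x bits per byte that naive "is this file encrypted?" heuristics look for, while the maximum 1 KiB-block entropy is close to 8; detection logic that keys on partial encryption therefore has to inspect blocks, write patterns or I/O rate rather than the file as a whole.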

Like LockBit and other notorious ransomware, Rorschach uses parallelism and multithreading for high performance and fast encryption. Its implementation is tailored to the operating system it runs on: on Windows it uses I/O completion ports (IOCP) for efficient multithreaded encryption, a technique borrowed from LockBit 3.0, REvil, Hive, BlackMatter and DarkSide.

It is important to note that almost all modern ransomware variants already encrypt data very quickly. Unfortunately, all of them finish well before information security specialists or their tools can react, which is why the defensive emphasis has to be on prevention and early detection rather than on reacting during the encryption phase.

Although Rorschach leads the competition in speed, at the time of writing it does not exfiltrate data for double extortion, unlike LockBit, which steals enterprise data before encrypting it.

Ability to bypass detection

Rorschach also evades detection through obfuscation, the use of valid user accounts and domain services, and manipulation of its command-line arguments to hide the ransomware's true capabilities from analysis.

These evasions are new to ransomware, but not to cybersecurity. To counter Rorschach's GPO-based self-propagation and high-speed encryption, defenders need solutions that can detect and respond in real time to new and autonomous ransomware capabilities.

