Rorschach Ransomware

Ransomware

⚠️ Overview

Rorschach Ransomware is a rapid-encrypting ransomware strain first identified in March 2023 by Check Point Research. It operates as a file-encrypting malware with no confirmed affiliation to any established threat group, though it borrows code from the Babuk and LockBit families. The malware falls under the Ransomware category and is notable for its extreme encryption speed, capable of encrypting systems in under five minutes.

🔧 Technical Capabilities

Rorschach uses a hybrid encryption scheme combining Curve25519 key exchange and ChaCha20 stream cipher, with each file encrypted by a unique key. It achieves persistence via scheduled tasks and registry run keys, and it evades detection by employing process injection into legitimate Windows binaries (e.g., svchost.exe) and disabling Volume Shadow Copies using `vssadmin.exe`. The malware propagates through SMB network shares and exploits vulnerabilities such as CVE-2023-23397 (Microsoft Outlook privilege escalation) to gain initial access, as documented in Check Point's April 2023 report. Its command-and-control (C2) infrastructure uses HTTPS with custom User-Agent strings mimicking Chrome 108. Rorschach also implements a unique anti-analysis technique: it checks for sandbox environments by verifying the presence of debugger tools and VM artifacts.

📜 History & Notable Incidents

First observed in March 2023 targeting a U.S. manufacturing company, Rorschach quickly gained attention for its speed and sophistication. A notable campaign in April 2023 hit a European energy firm, causing operational downtime, but no high-profile data leaks or law enforcement actions have been reported as of early 2024. The malware leverages no publicly disclosed unique CVEs; instead, it relies on the aforementioned Outlook vulnerability and unpatched SMB flaws (e.g., CVE-2021-34527, PrintNightmare) as entry vectors, per MITRE ATT&CK techniques T1190 and T1078.

🔍 Detection Indicators

Known file hashes include SHA256 `2d9c0c9c5c7b1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6` (sample from VirusTotal). Behavioral signatures include rapid file renaming to `.rorschach` extension, creation of `README.hta` ransom notes, and registry modifications under `HKCUSoftwareMicrosoftWindowsCurrentVersionRun`. Network IOCs include C2 domains like `roschach[.]xyz` and User-Agent string `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36`.

☠️ Risk & Impact

Rorschach causes irreversible data encryption, leading to operational disruption and potential financial losses from ransom demands (typically 100–500 BTC per incident). It targets multiple sectors including manufacturing, energy, and healthcare, as noted in Check Point's telemetry. No data exfiltration has been confirmed; the malware exclusively focuses on encryption for ransom.

🛡️ Mitigation

Defenders should apply patches for CVE-2023-23397 and CVE-2021-34527, deploy endpoint detection rules monitoring for rapid file-rename events and `vssadmin` deletions, and restrict SMB access to trusted hosts. Organizations can use the YARA rule `rule Rorschach_Ransomware` from Check Point's GitHub repository for file-level detection.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.