Rorschach is a highly customizable ransomware strain recently uncovered by Check Point that shares no known overlap with currently known ransomware brands or strains. Behavioral analysis shows that it is partially autonomous: once executed on a Domain Controller, it spreads across the environment without further user input. In a lab environment, Rorschach exits if the system language is one used in the Commonwealth of Independent States (CIS). Rorschach has been seen injecting itself into notepad.exe as a layer of stealth, then using the Windows API CryptGenRandom as part of several highly efficient encryption schemes that drastically reduce the time needed to encrypt a host. For comparison, LockBit version 3 takes an average of 7 minutes to completely encrypt a host, while Rorschach took 4 minutes and 30 seconds on average to completely encrypt a victim machine. Given Rorschach's many customization options, even faster speeds are possible.
Ransomware attacks have always demanded immediate action, with every minute crucial to stopping the attack before the network is completely compromised. Rorschach drastically shortens that timeline, demanding faster response times and stronger preventative measures. In the worst case, a strong disaster recovery plan that accounts for a compromised Domain Controller pays massive dividends. Because of its speed, Rorschach demonstrates the importance of detections that act as a last line of defense for blue teams. A Managed Detection and Response service like the one offered by Binary Defense can provide critical coverage that keeps organizations aware in the worst-case scenario.
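The two observations above, that encryption completes in minutes and that the ransomware hides inside a trusted process such as notepad.exe, together argue for a last-line detection keyed on behaviour rather than process name. The following is an added illustration, not tooling from Binary Defense or Check Point: it runs a sliding-window rate check over a constructed feed of file-write events and alerts when any single process rewrites many distinct files within a few seconds. The event format, the `.encrypted` suffix, the window and the threshold are all assumptions chosen for the example.

```python
"""Rate-based 'last line of defense' check over file-write events.

Added example (not the vendor's detection logic). It assumes a simplified
event feed where each record is (ISO-8601 timestamp, process image name,
path written). A process rewriting many distinct user files in a short
window is flagged regardless of its image name, so a payload injected into
notepad.exe is treated the same as an unknown binary.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed sliding window
THRESHOLD = 20                   # assumed distinct-file count that triggers


def _constructed_events():
    """Build a small constructed event feed (not real telemetry)."""
    base = datetime(2023, 4, 10, 12, 0, 0)
    events = []
    # Benign: a word processor saving three files over a minute.
    for i in range(3):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        events.append((ts, "winword.exe", rf"C:\Users\a\Docs\report{i}.docx"))
    # Suspicious: notepad.exe rewriting 25 distinct files in five seconds.
    # The '.encrypted' suffix is a placeholder, not Rorschach's real extension.
    for i in range(25):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        events.append((ts, "notepad.exe", rf"C:\Users\a\Docs\file{i}.xlsx.encrypted"))
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_burst_writers(events, window=WINDOW, threshold=THRESHOLD):
    """Return {image: datetime of first alert} for processes that rewrite
    at least `threshold` distinct paths within any `window`-long span."""
    parsed = sorted((datetime.fromisoformat(ts), image, path)
                    for ts, image, path in events)
    recent = defaultdict(deque)   # image -> deque of (time, path) inside window
    alerts = {}
    for t, image, path in parsed:
        q = recent[image]
        q.append((t, path))
        # Drop entries that have aged out of the window.
        while q and t - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and image not in alerts:
            alerts[image] = t
    return alerts


def seconds_to_alert(events, image):
    """Seconds between a process's first write and the alert, or None."""
    alerts = detect_burst_writers(events)
    if image not in alerts:
        return None
    first = min(datetime.fromisoformat(ts) for ts, img, _ in events if img == image)
    return (alerts[image] - first).total_seconds()


if __name__ == "__main__":
    for image, when in detect_burst_writers(SAMPLE_EVENTS).items():
        print(f"ALERT {when.isoformat()} {image} burst-rewrote files "
              f"({seconds_to_alert(SAMPLE_EVENTS, image):.1f}s after first write)")
```

On the constructed feed the word processor never trips the threshold, while notepad.exe is flagged 3.8 seconds after its first write. The point of the measurement is the budget: with whole-host encryption averaging four and a half minutes, a detection that needs minutes of aggregation before it fires has already lost most of the files, so the window and threshold should be tuned against that figure rather than against daily averages.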