Ransomware has always been a cat-and-mouse game, with attackers constantly seeking to improve their speed and organizations working tirelessly to stay one step ahead. The speed at which ransomware campaigns are executed can often make or break the success of an attack, which is why even ransomware-as-a-service (RaaS) platforms advertise their speed as a selling point to prospective affiliates. LockBit, one of the most successful ransomware groups, has even listed its encryption speed in comparison to its competitors to showcase its advantage. In short, speed is a critical factor on both sides of the ransomware battle.
However, there’s a new player in town that has managed to surpass LockBit’s encryption speed. Introducing Rorschach, one of the newest ransomware variants that has officially claimed the title of “encryption speed king” from LockBit 3.0. This variant, which was first detected in April 2023, is a customized strain of the Babuk ransomware code. Rorschach’s exceptional speed warrants a closer look at how ransomware creators are pushing the boundaries of speed across various dimensions of their victims’ environment.
One key component of speed is the ability to propagate malware quickly and efficiently. In the past, ransomware groups have employed various techniques such as supply chain attacks and utilizing existing IT and security tools to spread their malware rapidly. However, Rorschach has introduced a unique self-propagating and autonomous capability that leverages Active Directory (AD) Domain Group Policy Objects (GPO). This allows the malware to swiftly spread across the network and execute ransomware on every endpoint at incredible speeds. This innovation has taken self-propagation to new heights. To combat this, organizations must adopt tools that can actively defend against self-propagation and detect attackers in real time.
Another critical aspect of speed is the encryption of data for extortion purposes. Rorschach’s creators have strategically chosen HC-128, a stream cipher known for its high throughput when encrypting large streams of file data. For key exchange, the ransomware relies on asymmetric cryptography based on Curve25519, which balances computational performance, memory consumption, and security. Like other ransomware strains, such as LockBit and Babuk, Rorschach employs intermittent encryption, encrypting only parts of each file instead of its entire contents. This tactic significantly reduces the time required for data encryption, giving security tools less opportunity to detect the attack. Ransomware operators are shortening the encryption phase to improve their odds in the race against defenders. Rorschach also uses parallelism and multithreading for high-performance encryption, borrowing techniques from well-known ransomware groups such as LockBit 3.0, REvil, Hive, BlackMatter, and DarkSide.
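Intermittent encryption leaves a recognizable footprint on disk: windows of near-random bytes alternating with untouched, low-entropy content, where a fully encrypted file is uniformly high-entropy and an ordinary document is uniformly low. The following detector, an added example that is not part of the original article and not taken from any Rorschach sample, classifies a file's bytes by per-window Shannon entropy; the window size, the 7.0 bits/byte threshold, and the constructed sample files are assumptions chosen for illustration.

```python
import math
import random
from typing import Dict, List

CHUNK = 4096          # bytes per window examined (assumed value)
HIGH_ENTROPY = 7.0    # bits/byte; ciphertext or random data approaches 8.0

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte in buf (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_entropy(data: bytes) -> List[float]:
    """Entropy of each consecutive CHUNK-sized window of data."""
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]

def classify(data: bytes) -> str:
    """'plain': no high-entropy window; 'full': every window high-entropy;
    'intermittent': high- and low-entropy windows interleaved (>= 2 transitions);
    'partial': a single high/low boundary, e.g. only a header region encrypted."""
    high = [e >= HIGH_ENTROPY for e in chunk_entropy(data)]
    if not any(high):
        return "plain"
    if all(high):
        return "full"
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return "intermittent" if transitions >= 2 else "partial"

def build_samples(seed: int = 1) -> Dict[str, bytes]:
    """Constructed test data: low-entropy text, pseudo-random 'ciphertext' of the
    same length, and the text with every other window overwritten by it."""
    rng = random.Random(seed)
    text = b"Quarterly report: revenue grew 4% quarter over quarter.\n" * 1500
    encrypted = bytes(rng.getrandbits(8) for _ in range(len(text)))
    inter = bytearray(text)
    for i in range(0, len(inter), 2 * CHUNK):
        inter[i:i + CHUNK] = encrypted[i:i + CHUNK]
    return {"plain": text, "full": encrypted, "intermittent": bytes(inter)}

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:13s} -> {classify(blob)}")
```

On real data, run this over recently modified files and alert on a burst of 'intermittent' or 'full' results rather than on single hits, since compressed or media formats are legitimately high-entropy.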
While the speed rankings among ransomware gangs are fascinating, it’s important to note that most modern ransomware variants already encrypt data at a rapid pace, surpassing the capabilities of many security teams and tools. Notably, Rorschach currently does not appear to engage in double extortion by exfiltrating data, unlike other ransomware gangs such as LockBit, which typically exfiltrate large amounts of data before initiating encryption. Data exfiltration is the invisible race against defenders, and Rorschach’s focus on speed seems to be centered solely on data encryption.
To stay under the radar of defenders, Rorschach employs advanced defense evasion techniques, including a form of deception technology. This approach allows the ransomware to hide its true capabilities through code obfuscation, the use of valid domain user and service accounts, and argument spoofing. While this evasion technique is new to ransomware threats, deception itself has long been used in the cybersecurity world to combat various types of attacks. Defenders need solutions that can detect and respond to real-time, novel, and autonomous ransomware capabilities, especially in light of Rorschach’s use of AD GPOs and high-speed campaigns for self-propagation.
In conclusion, Rorschach ransomware has borrowed innovations from successful ransomware groups such as LockBit, Babuk, and REvil and taken speed to a new level. This variant highlights the need for continuous innovation on the part of defenders and the importance of countering attacker movement in real time. The race to stay ahead in the ransomware battle has never been more crucial, with both attackers and organizations striving for speed and innovation in their respective endeavors.