Fraud Management & Cybercrime , Ransomware

Rorschach Ransomware Opts for Speed and Stealth, Not Hijinks

Not every ransomware group operates with a larger-than-life persona designed to scare victims into immediately acceding to bogeyman extortionists' demands.

See Also: Value Drivers for an ASM Program

Compared to the ego-fueled soap opera antics and rampant self-promotion seen with the likes of LockBit, REvil - aka Sodinokibi - and Conti, some groups prefer to work on the sly by eschewing data leak sites and communicating with victims directly. Doing so makes their efforts tougher for law enforcement to track and disrupt.

Enter a recently discovered type of ransomware known as both Rorschach and BabLock, which researchers say is notable for its stealth - it has been active since at least June 2022 - as well as its speed, relatively low ransom demands and borrowing from other strains of crypto-locking malware.

The malicious code "does not exhibit any clear-cut overlaps with any of the known ransomware groups but does appear to draw inspiration from some of them," said researchers at Check Point Research, which looked at the malware and dubbed it Rorschach.

"Each person who examined the ransomware saw something a little bit different, prompting us to name it after the famous psychological test," security researchers said in their report, published Tuesday.

Rorschach is a speed demon, thanks in part to some elegant coding, avoiding many file types and using partial or intermittent file encryption, the Check Point researchers said. It handled sample data that took 7 minutes for LockBit version 3 to encrypt in only 4 minutes and 30 seconds, they said. Faster encryption helps criminals avoid detection by defenders until it's too late.

Details of Rorschach were first publicized in January by Andrey Zhdanov, chief malware analyst and threat hunter with the data forensics and incident response team at Group-IB, which discovered the malware during an incident response engagement at a European industrial firm it declined to name.

Multiple versions of Rorschach appear to be in circulation. Last month, South Korean cybersecurity company AhnLab published an analysis of ransomware that it described as being a DarkSide variant, in part because it uses a ransom note similar to that used by that group, which went dark in May 2021.

Check Point says that in fact this appears to be a Rorschach variant because even though "it was carried out through different means, the ransomware described in the report triggers an almost identical execution flow." Some other versions of Rorschach instead use a ransom demand that more resembles the note used by Yanluowang ransomware, they said.

Based on uploads of Rorschach to VirusTotal as well as its own incident response engagements, Group-IB says the malware appears to have hit organizations in at least Austria, France, Hong Kong, India, Indonesia, Italy, Kuwait, Luxembourg and the United States.

Group-IB says initial ransom demands have ranged from $50,000 to $1 million. In its ransom note, Rorschach doesn't threaten to leak data - only to attack victims again if they fail to pay. This is consistent with how other more "quiet" ransomware groups often operate, Group-IB's Zhdanov told Information Security Media Group; they communicate with victims via email or an instant messaging system, such as Tox.

Such groups "often do not steal the data of victims, and also, their earnings are more modest - compared to more prominent ransomware groups" and thus "more stable," he said. "For example, victims of these sorts of ransomware groups are often able to negotiate a significant reduction in the ransom demand."

Group-IB's codename for the ransomware is BabLock, owing to its technical similarities to Babuk and LockBit 2.0. For the Linux version, "the ransomware was developed based on the source code of Babuk for ESXi, which was made public in September 2021, and is virtually identical to the original," Group-IB analysis said in a report published Tuesday.

For the Windows version, BabLock uses Windows Group Policy Objects - group policy settings - to access hard drives and launch the ransomware, much like LockBit 2.0, they found. While BabLock's Linux components were compiled in June 2022, all of the Windows components were compiled in 2021.

The researchers found that like many types of ransomware run by Russian-speaking groups, including LockBit, Rorschach is designed to review the system and deactivate if it is set to use Russian or languages spoken in neighboring countries that were once a part of the Soviet Union.