Secured integration to the future

RORSCHACH attacks: a new threat from ransomware

06.04.2023
Rorschach is a new ransomware family recently discovered by cybersecurity researchers. It is considered complex, fast, and easily customizable, and it has technically unique features that have not been seen in ransomware before.
The ransomware uses DLL side-loading to load its payload, a technique rarely seen in comparable attacks. Its distinguishing characteristics are a high degree of customization and the use of direct system calls to manipulate files and bypass security mechanisms.

The ransomware can also stop a predefined list of services, delete shadow copies and backups, clear Windows event logs to erase its traces, turn off the Windows Firewall, and even delete itself once its actions are complete. Rorschach uses a highly efficient hybrid cryptographic scheme that combines Curve25519 with the eSTREAM cipher HC-128, making it a "speed demon".
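The defence-evasion behaviours listed above (service shutdown, shadow copy and backup deletion, event log clearing, firewall disablement) are each individually noisy but, correlated on one host, are a strong ransomware signal. The following is an added detection example, not code from this article or from Check Point Research; the log format, the `INDICATORS` patterns and the sample lines are constructed assumptions, not Rorschach indicators.

```python
"""Correlate the behaviours the article attributes to Rorschach across
process-creation log lines from one host and alert when several co-occur.
Log format and sample lines are constructed for this example."""
import re
from collections import defaultdict

# Label from the article -> case-insensitive regex over the command line.
# These are generic administrative commands commonly watched by detection
# rules for each behaviour; they are assumptions, not Rorschach specifics.
INDICATORS = {
    "stop_services": re.compile(r"\b(net\s+stop|sc\s+stop)\b", re.I),
    "delete_shadow_copies": re.compile(
        r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I),
    "delete_backups": re.compile(r"wbadmin\s+delete", re.I),
    "clear_event_logs": re.compile(r"wevtutil\s+(cl|clear-log)\b", re.I),
    "disable_firewall": re.compile(r"netsh\s+advfirewall.*state\s+off", re.I),
}
ALERT_THRESHOLD = 3  # distinct behaviours on a single host

def parse_line(line):
    """Parse '<ts> <host> <pid> <command line>'; None for malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "host": parts[1], "pid": parts[2], "cmd": parts[3]}

def detect(lines):
    """Return {host: sorted behaviour labels} for hosts at or over threshold."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparsable telemetry rather than crash
        for label, rx in INDICATORS.items():
            if rx.search(ev["cmd"]):
                seen[ev["host"]].add(label)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= ALERT_THRESHOLD}

# Constructed sample telemetry: WS-17 shows four behaviours, WS-03 only one.
SAMPLE_LOG = """\
2023-04-06T10:00:01Z WS-17 4120 net stop SQLWriter
2023-04-06T10:00:02Z WS-17 4133 vssadmin.exe delete shadows /all /quiet
2023-04-06T10:00:03Z WS-17 4140 wevtutil cl Security
2023-04-06T10:00:04Z WS-17 4151 netsh advfirewall set allprofiles state off
2023-04-06T10:05:00Z WS-03 2201 net stop Spooler
bad line
""".splitlines()

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # only WS-17 crosses the threshold
```

In production the host-level set would be bounded by a time window, and a single `delete_shadow_copies` hit is usually worth an alert on its own.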

It has been active since June 2022 and can also affect ESXi and Linux systems. The malware has been observed targeting small and medium-sized companies and industrial firms in Asia, Europe, and the Middle East.

You can learn more about Rorschach's features in the corresponding study by Check Point Research.