Check Point Research (CPR) has announced that it has detected a new form of ransomware that encrypts nearly twice as quickly as LockBit and is more sophisticated than traditional ransomware.
Nicknamed ‘Rorschach’ by the CPR team, it combines tactics from multiple well-known attacks with new, unique features for maximum damage and evasion of cyber security solutions. The nickname reflects how highly customizable the ransomware is: the Rorschach test is a psychological technique in which perceptions of inkblots are recorded and then analyzed, and the same inkblot can be seen in many different ways.
Rorschach was deployed using DLL side-loading of Palo Alto Networks’ Cortex XDR Dump Service Tool, a signed commercial security product. This loading method is not commonly used to load ransomware, and reveals a new approach taken by cybercriminals to evade detection. The vulnerability that allowed the deployment of Rorschach was properly disclosed to Palo Alto Networks by CPR.
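The side-loading technique described above has a simple detection signature from the defender's side: a signed host executable loading a DLL from its own directory that is unsigned or signed by a different party. The following script is an added illustration of that heuristic; it is not code from Check Point Research, Palo Alto Networks, or the Rorschach analysis. It assumes image-load records of the kind Sysmon Event ID 7 produces, reduced to four simplified fields, and every path and signer name in the sample data is constructed, not a real indicator.

```python
# Added example (not from the Check Point article): flag DLL side-loading
# candidates in image-load records such as those Sysmon Event ID 7 produces.
# The field names are a simplification, and all sample records are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class ImageLoad:
    process_path: str      # host executable that performed the load
    process_signer: str    # signer of the host executable ("" if unsigned)
    image_path: str        # DLL that was loaded
    image_signer: str      # signer of the DLL ("" if unsigned)

# Loads from the OS directories are ordinary and are excluded from the heuristic.
KNOWN_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed host loads a DLL from its own directory that is
    either unsigned or signed by a different party. The same-directory test
    is what separates side-loading from routine system DLL loads."""
    if not ev.process_signer:          # unsigned hosts call for a different rule
        return False
    proc_dir = str(PureWindowsPath(ev.process_path).parent).lower()
    img_dir = str(PureWindowsPath(ev.image_path).parent).lower()
    if img_dir != proc_dir or img_dir in KNOWN_SYSTEM_DIRS:
        return False
    return ev.image_signer.lower() != ev.process_signer.lower()

def find_sideload_candidates(events):
    """Return every record that matches the side-loading heuristic."""
    return [ev for ev in events if is_sideload_candidate(ev)]

# Constructed sample data; paths and signers are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\notepad.exe", "Microsoft Windows",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\Public\tool\vendor_tool.exe", "Example Vendor Inc.",
              r"C:\Users\Public\tool\helper.dll", ""),   # unsigned sibling DLL
    ImageLoad(r"C:\Users\Public\tool\vendor_tool.exe", "Example Vendor Inc.",
              r"C:\Windows\System32\advapi32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\Public\tool\vendor_tool.exe", "Example Vendor Inc.",
              r"C:\Users\Public\tool\vendor_core.dll", "Example Vendor Inc."),
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit.process_path} loaded {hit.image_path}")
```

On the constructed data only the unsigned `helper.dll` beside the signed vendor executable is flagged; the system DLL loads and the vendor's own signed companion DLL pass. In a real deployment the signer comparison should be made on the certificate subject rather than a display string, and the rule is a triage filter, not a verdict, since legitimate software sometimes ships third-party signed DLLs alongside its own binaries.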