Cybersecurity researchers have recently uncovered a new strain of ransomware which they argue is the fastest around.
After investigating a cyber-incident at a US company, experts at Check Point came across an unknown ransomware variant which, after a more thorough analysis, was dubbed Rorshach.
The researchers concluded Rorshach is the fastest ransomware strain around when it comes to encryption, testing the code by giving it 220,000 files on a 6-core CPU machine, to see how long it would take it to encrypt the files. Rorshach completed the task in four and a half minutes. For perspective, LockBit 3.0 previously held the record at seven minutes for the same job.
Confusing the researchers
While the ransomware’s operators are still unknown, the researchers do have a few ideas as to who might be behind it. The ransom note, they say, uses a format similar to the one used by the Yanlowang ransomware. They also said that the previous versions of malware used a ransom note similar to what DarkSide used, which tricked other researchers into believing that Rorshach was actually DarkSide.
When it comes to the ransomware’s technical specifications, the researchers found Rorshach supporting command-line arguments that can expand its functionality. However, the options are hidden, and can’t be accessed without reverse-engineering the malware. They also found that the encryptor will only go to work if it finds the target machine being configured with a language outside the Commonwealth of Independent States (CIS).
As for the encryption scheme, it’s a mix of curve25519 and eSTREAM cipher hc-12 algorithms. The malware only encrypts parts of the file, which is a practice other ransomware developers implemented, as well, to speed up the encrypting process.
Rorschach’s encryption routine suggests “a highly effective implementation of thread scheduling via I/O completion ports,” the researchers concluded.
Via: BleepingComputer (opens in new tab)