New Rorschach ransomware almost twice as fast as LockBit
The sophisticated strain is made of cherry-picked code from other leading lockers and operated by an unknown group


Security researchers have discovered one of the fastest-encrypting ransomware strains, dubbed 'Rorschach', which has also displayed sophisticated evasion capabilities in attacks around the world.
The ransomware was detected in an attack against an undisclosed US-based company’s Windows environment, and quickly identified as a particularly efficient and apparently unaffiliated strain.
Check Point Research published details on Rorschach in a blog post, describing it as “one of the fastest ransomware out there” due to its impressive optimisation and sophisticated cryptography method.
In encryption tests within a controlled environment, Rorschach was able to encrypt 220,000 files in 270 seconds, a full 150 seconds faster than the self-proclaimed “fastest” ransomware LockBit 3.0.
This is achieved by combining the curve25519 and hc-128 algorithms and by encrypting only sections of each file rather than its entire contents, which makes the encryption far more efficient.
Researchers speculated that Rorschach is capable of even greater speeds through adjustments to its command line argument, cementing it as the new threat where encryption times are concerned.
Rorschach appears to contain the best code snippets from a range of other ransomware strains.
Both Check Point and Group-IB researchers noted that the code Rorschach uses to kill services is identical to that found in Babuk ransomware, while the classes it uses to rename encrypted machine files appear to have been lifted from LockBit 2.0.
Aside from its cryptographic sophistication, the strain operates in a standard pattern for ransomware. It disables certain services to avoid detection, kills the firewall, and deletes shadow volumes to prevent file recovery.
Ransom notes that researchers found on infected systems borrowed their structure from those found in attacks by Yanluowang, though the ransom note in a different variant of Rorschach identified by AhnLab was closer in structure to those used by the DarkSide group.
The notes demonstrated that the threat actors behind Rorschach have a strong command of English, setting them apart from other groups such as LockBit whose notes comprise broken English sentences.
The group does not use threats of double extortion in its notes, simply urging companies to pay or be attacked again.
Rorschach is tracked by Group-IB as ‘BabLock’, and in January 2023 was observed in attacks against industrial targets across Europe, Asia, and the Middle East.
Devices whose system language was Russian or another language dominant in post-Soviet territories were left unharmed by the ransomware.
“We believe that the group BabLock is not related to any particular RaaS affiliate programme and that it performs 'quiet' occasional attacks using proprietary ransomware,” stated Group-IB in a blog post.
Unusual features within Rorschach have made it difficult to detect and root out once identified.
It uses the ‘syscall’ instruction to call system APIs directly, dodging antivirus software. The strain is also partly autonomous: when executed on a Windows Domain Controller it was found to self-propagate by creating group policies that spread it to all connected workstations, much like LockBit 2.0.
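As an added example (not code from the article, Check Point or Group-IB), the following Python sketches how a defender might turn the behaviours described above into detection logic: stopping services, disabling the host firewall and deleting shadow copies on a workstation, and the creation of a new Group Policy object on a domain controller that precedes the GPO-based spreading. The record layout, host names, rule names and sample values are constructed assumptions; the command-line patterns are generic living-off-the-land commands rather than Rorschach-specific artefacts, and Windows Security event 5137 is the standard "directory service object was created" event.

```python
"""Added detection example (not from the article or from Check Point/Group-IB):
flags the precursor behaviours the article attributes to Rorschach. Record
layout and sample values are constructed assumptions."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    evidence: str


# Command-line patterns for the behaviours named in the article: deleting
# shadow copies, disabling the host firewall and stopping services. These are
# generic living-off-the-land commands, not Rorschach-specific artefacts.
PROCESS_RULES = [
    ("shadow_copy_deletion", "critical",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("firewall_disabled", "high",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("service_stop", "medium",
     re.compile(r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+", re.I)),
]

# Constructed sample telemetry: process-creation records from a workstation and
# directory-service object-creation records (Windows Security event 5137) from
# a domain controller. Host names, DNs and the GPO GUID are placeholders.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "host": "ws01",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"type": "process_create", "host": "ws01",
     "cmdline": 'net stop "Backup Service" /y'},
    {"type": "process_create", "host": "ws01",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"type": "ds_object_created", "host": "dc01", "event_id": 5137,
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local"},
    {"type": "ds_object_created", "host": "dc01", "event_id": 5137,
     "object_class": "user",
     "object_dn": "CN=bob,CN=Users,DC=example,DC=local"},
]


def detect(events):
    """Return one Finding per record that matches a rule, in input order."""
    findings = []
    for ev in events:
        if ev.get("type") == "process_create":
            cmd = ev.get("cmdline", "")
            for rule, severity, pattern in PROCESS_RULES:
                if pattern.search(cmd):
                    findings.append(Finding(rule, severity, ev["host"], cmd))
        elif ev.get("type") == "ds_object_created":
            # A new Group Policy object appears on the DC as a newly created
            # groupPolicyContainer; one created outside a change window is the
            # signal for the GPO-based spreading the article describes.
            if (ev.get("event_id") == 5137
                    and ev.get("object_class", "").lower() == "grouppolicycontainer"):
                findings.append(Finding("gpo_created", "high", ev["host"],
                                        ev.get("object_dn", "")))
    return findings


def assess(events):
    """Map each host with findings to a verdict. Shadow-copy deletion combined
    with any second precursor on the same host is escalated, because that
    pairing is the pattern of a locker preparing to run rather than admin work."""
    rules_by_host = {}
    for f in detect(events):
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    verdicts = {}
    for host, rules in rules_by_host.items():
        if "shadow_copy_deletion" in rules and len(rules) >= 2:
            verdicts[host] = "likely_ransomware_precursor_chain"
        elif "gpo_created" in rules:
            verdicts[host] = "review_new_gpo"
        else:
            verdicts[host] = "suspicious_single_event"
    return verdicts


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host}: {finding.rule} <- {finding.evidence}")
    print(assess(SAMPLE_EVENTS))
```

Two design points matter here. First, each pattern on its own is noisy (administrators legitimately run `net stop`), so `assess` only escalates when shadow-copy deletion coincides with a second precursor on the same host. Second, because the strain issues system calls directly rather than through the normal Windows API layer, user-mode API hooks may never see these actions; the process-creation and directory-service records this logic consumes should therefore come from kernel-sourced telemetry (Sysmon, ETW or an EDR's kernel callbacks) and from the domain controller's Security log, not from hooks inside the malware's own process.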
Initial analysis of Rorschach was hindered by the quality of the obfuscation that its developers used to shield its code, another indication of its creators’ skill.
Reverse-engineered samples revealed a hidden list of arguments that can be passed to Rorschach to control its actions, such as whether it self-deletes, which paths to delete, or whether the sample requires a password to operate.
Check Point noted that its list of arguments is not exhaustive, and that other arguments it found implied that Rorschach is capable of operating across networks.
The strain’s adaptability is what led Check Point to dub it ‘Rorschach’, with researchers having noted that “each person who examined the ransomware saw something a little bit different”.
Having operated for some months undetected, and without a clear self-identification, it is not clear whether Rorschach will expand its operations or seek to adopt double extortion methods.
At present, researchers have urged IT administrators to continue following best practices, and remain vigilant against this aggressive new strain.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.