7 Apr. (Portaltic/EP) –
Researchers have identified a piece of ‘malware’ called Rorschach that offers a high degree of customization and stands out as one of the fastest ransomware strains in terms of encryption speed.
The Incident Response Team of the cybersecurity company Check Point (CPIRT) found this malicious software while responding to a ransomware case at a US-based company.
In their research, the professionals found a unique ransomware strain capable of being deployed using a signed component of Palo Alto Networks’ Cortex XDR. According to Check Point, this method is “not commonly used to load ‘ransomware’, therefore it reveals a new approach taken by cybercriminals to evade detection”, as explained in a press release.
Unlike other ransomware cases, the threat author does not hide behind an alias and does not appear to be affiliated with any of the known ransomware groups. Its behavior also suggests that it is partially autonomous: it propagates automatically when run on a Domain Controller (DC) and clears the event logs of the affected machines.
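The log clearing mentioned above is something defenders can watch for: Windows records the clearing of the Security log as Event ID 1102 and of the System log as Event ID 104, and a strain that spreads from a Domain Controller and wipes logs on each machine it reaches produces a burst of such events across several hosts in a short time. The following script is an added example written for this article, not code from Check Point or from the ransomware analysis; the event records, host names, field names (`time`, `host`, `event_id`, `user`) and the set of Domain Controller names are all constructed for illustration and would be replaced by whatever a SIEM actually forwards.

```python
"""Flag bursts of Windows event-log clearing across multiple hosts.

Added example. Event IDs 1102 (Security log cleared) and 104 (System log
cleared) are the standard Windows identifiers; everything else below is
constructed sample data with assumed field names.
"""
from datetime import datetime, timedelta

# Standard Windows event IDs emitted when an event log is cleared.
LOG_CLEARED_EVENT_IDS = {1102, 104}

# Constructed sample records (not real telemetry), timestamps in UTC.
# The first cluster mimics automated propagation from a DC; the last
# record is an isolated clear that should not raise an alert on its own.
SAMPLE_EVENTS = [
    {"time": "2023-04-01T02:00:05", "host": "WS-01", "event_id": 4624, "user": "alice"},
    {"time": "2023-04-01T02:03:10", "host": "DC-01", "event_id": 1102, "user": "SYSTEM"},
    {"time": "2023-04-01T02:03:41", "host": "WS-02", "event_id": 1102, "user": "SYSTEM"},
    {"time": "2023-04-01T02:04:02", "host": "WS-03", "event_id": 104,  "user": "SYSTEM"},
    {"time": "2023-04-01T02:04:30", "host": "WS-04", "event_id": 1102, "user": "SYSTEM"},
    {"time": "2023-04-01T09:15:00", "host": "WS-09", "event_id": 1102, "user": "admin"},
]

# Assumed inventory of Domain Controllers (constructed for the example).
DOMAIN_CONTROLLERS = {"DC-01"}


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def log_clear_events(events):
    """Return only log-clearing events, ordered by time."""
    cleared = [e for e in events if e["event_id"] in LOG_CLEARED_EVENT_IDS]
    return sorted(cleared, key=lambda e: parse_time(e["time"]))


def find_clearing_bursts(events, max_gap=timedelta(minutes=10), min_hosts=3,
                         domain_controllers=DOMAIN_CONTROLLERS):
    """Group log-clearing events into clusters separated by at most max_gap.

    A cluster that touches at least min_hosts distinct hosts is reported as
    an alert; the alert also notes whether a Domain Controller is involved,
    since a DC clearing its logs alongside workstations is a stronger signal
    than a single planned clear by an administrator.
    """
    clusters = []
    for event in log_clear_events(events):
        current_time = parse_time(event["time"])
        if clusters and current_time - parse_time(clusters[-1][-1]["time"]) <= max_gap:
            clusters[-1].append(event)
        else:
            clusters.append([event])

    alerts = []
    for cluster in clusters:
        hosts = sorted({e["host"] for e in cluster})
        if len(hosts) >= min_hosts:
            alerts.append({
                "start": cluster[0]["time"],
                "end": cluster[-1]["time"],
                "hosts": hosts,
                "dc_involved": any(h in domain_controllers for h in hosts),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_clearing_bursts(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (ten minutes, three hosts) are starting points, not tuned values; the point of the clustering is that an isolated log clear by an administrator stays below the bar while a chain of clears spreading out from a DC does not.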
The researchers also state that this ‘malware’ is “extremely flexible”, since it operates on a built-in configuration that allows it to change its behavior according to the needs of the operator.
They have also pointed out that although it appears to have been inspired by some of the best-known ‘ransomware’ families, it contains unique features, such as the use of direct syscalls, that is, calls made directly to the system kernel.