Fast and unique: Rorschach ‘raises the bar’ for ransomware

6 Apr 2023

Image: © artistmef/

The ransomware appears to have taken the best features from other variants, along with anti-analysis and evasion techniques.

A new form of ransomware has been discovered that exhibits unique, customisable features, along with one of the fastest encryption speeds yet.

A new report by Check Point Research claims that this new ransomware – dubbed Rorschach – shares no overlaps or branding that can link it to any other ransomware strain. The report said Rorschach was recently deployed against a US-based company.

The analysis of this new ransomware suggests that it is partially autonomous, spreading itself automatically when executed on a domain controller.

Rorschach also appears to be “extremely flexible”, being capable of changing its behaviour to suit a hacker’s needs thanks to “numerous optional arguments”.

The threat actor who used the malware used no alias and showed no affiliation to known ransomware groups, which are rare occurrences according to Check Point.

The report suggests Rorschach has taken inspiration from other infamous ransomware variants, but also contains unique functionalities that are “rarely seen among ransomware”.

The team named the malware after the famous test because “each person who examined the ransomware saw something a little bit different”.

Fast and evasive

Among its many unique features, Check Point said Rorschach is one of the “fastest ransomware observed” based on its encryption speed.

The team tested the ransomware’s encryption speed with Lockbit, a notoriously fast encryptor. Rorschach’s average encryption speed was 270 seconds, while Lockbit’s was 420 seconds.

“What’s even more noteworthy is that the Rorschach ransomware is highly customisable,” the Check Point report said. “By adjusting the number of encryption threads via the command line argument, it can achieve even faster times.

The report suggests that this new malware has taken some of the best features from other ransomware variants and “integrated them all together”.

Rorschach also displays anti-analysis and evasion techniques to avoid detection, which also make it harder for software and researchers to analyse and mitigate its effects.

“In addition to Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks,” the report said. “The operators and developers of the Rorschach ransomware remain unknown.”

Cybercriminals are constantly finding new ways to improve their methods of attack. Last month, Check Point Research found that the AI model GPT-4 can help hackers streamline their cybercrime activities.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic