Data Exfiltration Attacks with Some Ransomware in the Mix


April 12, 2023


Early analysis of the recently discovered Rorschach ransomware strain indicates it may be the fastest ransomware strain - taking the title from LockBit 3.0 - with an encryption speed almost twice as fast.

While the Rorschach ransomware's super-fast encryption speed is concerning and obviously garnering lots of attention, it's not the most interesting feature found in the analysis. Faster encryption means that once the ransomware payload is delivered and the operation is exposed, responders have less time to intervene. RaaS providers tout their encryption speed to attract affiliate attackers, and it definitely makes this ransomware strain one to watch.

But what stands out as particularly unique and potentially more concerning about this strain of ransomware is that Rorschach displays advanced security evasion capabilities to make payload delivery undetectable.  

This first iteration of Rorschach is pretty advanced, displaying autonomous propagation capabilities when executed on a Windows Domain Controller (DC). It is also interesting to see DLL side-loading abusing the Cortex XDR Dump Service Tool in some of the early attacks because this is a legitimate, digitally signed security product.

This technique leverages vulnerable software to load malicious DLLs that provide persistence and evasion capabilities. DLL side-loading is not a new technique, but it is somewhat rare - especially in ransomware attacks. The technique was used by REvil in the infamous 2021 Kaseya attack, where they targeted the managed service provider to deliver a ransomware payload to its customers by way of a supply chain attack.

As we saw in the case of Kaseya, downstream victims were compromised by a legitimate software update from a known vendor that was signed with a valid digital certificate. This is an extremely difficult attack technique to defend against.  

SOC analysts can look for unsigned DLLs loaded by signed executables, for suspicious loading paths, and for timestamps that show gaps between the executable's compilation time and the DLL's. Loading paths for legitimate executables generally include clear references to a product name, whereas a malicious DLL may have a generic path name, so analysts can look for these clues as well.

Every executable has a timestamp for when it was compiled. If that timestamp is significantly different from that of the loaded DLLs, this could indicate a malicious payload. Attackers can make detection even more difficult by using timestomping techniques to modify the timestamps.

Rorschach just recently emerged, and the first analysis appears to have come from an incident response at an unnamed US company. So far there have not been any reports of a major attack against a large organization. This is possibly due to several factors, the first being that like any software release, the developers are evaluating its performance and fixing any issues, so they may go after smaller targets first for testing purposes.  

Also, today's more complex ransomware operations are multi-staged attacks, where the threat actors are looking to infiltrate as much of the targeted network as possible, exfiltrating sensitive data along the way. They threaten to expose the stolen data to put more pressure on the victim to pay the ransom demand and receive the decryption key to restore their systems. In some cases the attackers will demand a second payment for the stolen data on top of the initial ransom.

There is a lot of focus on the delivery of the ransomware payload, but this occurs at the end of the attack sequence, by which point the damage has already been done to the targeted organization.

“Since these are longer, multistage operations, it is likely that there are some Rorschach attacks underway that have not been detected yet,” Jon Miller, CEO and co-founder of Halcyon, told Cybersecurity Dive. “And most targets only discover they have been hit when the attackers deploy the ransomware payload and reveal themselves via the ransom note.”

The defense focus here needs to shift left to prevent the attackers from exfiltrating data. We should really look at these attacks as data exfiltration events with some ransomware in the mix, as opposed to ransomware attacks with some data exfiltration.  

With an eye on resilience in developing a security posture, organizations can limit the impact of a ransomware payload on operations, but once their data is compromised the attack becomes much more difficult to mitigate, as there is no guarantee the attacker will not exploit the data even if they receive payment.

Halcyon is the industry's first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware - talk to a Halcyon expert today to find out more.