{
	"id": "37cabd68-a29c-4e5a-9020-9f8468a21fe4",
	"created_at": "2026-04-06T01:31:15.464005Z",
	"updated_at": "2026-04-10T03:21:57.688411Z",
	"deleted_at": null,
	"sha1_hash": "2b0f4073ae85704de7356fafd8de920dbc4eb58a",
	"title": "Rorschach – A New Sophisticated and Fast Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 123811,
	"plain_text": "Rorschach – A New Sophisticated and Fast Ransomware\r\nBy etal\r\nPublished: 2023-04-03 · Archived: 2026-04-06 01:19:31 UTC\r\nResearch by: Jiri Vinopal, Dennis Yarizadeh and Gil Gekker\r\nKey Findings:\r\nCheck Point Research (CPR) and Check Point Incident Response Team (CPIRT) encountered a previously\r\nunnamed ransomware strain, which we dubbed Rorschach, deployed against a US-based company.\r\nRorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known\r\nransomware strain. In addition, it does not bear any kind of branding, which is a common practice among\r\nransomware groups.\r\nThe ransomware is partly autonomous, carrying out tasks that are usually manually performed during\r\nenterprise-wide ransomware deployment, such as creating a domain group policy (GPO). In the past,\r\nsimilar functionality was linked to LockBit 2.0.\r\nThe ransomware is highly customizable and contains technically unique features, such as the use of direct\r\nsyscalls, rarely observed in ransomware. Moreover, due to different implementation methods, Rorschach\r\nis one of the fastest ransomware observed, by the speed of encryption.\r\nThe ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed\r\ncommercial security product, a loading method which is not commonly used to load ransomware. The\r\nvulnerability was properly reported to Palo Alto Networks.\r\nIntroduction\r\nWhile responding to a ransomware case against a US-based company, the CPIRT recently came across a unique\r\nransomware strain deployed using a signed component of a commercial security product. Unlike other\r\nransomware cases, the threat actor did not hide behind any alias and appears to have no affiliation to any of the\r\nknown ransomware groups. 
Those two facts, rarities in the ransomware ecosystem, piqued CPR’s interest and\r\nprompted us to thoroughly analyze the newly discovered malware.\r\nThroughout its analysis, the new ransomware exhibited unique features. A behavioral analysis of the new\r\nransomware suggests it is partly autonomous, spreading itself automatically when executed on a Domain\r\nController (DC), while it clears the event logs of the affected machines. In addition, it’s extremely flexible,\r\noperating not only based on a built-in configuration but also on numerous optional arguments which allow it to\r\nchange its behavior according to the operator’s needs. While it seems to have taken inspiration from some of the\r\nmost infamous ransomware families, it also contains unique functionalities, rarely seen among ransomware, such\r\nas the use of direct syscalls.\r\nThe ransomware note sent out to the victim was formatted similarly to Yanluowang ransomware notes, although\r\nother variants dropped a note that more closely resembled DarkSide ransomware notes (causing some to\r\nhttps://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/\r\nPage 1 of 22\n\nmistakenly refer to it as DarkSide). Each person who examined the ransomware saw something a little bit\r\ndifferent, prompting us to name it after the famous psychological test – Rorschach Ransomware.\r\nExecution Flow\r\nAs observed in the wild, Rorschach execution uses these three files:\r\ncy.exe – Cortex XDR Dump Service Tool version 7.3.0.16740, abused to side-load winutils.dll\r\nwinutils.dll – Packed Rorschach loader and injector, used to decrypt and inject the ransomware.\r\nconfig.ini – Encrypted Rorschach ransomware which contains all the logic and configuration.\r\nUpon execution of cy.exe, due to DLL side-loading, the loader/injector winutils.dll is loaded into memory\r\nand runs in the context of cy.exe. 
The main Rorschach payload config.ini is subsequently loaded into\r\nmemory as well, decrypted and injected into notepad.exe, where the ransomware logic begins.\r\nFigure 1 – Rorschach’s High Level Execution Flow on both endpoints and on Domain Controllers.\r\nSecurity Solution Evasion\r\nRorschach spawns processes in an uncommon way, running them in SUSPEND mode and giving out falsified\r\narguments to harden analysis and remediation efforts. The falsified argument, which consists of the digit 1\r\nrepeated to the length of the real argument, is then rewritten in memory and replaced with the real argument,\r\nresulting in a unique execution:\r\nFigure 2 – Rorschach’s process tree spawns processes with falsified arguments.\r\nThe ransomware uses this technique to run the following operations:\r\nAttempt to stop a predefined list of services, using net.exe stop.\r\nDelete shadow volumes and backups to harden recovery, using legitimate Windows tools such as\r\nvssadmin.exe, bcdedit.exe, wmic.exe, and wbadmin.exe.\r\nRun wevtutil.exe to clear the following Windows event logs: Application, Security, System and Windows\r\nPowerShell.\r\nDisable the Windows firewall, using netsh.exe.\r\nSelf-propagation\r\nWhen executed on a Windows Domain Controller (DC), the ransomware automatically creates a Group Policy,\r\nspreading itself to other machines within the domain. Similar functionality was linked in the past to LockBit 2.0,\r\nalthough the Rorschach Ransomware GPO deployment is carried out differently, as described below:\r\n1. Rorschach copies its files into the scripts folder of the DC, and deletes them from the original location.\r\n2. Rorschach then creates a group policy (see Appendix C) that copies itself into the %Public% folder of all\r\nworkstations in the domain.\r\n3. 
The ransomware creates another group policy in an attempt to kill a predefined list of processes. This\r\nis done by creating a scheduled task invoking taskkill.exe.\r\n4. Finally, Rorschach creates another group policy that registers a scheduled task which runs immediately and\r\nupon user logon, to run Rorschach’s main executable with the relevant arguments.\r\nOur colleagues in AhnLab published a more thorough behavioral analysis of another Rorschach variant which\r\nprovides further details into the operations.\r\nRansomware Analysis\r\nIn addition to the ransomware’s uncommon behavior described above, the Rorschach binary itself contains\r\nadditional interesting features, differentiating it further from other ransomware.\r\nBinary and Anti-Analysis Protection\r\nThe actual sample is protected carefully, and requires quite a lot of work to access. First, the initial loader/injector\r\nwinutils.dll is protected with UPX-style packing. However, this is modified in such a way that it isn’t readily\r\nunpacked using standard solutions and requires manual unpacking. After unpacking, the sample loads and\r\ndecrypts config.ini, which contains the ransomware logic.\r\nAfter Rorschach is injected into notepad.exe, it’s still protected by VMProtect. This results in a crucial portion\r\nof the code being virtualized, in addition to the binary lacking an import address table (IAT). Only after defeating\r\nboth of these safeguards is it possible to properly analyze the ransomware logic.\r\nSecurity Solution Evasion\r\nAlthough Rorschach is used solely for encrypting an environment, it incorporates an unusual technique to evade\r\ndefense mechanisms. It makes direct system calls using the “syscall” instruction. 
While previously observed in\r\nother strains of malware, it’s quite startling to see this in ransomware.\r\nThe procedure involves utilizing the instruction itself, and it goes as follows:\r\n1. The ransomware finds the relevant syscall numbers for NT APIs, mainly related to file manipulation.\r\n2. Rorschach then stores the numbers in a table for future use.\r\n3. When needed, it calls a stub routine that uses the number directly with the syscall instruction instead of\r\nusing the NT API.\r\nIn other words, the malware first creates a syscall table for NT APIs used for file encryption:\r\nFigure 3 – Creation of syscall table for certain NT APIs.\r\nThe end of the table is a section with the relevant syscall numbers:\r\nFigure 4 – Section containing the syscall table.\r\nThe example below shows how the syscall numbers are used:\r\nFigure 5 – Example use of direct syscall.\r\nThis obfuscated process is not required for the ransomware encryption logic, which suggests it was developed to\r\nbypass security solutions monitoring direct API calls.\r\nCommand Line Arguments\r\nIn addition to the hardcoded configuration, the ransomware comes with multiple built-in options, probably for the\r\noperators’ comfort. All of them are hidden, obfuscated, and not accessible without reverse-engineering the\r\nransomware. 
This table contains some of the arguments that we discovered:\r\nArgument | Example Parameter | Description\r\n--run | =1234 | Password needed to run the sample, possibly built on demand.\r\n--nomutex | =1 | Do not create a mutex, and therefore do not ensure that only a single instance is running.\r\n--log | =1 | Create log files.\r\n--nodel | =0 | Do not self-delete on execution.\r\n--path | =“C:” | Encrypt only the following path.\r\n--noshare | =1 | Do not encrypt shares.\r\n--pt | =“C:.dll” | Explicitly state the loader DLL.\r\n--cg | =“C:.ini” | Explicitly state the configuration file that stores the malware.\r\n--we | =“C:.exe” | Explicitly state the main executable.\r\n--diskpart | =1 | Run diskpart.exe /s AppData_x.txt, which removes read-only volume attributes.\r\n--nobk | =1 | Do not change the wallpaper of the infected machine.\r\n--thread | =4 | Number of threads per CPU.\r\n--at | =2023/03/24 05:04:20 | Activation time (trigger time).\r\n--nomail | =1 | Do not create a ransom note.\r\nThis is only a partial list, with additional arguments suggesting networking capabilities, such as listen, srv\r\nand hostfile.\r\nExample of how some of these arguments are used:\r\ncy.exe --run=1234 --nomutex=0 --log=1 --nodel=1 --path=\"C:\\Myfolder\" --full=1 --diskpart=1 --nobk=0\r\nLanguage Based Protection\r\nBefore encrypting the target system, the sample runs two system checks that can halt its execution:\r\nIt uses GetSystemDefaultUILanguage and GetUserDefaultUILanguage to determine what language the\r\nuser is using.\r\nIt exits if the returned language identifier is one commonly used in CIS countries:\r\n{\r\n0x042b: \"Armenian_Armenia\",\r\n0x042c: \"Azeri_Latin\",\r\n0x043f: \"Kazakh\",\r\n0x082c: \"Azeri_Cyrillic\",\r\n0x419: \"Russian\",\r\n0x422: \"Ukrainian\",\r\n0x423: \"Belarusian\",\r\n0x428: \"Tajik\",\r\n0x437: \"Georgian\",\r\n0x440: \"Kyrgyz_Cyrillic\",\r\n0x442: \"Turkmen\",\r\n0x443: \"Uzbek_Latin\",\r\n0x819: \"Russian_Moldava\",\r\n0x843: \"Uzbek_Cyrillic\"\r\n}\r\nEncryption Process\r\nThe Rorschach ransomware employs a highly effective and fast hybrid-cryptography scheme, which blends the\r\ncurve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes. This process only encrypts a\r\nspecific portion of the original file content instead of the entire file. The WinAPI CryptGenRandom is utilized to\r\ngenerate cryptographically random bytes used as a per-victim private key. The shared secret is calculated through\r\ncurve25519, using both the generated private key and a hardcoded public key. 
Finally, the computed SHA512\r\nhash of the shared secret is used to construct the KEY and IV for the eSTREAM cipher hc-128.\r\nFigure 6 – The Rorschach hybrid-cryptography scheme.\r\nAnalysis of Rorschach’s encryption routine suggests not only the fast encryption scheme mentioned previously\r\nbut also a highly effective implementation of thread scheduling via I/O completion ports. In addition, it appears\r\nthat compiler optimization is prioritized for speed, with much of the code being inlined. All of these factors make\r\nus believe that we may be dealing with one of the fastest ransomware out there.\r\nTo verify our hypothesis, we conducted five separate encryption speed tests in a controlled environment (with 6\r\nCPUs, 8192MB RAM, SSD, and 220000 files to be encrypted), limited to local drive encryption only. To provide\r\na meaningful comparison with other known fast ransomware, we compared Rorschach with the notorious LockBit\r\nv.3.\r\nThe result of the speed tests:\r\nRansomware | Average approximate time of encryption\r\nLockBit v.3 | 7 minutes\r\nRorschach | 4 minutes, 30 seconds\r\nIt turned out that we have a new speed demon in town. What’s even more noteworthy is that the Rorschach\r\nransomware is highly customizable. By adjusting the number of encryption threads via the command line\r\nargument --thread, it can achieve even faster times.\r\nTechnical Similarity to Other Ransomware\r\nWhen we compared Rorschach to other well-known ransomware families, we noticed that Rorschach uses a\r\nvariety of time-honored methods together with some novel ideas in the ransomware industry. 
The name itself,\r\n“Rorschach”, is quite self-explanatory; with deep reverse engineering of the code and its logic, we found certain\r\nsimilarities with some of the more technically advanced and established ransomware groups.\r\nWe discussed Rorschach’s hybrid-cryptography scheme in detail above, but we suspect that this routine was\r\nborrowed from the leaked source code of Babuk ransomware. See the following code snippets as examples:\r\nFigure 7 – Hybrid-cryptography scheme of Rorschach vs. Babuk.\r\nRorschach’s inspiration from Babuk is evident in various routines, including those responsible for stopping\r\nprocesses and services. In fact, the code used to stop services through the service control manager appears to have\r\nbeen directly copied from Babuk’s source code:\r\nFigure 8 – Stopping predefined list of services – Rorschach vs. Babuk.\r\nIt is also worth noting that the list of services to be stopped in Rorschach’s configuration is identical to that in the\r\nleaked Babuk source code. However, the list of processes to be stopped differs slightly, as Rorschach omits\r\nnotepad.exe, which is used as a target for code injection.\r\nRorschach takes inspiration from another ransomware strain: LockBit. First, the list of languages used to halt the\r\nmalware is exactly the same list that was used in LockBit v2.0 (although the list is commonly used by many\r\nRussian speaking groups, and not just LockBit). Second, the I/O Completion Ports method of thread scheduling\r\nis another component where Rorschach took some inspiration from LockBit. 
The final renaming of the encrypted\r\nmachine files in Rorschach is implemented via NtSetInformationFile using FileInformationClass\r\nFileRenameInformation, just like in LockBit v2.0.\r\nFigure 9 – Renaming of encrypted file using NtSetInformationFile.\r\nAs noted before, Rorschach’s code is protected and obfuscated in a way that is unusual for ransomware, and is\r\ncompiled with compiler optimization to favor speed and code inlining as much as possible. This makes finding\r\nsimilarities with other well-known ransomware families a real brain-buster. But we can still say that Rorschach\r\ntook the best from the ransomware families with the highest reputation, and then added some unique features of its\r\nown.\r\nRansom Notes\r\nAs we noted, Rorschach does not exhibit any clear-cut overlaps with any of the known ransomware groups but\r\ndoes appear to draw inspiration from some of them.\r\nWe mentioned previously that AhnLab reported a similar attack earlier this year. While it was carried out through\r\ndifferent means, the ransomware described in the report triggers an almost identical execution flow. However, the\r\nresulting ransom note was completely different. The note was actually very similar to those issued by DarkSide,\r\nwhich probably led to this new ransomware being named “DarkSide,” despite the group being inactive since May\r\n2021.\r\nThe Rorschach variant we analyzed leaves a different ransom note based on the structure used by Yanluowang,\r\nanother ransomware group:\r\nFigure 10 – Ransom note from Rorschach.\r\nConclusion\r\nOur analysis of Rorschach reveals the emergence of a new ransomware strain in the crimeware landscape. Its\r\ndevelopers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more\r\ndifficult for security software and researchers to analyze and mitigate its effects. 
Additionally, Rorschach appears\r\nto have taken some of the ‘best’ features from some of the leading ransomware families leaked online, and integrated\r\nthem all together. Together with Rorschach’s self-propagating capabilities, this raises the bar for ransom attacks.\r\nThe operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is\r\nrelatively rare in ransomware operations.\r\nOur findings underscore the importance of maintaining strong cybersecurity measures to prevent ransomware\r\nattacks, as well as the need for continuous monitoring and analysis of new ransomware samples to stay ahead of\r\nevolving threats. As these attacks continue to grow in frequency and sophistication, it is essential for organizations\r\nto remain vigilant and proactive in their efforts to safeguard against these threats.\r\nHarmony Endpoint provides runtime protection against ransomware with instant automated remediation, even in\r\noffline mode.\r\nWhen running on a machine infected with the Rorschach ransomware, Harmony Endpoint Anti-ransomware\r\ndetected the encryption process in different folders, including modifications made to Harmony Endpoint\r\n‘honeypot’ files. It ran a ranking algorithm that provided a verdict identifying the process as ransomware.\r\nSamples/IOCs\r\nFiles\r\nName | Hash | Comments\r\ncy.exe | 2237ec542cdcd3eb656e86e43b461cd1 | PA Cortex Dump Service Tool (benign file)\r\nwinutils.dll | 4a03423c77fe2c8d979caca58a64ad6c | Loader and injector into notepad.exe\r\nconfig.ini | 6bd96d06cd7c4b084fe9346e55a81cf9 | Encrypted ransomware payload\r\nAppendix A – Services and processes terminated through GPO by Rorschach\r\nThe following services are stopped through a GPO issued by Rorschach, probably to prevent conflicting writes\r\nto database files (which would otherwise prevent encryption):\r\nSQLPBDMS\r\nSQLPBENGINE\r\nMSSQLFDLauncher\r\nSQLSERVERAGENT\r\nMSSQLServerOLAPService\r\nSSASTELEMETRY\r\nSQLBrowser\r\nSQL Server Distributed Replay Client\r\nSQL Server Distributed Replay Controller\r\nMsDtsServer150\r\nSSISTELEMETRY150\r\nSSISScaleOutMaster150\r\nSSISScaleOutWorker150\r\nMSSQLLaunchpad\r\nSQLWriter\r\nSQLTELEMETRY\r\nMSSQLSERVER\r\nThe following processes are killed using a group policy (scheduled task) issued by Rorschach executing\r\nC:\\windows\\system32\\taskkill.exe. 
Some are likely terminated to prevent write conflicts, and some are\r\nsecurity solutions:\r\nwxServer.exe\r\nwxServerView.exe\r\nsqlmangr.exe\r\nRAgui.exe\r\nsupervise.exe\r\nCulture.exe\r\nDefwatch.exe\r\nhttpd.exe\r\nsync-taskbar\r\nsync-worker\r\nwsa_service.exe\r\nsynctime.exe\r\nvxmon.exe\r\nsqlbrowser.exe\r\ntomcat6.exe\r\nSqlservr.exe\r\nAppendix B – Hardcoded Rorschach configuration\r\nThe following is a list of services, hardcoded in its configuration, to be stopped via the service control manager:\r\nAcronisAgent\r\nAcrSch2Svc\r\nbackup\r\nBackupExecAgentAccelerator\r\nBackupExecAgentBrowser\r\nBackupExecDiveciMediaService\r\nBackupExecJobEngine\r\nBackupExecManagementService\r\nBackupExecRPCService\r\nBackupExecVSSProvider\r\nCAARCUpdateSvc\r\nCASAD2DWebSvc\r\nccEvtMgr\r\nccSetMgr\r\nDefWatch\r\nGxBlr\r\nGxCIMgr\r\nGxCVD\r\nGxFWD\r\nGxVss\r\nIntuit.QuickBooks.FCS\r\nmemtas\r\nmepocs\r\nPDVFSService\r\nQBCFMonitorService\r\nQBFCService\r\nQBIDPService\r\nRTVscan\r\nSavRoam\r\nsophos\r\nsql\r\nstc_raw_agent\r\nsvc$\r\nveeam\r\nVeeamDeploymentService\r\nVeeamNFSSvc\r\nVeeamTransportSvc\r\nVSNAPVSS\r\nvss\r\nYooBackup\r\nYooIT\r\nzhudongfangyu\r\nThe following is a hardcoded list of directories and files to be omitted from encryption:\r\n.\r\n..\r\n#recycle\r\n$Recycle.Bin\r\n1_config.ini\r\nAhnlab\r\nAll Users\r\nAppData\r\nAUTOEXEC.BAT\r\nautoexec.bat\r\nautorun.inf\r\nbegin.txt\r\nBoot\r\nboot.ini\r\nbootfont.bin\r\nbootmgfw.efi\r\nbootmgr\r\nbootmgr.efi\r\nbootsect.bak\r\nconfig.ini\r\ndesktop.ini\r\nfinish.txt\r\nGoogle\r\niconcache.db\r\nInternet Explorer\r\nMozilla\r\nMozilla 
Firefox\r\nNETLOGON\r\nntldr\r\nntuser.dat\r\nNTUSER.DAT\r\nntuser.dat.log\r\nntuser.dat.LOG1\r\nntuser.dat.LOG2\r\nntuser.ini\r\nOpera\r\nOpera Software\r\nPolicies\r\nProgram Files\r\nProgram Files (x86)\r\nProgramData\r\nscripts\r\nSYSVOL\r\nthumbs.db\r\nTor Browser\r\nWindows\r\nWINDOWS\r\nWindows.old\r\nThe following is a list of process names. During Rorschach’s execution, these names are compared to the processes\r\nrunning on the machine, and matching processes are killed. This is done through a combination of\r\nCreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, and TerminateProcess.\r\nThere is some overlap and redundancy with the list of services killed via the service control manager.\r\nAcronisAgent\r\nAcrSch2Svc\r\nagntsvc.exe\r\nBackExecRPCService\r\nbackup\r\nBackupExecAgentAccelerator\r\nBackupExecDiveciMediaService\r\nBackupExecJobEngine\r\nbedbg\r\nCAARCUpdateSvc\r\nccEvtMgr\r\nCulserver\r\ndbeng50.exe\r\ndbeng8\r\ndbsnmp.exe\r\ndbsrv12.exe\r\nDefWatch\r\nencsvc.exe\r\nexcel.exe\r\nfirefox.exe\r\ninfopath.exe\r\nIntuit.QuickBooks.FCS\r\nisqlplussvc.exe\r\nmemtas\r\nmepocs\r\nmsaccess.exe\r\nMSExchange\r\nmsftesql-Exchange\r\nmsmdsrv\r\nmspub.exe\r\nMSSQL\r\nmydesktopqos.exe\r\nmydesktopservice.exe\r\nocautoupds.exe\r\nocomm.exe\r\nocssd.exe\r\nonenote.exe\r\noracle.exe\r\noutlook.exe\r\nPDVFSService\r\npowerpnt.exe\r\nQBCFMonitorService\r\nQBFCService\r\nQBIDPService\r\nSavRoam\r\nsophos\r\nsqbcoreservice.exe\r\nsql.exe\r\nsqladhlp\r\nSQLADHLP\r\nsqlagent\r\nSQLAgent\r\nSQLAgent$SHAREPOINT\r\nSQLBrowser\r\nSQLWriter\r\nsteam.exe\r\nsynctime.exe\r\ntbirdconfig.exe\r\nthebat.exe\r\nthunderbird.exe\r\ntomcat6\r\nveeam\r\nVeeamDeploymentService\r\nVeeamNFSSvc\r\nVeeamTransportSvc\r\nvisio.exe\r\nvmware-converter\r\nvmware-usbarbitator64\r\nWinSAT.exe\r\nwinword.exe\r\nwordpad.exe\r\nwrapper.exe\r\nWSBExchange\r\nxfssvccon.exe\r\nYooBackup\r\nAppendix C – Group Policies executed by Rorschach\r\nTransferring its own files to each workstation:\r\n\u003c/File\u003e\r\n\u003c/Files\u003e\r\nExecuting a scheduled task to run the attack:\r\n\u003cTaskV2 clsid=\"{D8896631-B747-47a7-84A6-C155337F3BC8}\" name=\"2_0305_cy.exe\" image=\"2\"\r\nchanged=\"**REDACTED**\" uid=\"{3772E17D-6354-4DF1-A73B-8868AC352B23}\"\u003e\r\n\u003cProperties action=\"U\" name=\"2_0305_cy.exe\" runAs=\"%LogonDomain%\\%LogonUser%\"\r\nlogonType=\"InteractiveToken\"\u003e\r\n\u003cTask version=\"1.2\"\u003e\r\n\u003cRegistrationInfo\u003e\r\n\u003cAuthor\u003e**REDACTED**\\Administrador\u003c/Author\u003e\r\n\u003cDescription\u003e\u003c/Description\u003e\r\n\u003c/RegistrationInfo\u003e\r\n\u003cPrincipals\u003e\r\n\u003cPrincipal id=\"Author\"\u003e\r\n\u003cUserId\u003e%LogonDomain%\\%LogonUser%\u003c/UserId\u003e\r\n\u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n\u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\r\n\u003c/Principal\u003e\r\n\u003c/Principals\u003e\r\n\u003cSettings\u003e\r\n\u003cIdleSettings\u003e\r\n\u003cDuration\u003ePT10M\u003c/Duration\u003e\r\n\u003cWaitTimeout\u003ePT1H\u003c/WaitTimeout\u003e\r\n\u003cStopOnIdleEnd\u003efalse\u003c/StopOnIdleEnd\u003e\r\n\u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n\u003c/IdleSettings\u003e\r\n\u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n\u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n\u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n\u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\r\n\u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n\u003cHidden\u003efalse\u003c/Hidden\u003e\r\n\u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\r\n\u003cPriority\u003e7\u003c/Priority\u003e\r\n\u003c/Settings\u003e\r\n\u003cTriggers\u003e\r\n\u003cRegistrationTrigger\u003e\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n\u003c/RegistrationTrigger\u003e\r\n\u003cLogonTrigger\u003e\r\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n\u003c/LogonTrigger\u003e\r\n\u003c/Triggers\u003e\r\n\u003cActions Context=\"Author\"\u003e\r\n\u003cExec\u003e\r\n\u003cCommand\u003e%Public%\\cy.exe\u003c/Command\u003e\r\n\u003cArguments\u003e--run=**REDACTED**\u003c/Arguments\u003e\r\n\u003c/Exec\u003e\r\n\u003c/Actions\u003e\r\n\u003c/Task\u003e\r\n\u003c/Properties\u003e\r\n\u003c/TaskV2\u003e\r\nSource: https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/"
	],
	"report_names": [
		"rorschach-a-new-sophisticated-and-fast-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439075,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b0f4073ae85704de7356fafd8de920dbc4eb58a.pdf",
		"text": "https://archive.orkl.eu/2b0f4073ae85704de7356fafd8de920dbc4eb58a.txt",
		"img": "https://archive.orkl.eu/2b0f4073ae85704de7356fafd8de920dbc4eb58a.jpg"
	}
}