Unraveling Rorschach

Checkpoint recently shared a write-up on some newly-discovered ransomware dubbed “Rorschach”. The write-up was pretty interesting and had a good bit of content to unravel, so I thought I’d share the thoughts that developed while I read and re-read the article.

From the article, the first things that jumped out at me were:

Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) encountered a previously unnamed ransomware strain…

…and…

While responding to a ransomware case…

So, I’m reading this, and at this point, I’m anticipating some content around things like initial access, as well as threat actor “actions on objectives”, as they recon and prepare the environment for the ransomware deployment.
However, there isn’t a great deal stated in the article about how the ransomware got on the system, nor about how the threat actor gained access to the infrastructure. The article almost immediately dives into the malware execution flow, with no mention of how the system was compromised. We’ve seen this before; about three years ago, one IR consulting firm posted a 25-page write-up (which is no longer available) on Sodinokibi ransomware. The write-up started off by saying that during the first half of the year, the firm had responded to 41 Sodinokibi ransomware cases, and then dove into reverse engineering and analysis of one sample, without ever mentioning how the malware got on the system. As you read through Checkpoint’s write-up, one of the things they point o

[…]

This article has been indexed from Windows Incident Response
