Bablock

Malware updated 7 months ago (2024-05-04T16:10:54.881Z)

Download STIX

Preview STIX

BabLock, also known as Rorschach, is a type of malware that operates as ransomware. First identified by Check Point Research in April 2023, this harmful software infiltrates computer systems and devices, often without the user's knowledge, with the aim to exploit, damage, and potentially hold data hostage for ransom. It has been observed to transfer over HTTP/S, either during initial infiltration or lateral movement within a network. BabLock has also been seen being emailed as a compressed attachment, another method for both infiltration and lateral movement. The malware has made significant impact globally, with notable incidents including an attack on Chilean telecommunications company GTD. The attack was initially misattributed to the Medusa ransomware, but later analysis by computer security company Eset confirmed it was indeed the work of BabLock. This incident highlighted the malware's ability to disrupt operations and cause significant harm. Moreover, further investigations from Chile's CSIRT revealed that BabLock exploits DLL side-loading flaws in security software such as BitDefender, Trend Micro, and Cortex XDR to facilitate the deployment of its injector. This technique allows the malware to write itself to disk at the host level, making it even more difficult to detect and remove. SafeBreach's coverage of the Rorschach ransomware provides detailed insights into these various tactics, further emphasizing the need for robust cybersecurity measures against this potent threat.

Description last updated: 2024-03-13T02:19:00.521Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Rorschach is a possible alias for Bablock. Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Payload

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Lockbit Malware is associated with Bablock. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	is related to	3
The Lockbit v3.0 Malware is associated with Bablock. LockBit v3.0 is a malicious software variant, known for its capability to encrypt up to 25,000 files per minute. This potent ransomware was first encountered almost a year ago, and despite not being the fastest of its kind, it poses a significant threat due to the average time required to detect and	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The DarkSide Threat Actor is associated with Bablock. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across	Unspecified	2

Source Document References

Information about the Bablock Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	8 months ago	LatAm firms ramping up cybersecurity investments as they come into criminals' crosshairs \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
Securityaffairs	10 months ago	Decryptor for Tortilla variant of Babuk ransomware released
CERT-EU	a year ago	Rorschach ransomware attack disrupts major Chilean telecom provider
CERT-EU	a year ago	Chilean telecom giant GTD hit by the Rorschach ransomware gang
CERT-EU	a year ago	Akira Ransomware, 8Base Ransomware, and more: Hacker’s Playbook Threat Coverage Round-up: August 22, 2023
Securityaffairs	2 years ago	Leaked source code of Babuk ransomware used by 10 different ransomware families targeting VMware ESXi
CERT-EU	2 years ago	Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware
Trend Micro	2 years ago	An Analysis of the BabLock Ransomware
CERT-EU	2 years ago	An Analysis of the BabLock Ransomware