Bablock

Malware updated 6 months ago (2024-05-04T16:10:54.881Z)
Download STIX
Preview STIX
BabLock, also known as Rorschach, is a type of malware that operates as ransomware. First identified by Check Point Research in April 2023, this harmful software infiltrates computer systems and devices, often without the user's knowledge, with the aim to exploit, damage, and potentially hold data hostage for ransom. It has been observed to transfer over HTTP/S, either during initial infiltration or lateral movement within a network. BabLock has also been seen being emailed as a compressed attachment, another method for both infiltration and lateral movement. The malware has made significant impact globally, with notable incidents including an attack on Chilean telecommunications company GTD. The attack was initially misattributed to the Medusa ransomware, but later analysis by computer security company Eset confirmed it was indeed the work of BabLock. This incident highlighted the malware's ability to disrupt operations and cause significant harm. Moreover, further investigations from Chile's CSIRT revealed that BabLock exploits DLL side-loading flaws in security software such as BitDefender, Trend Micro, and Cortex XDR to facilitate the deployment of its injector. This technique allows the malware to write itself to disk at the host level, making it even more difficult to detect and remove. SafeBreach's coverage of the Rorschach ransomware provides detailed insights into these various tactics, further emphasizing the need for robust cybersecurity measures against this potent threat.
Description last updated: 2024-03-13T02:19:00.521Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Rorschach is a possible alias for Bablock. Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe
4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Payload
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lockbit Malware is associated with Bablock. LockBit is a type of malware, specifically a ransomware, that infiltrates systems to exploit and damage them. It's known for its disruptive activities such as stealing personal information or holding data hostage for ransom. The LockBit ransomware gang has claimed responsibility for several high-prois related to
3
The Lockbit v3.0 Malware is associated with Bablock. LockBit v3.0 is a malicious software variant, known for its capability to encrypt up to 25,000 files per minute. This potent ransomware was first encountered almost a year ago, and despite not being the fastest of its kind, it poses a significant threat due to the average time required to detect andUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The DarkSide Threat Actor is associated with Bablock. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply acrossUnspecified
2