Bablock

Malware updated 4 months ago (2024-05-04T16:10:54.881Z)
BabLock, also known as Rorschach, is a ransomware family first identified by Check Point Research in April 2023. It infiltrates computer systems and devices, often without the user's knowledge, with the aim of exploiting and damaging them and holding data hostage for ransom. It has been observed being transferred over HTTP/S, both during initial infiltration and during lateral movement within a network, and it has also been delivered as a compressed email attachment for the same two purposes. The malware has had a significant global impact; a notable incident was the attack on the Chilean telecommunications company GTD. That attack was initially misattributed to the Medusa ransomware, but later analysis by the security company Eset confirmed it was the work of BabLock, highlighting the malware's ability to disrupt operations and cause significant harm. Further investigation by Chile's CSIRT found that BabLock abuses DLL side-loading flaws in security software such as BitDefender, Trend Micro, and Cortex XDR to deploy its injector; this technique lets the malware write itself to disk at the host level, making it harder to detect and remove. SafeBreach's coverage of the Rorschach ransomware provides detailed insight into these tactics and underlines the need for robust defensive measures against this threat.
Description last updated: 2024-03-13T02:19:00.521Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Rorschach | 4 | Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Payload
Associated Malware
ID | Type | Votes | Profile Description
LockBit | is related to | 3 | LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc
LockBit v3.0 | Unspecified | 2 | LockBit v3.0 is a malicious software variant, known for its capability to encrypt up to 25,000 files per minute. This potent ransomware was first encountered almost a year ago, and despite not being the fastest of its kind, it poses a significant threat due to the average time required to detect and
Associated Threat Actors
ID | Type | Votes | Profile Description
DarkSide | Unspecified | 2 | DarkSide is a threat actor known for its malicious activities, particularly in the realm of ransomware. This group was notably responsible for the major attack on the U.S. energy sector that targeted Colonial Pipeline Co. on May 7, 2021, using a ransomware-as-a-service operation. The DarkSide ransom
Source Document References
Information about the Bablock malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | LatAm firms ramping up cybersecurity investments as they come into criminals' crosshairs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securityaffairs | 8 months ago | Decryptor for Tortilla variant of Babuk ransomware released
CERT-EU | 10 months ago | Rorschach ransomware attack disrupts major Chilean telecom provider
CERT-EU | 10 months ago | Chilean telecom giant GTD hit by the Rorschach ransomware gang
CERT-EU | a year ago | Akira Ransomware, 8Base Ransomware, and more: Hacker's Playbook Threat Coverage Round-up: August 22, 2023
Securityaffairs | a year ago | Leaked source code of Babuk ransomware used by 10 different ransomware families targeting VMware ESXi
CERT-EU | a year ago | Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware
Trend Micro | a year ago | An Analysis of the BabLock Ransomware
CERT-EU | a year ago | An Analysis of the BabLock Ransomware