Rorschach

Malware Profile Updated 2 months ago
Rorschach, also known as BabLock, is a ransomware family that has been recognized for its speed and sophistication. It encrypts files on infected systems at an unprecedented rate; Check Point researchers rated it one of the fastest ransomware variants ever observed, based on its encryption speed. The malware uses hybrid cryptography and encrypts only parts of each file rather than the whole file, which is what lets it reach these speeds. In tests conducted by Check Point, Rorschach encrypted 22,000 files in an average of four minutes and 30 seconds.

This stealthy and fast-moving ransomware first emerged in April 2023 and has since caused significant disruptions. Notably, on October 23, 2023 it disrupted operations at the major Chilean telecommunications provider Grupo GTD. The attack affected the company's data centers, Voice-over-IP, and internet access, impacting not only Chile but also other Latin American countries the provider serves. Chile's Computer Security Incident Response Team confirmed that the attack on GTD's infrastructure-as-a-service platform was a Rorschach ransomware attack.

Rorschach shares many characteristics with other ransomware families such as LockBit and Babuk, and has inspired several other strains, including Nokoyawa and ESXiArgs. Its code has resurfaced in various other ransomware samples, indicating its widespread influence among malicious software. Furthermore, Rorschach operates under CryptNet, a Ransomware as a Service (RaaS) group that claims to have the "fastest ransomware in the world," a claim previously limited to LockBit and Rorschach. The malware continues to pose a significant threat because of its speed, stealth, and ability to propagate autonomously.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

ID | Votes | Profile Description
Bablock | 4 | BabLock, also known as Rorschach, is a type of malware that operates as ransomware. First identified by Check Point Research in April 2023, this harmful software infiltrates computer systems and devices, often without the user's knowledge, with the aim to exploit, damage, and potentially hold data h
Babuk | 4 | Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, often leading to significant disruptions in operations. A notable instance of Babuk's destructive capabilities occurred on December 7th, when a printing company fell prey to the ransomware. The
Rapture | 2 | Rapture is a prominent malware that has emerged as a significant threat in the cybersecurity landscape. It appears to have adapted and evolved from the Paradise crypto-locker source code, which leaked in mid-2021. Further enhancements were made using the Babuk source code that was leaked later the s
RTM Locker | 2 | RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou
Esxiargs | 1 | The ESXiArgs campaign was a significant cybersecurity event where an unknown ransomware group targeted VMware ESXi environments. The attackers exploited CVE-2021-21974, a vulnerability that was two years old at the time of the attacks. The campaign involved several ransomware groups such as Royal, B
Rook | 1 | Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransom
Locker Ransomware | 1 | Locker ransomware, a type of malware, poses significant risks to computer systems and data. Unlike crypto-ransomware which encrypts user data, locker ransomware locks users out of their devices entirely, demanding a ransom payment to restore access without any data encryption. This threat has evolve
Nokoyawa | 1 | Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Encryption
Ransom
Injector
Loader
Payload
Linux
Esxi
Malware
Windows
Zero Day
Extortion
Encrypt
Locker
RaaS
Exploit
Evasive
Ransomware P...
Esxiargs
Vmware
Antivirus
Poc
Vulnerability
Associated Malware
ID | Type | Votes | Profile Description
Lockbit | Unspecified | 6 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to steal data or disrupt operations, often demanding ransom in return for the release of the compromised data. Notable incidents include the LockBit ransomware gang claiming to have stolen and subsequently leaking data f
Rorschach Ransomware | Unspecified | 4 | The Rorschach ransomware, also known as BabLock, is a new and unique strain of malware that was first identified by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) in April 2023. The ransomware, which was named after the famous psychological test due to its varied appea
Lockbit v.3 | Unspecified | 2 | LockBit v.3 is a type of malware, specifically ransomware, that poses significant threats to computer systems and devices. It infiltrates systems through dubious downloads, emails, or websites, often without the user's awareness. Once inside, it can steal personal information, disrupt operations, or
Exsiargs | Unspecified | 1 | EXSiArgs is a form of malware, specifically a ransomware strain that targets specific vulnerabilities in computer systems. Ransomware is malicious software designed to block access to a computer system until a sum of money is paid. EXSiArgs is one of many threats developed from the leaked Babuk code
Lockbit V3 | Unspecified | 1 | LockBit v3, also known as LockBit Black, is a potent malware that was initially detected in June 2022. This malicious software is designed to exploit and damage computer systems by encrypting files rapidly, often without the user's knowledge. It infiltrates systems through suspicious downloads, emai
REvil | Unspecified | 1 | REvil, also known as Sodinokibi, is a type of malware that gained notoriety through its use in ransomware attacks. As the Ransomware as a Service (RaaS) model grew in popularity during 2020, relationships between first-stage malware and subsequent ransomware attacks were established. One such connec
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, which was designed to infiltrate systems, disrupt operations, and potentially hold data hostage for ransom. The malware has been used by various threat actors, including ITG23, who have utilized it alongside other malicious software such as Trickb
Black Basta | Unspecified | 1 | Black Basta is a notorious malware group known for its malicious software, specifically ransomware attacks. Since early 2022, the Black Basta Ransomware gang has been actively involved in cybercrimes, amassing at least $107 million in Bitcoin ransom payments. The group's modus operandi involves expl
Associated Threat Actors
ID | Type | Votes | Profile Description
Medusa | Unspecified | 1 | Medusa, a threat actor group, has been identified as a rising menace in the cybersecurity landscape, with its ransomware activities escalating significantly. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability known as Citrix Bleed (CVE-2023
Frankenstein | Unspecified | 1 | Frankenstein, also known as TA402, Molerats, and Gaza Cybergang, is a threat actor identified by Proofpoint researchers. Active for over a decade, this Middle Eastern advanced persistent threat (APT) group has historically operated in the interests of the Palestinian Territories. In mid-2023, Franke
Alphv | Unspecified | 1 | AlphV, a notorious threat actor in the cybersecurity industry, has been responsible for numerous high-profile ransomware attacks. The group's activities include the theft of 5TB of data from Morrison Community Hospital and hacking Clarion, a global manufacturer of audio and video equipment for cars.
DarkSide | Unspecified | 1 | DarkSide is a notorious threat actor known for its malicious activities involving ransomware attacks. The group gained significant notoriety in 2021 when it attacked the largest oil pipeline in the United States, leading to a temporary halt of all operations for three days. This incident, along with
Defray | Unspecified | 1 | Defray is a malicious threat actor group, also known as Hive0091, that operates various ransomware strains such as Defray, Ryuk, and BitPaymer. They are also responsible for the RansomExx operation, PyXie malware, and Vatet loader. The cybersecurity industry identifies this group as a significant pl
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Rorschach malware was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
CERT-EU | 4 months ago | LatAm firms ramping up cybersecurity investments as they come into criminals' crosshairs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securityaffairs | 6 months ago | Decryptor for Tortilla variant of Babuk ransomware released
CERT-EU | 6 months ago | Babuk Tortilla ransomware decryptor made available | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 6 months ago | Tortilla (Babuk) Ransomware Decryptor Available – Gridinsoft Blogs | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 6 months ago | Examples of Past and Current Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
Checkpoint | 8 months ago | The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks - Check Point Research
CERT-EU | 9 months ago | Why rookie hackers are capitalizing on ransomware
CERT-EU | 9 months ago | US plastic surgeon clinic data exposed by Hunters International
CERT-EU | 9 months ago | Adverse impact of proposed CISA budget cut warned by official
CERT-EU | 9 months ago | Rorschach ransomware attack disrupts major Chilean telecom provider
CERT-EU | 9 months ago | Significant Volt Typhoon threat requires immediate US critical infrastructure action
CERT-EU | 9 months ago | Data breach reported by Seiko following ALPHV/BlackCat ransomware attack
CERT-EU | 9 months ago | Chilean telecom giant GTD hit by the Rorschach ransomware gang
InfoSecurity-magazine | 10 months ago | Wake-Up Call as 3AM Ransomware Variant Is Discovered
CERT-EU | 10 months ago | Why Criminals Keep Reusing Leaked Ransomware Builders
BankInfoSecurity | 10 months ago | Why Criminals Keep Reusing Leaked Ransomware Builders
Securityaffairs | a year ago | Leaked source code of Babuk ransomware used by 10 different ransomware families targeting VMware ESXi
CERT-EU | a year ago | Code leaks are causing an influx of new ransomware actors
CERT-EU | a year ago | Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware
CERT-EU | a year ago | Cyber Security Today, Week in Review for the week ending Friday, April 7, 2023 | IT World Canada News