Rorschach

Malware updated 6 months ago (2024-05-04T20:18:46.364Z)
Download STIX
Preview STIX
Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observed based on its speed of encryption. The malware leverages hybrid cryptography, encrypting only parts of a file rather than the entire file, which allows it to achieve these fast speeds. In tests conducted by Check Point, Rorschach was able to encrypt 22,000 files in an average of four minutes and 30 seconds. This stealthy and expeditious ransomware first emerged in April 2023 and has since caused significant disruptions. Notably, it disrupted operations of major Chilean telecommunications provider Grupo GTD on October 23, 2023. This attack affected the company's data centers, Voice-over-IP, and internet access, impacting not only Chile but also other Latin American countries that the provider caters to. The cyberattack against GTD's infrastructure-as-a-service platform was confirmed by Chile's Computer Security Incident Response Team to be a Rorschach ransomware attack. Rorschach shares many characteristics with other ransomwares such as LockBit and Babuk, and has inspired several other ransomware strains including Nokoyawa and EXSiArgs. Its code has resurfaced in various other ransomware samples, indicating its widespread influence in the realm of malicious software. Furthermore, Rorschach operates under CryptNet, a Ransomware as a Service (RaaS) group, which claims to have the “fastest ransomware in the world,” a claim previously limited to Lockbit and Rorschach. This malware continues to pose a significant threat due to its speed, stealth, and ability to propagate autonomously.
Description last updated: 2024-05-04T19:41:58.501Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Babuk is a possible alias for Rorschach. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio
4
Bablock is a possible alias for Rorschach. BabLock, also known as Rorschach, is a type of malware that operates as ransomware. First identified by Check Point Research in April 2023, this harmful software infiltrates computer systems and devices, often without the user's knowledge, with the aim to exploit, damage, and potentially hold data h
4
Rapture is a possible alias for Rorschach. Rapture is a prominent malware that has emerged as a significant threat in the cybersecurity landscape. It appears to have adapted and evolved from the Paradise crypto-locker source code, which leaked in mid-2021. Further enhancements were made using the Babuk source code that was leaked later the s
2
RTM Locker is a possible alias for Rorschach. RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Encryption
Ransom
Loader
Injector
Payload
Esxi
Linux
Windows
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lockbit Malware is associated with Rorschach. LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It typically enters through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage forUnspecified
6
The Rorschach Ransomware Malware is associated with Rorschach. The Rorschach ransomware, also known as BabLock, is a new and unique strain of malware that was first identified by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) in April 2023. The ransomware, which was named after the famous psychological test due to its varied appeaUnspecified
4
The Lockbit v.3 Malware is associated with Rorschach. LockBit v.3 is a type of malware, specifically ransomware, that poses significant threats to computer systems and devices. It infiltrates systems through dubious downloads, emails, or websites, often without the user's awareness. Once inside, it can steal personal information, disrupt operations, orUnspecified
2
Source Document References
Information about the Rorschach Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
8 months ago
Securityaffairs
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
Checkpoint
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago