Rorschach Ransomware

Malware updated 7 months ago (2024-05-04T18:18:23.327Z)
The Rorschach ransomware, also known as BabLock, is a new and unique strain of malware first identified by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) in April 2023. It was named after the well-known psychological test because it presents differently to each examiner, and it has been used in attacks against US-based companies. Notably, it has the fastest file-encryption routine observed to date, which makes it particularly damaging. All of the ransomware's logic and configuration are held in an encrypted file, config.ini.

Rorschach's deployment process is distinctive: it resembles some features implemented by LockBit 2.0 but carries them out differently. This, together with the absence of any branding, makes it difficult to attribute the ransomware to any known operators or developers, who remain unidentified. On an infected machine, Harmony Endpoint Anti-ransomware detected the encryption process in various folders, including alterations to Harmony Endpoint 'honeypot' files.

This strain has drawn attention for its targeted approach. Like ALPHV/BlackCat, ESXiArgs, LockBit, Play, Rook, Black Basta, Defray, MichaelKors and other ransomware gangs, Rorschach has shown a preference for VMware ESXi and Linux systems. Most notably, it was involved in an attack on GTD, as reported by BleepingComputer. Despite the increasing prevalence of this variant, the identities of the operators and developers behind these attacks remain unknown.
Description last updated: 2024-05-04T18:03:44.361Z
Aliases: none currently tracked.

Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Ransomware, Encryption, Windows.
Associated Malware

Rorschach Malware (association type: Unspecified; votes: 4)
The Rorschach Malware is associated with Rorschach Ransomware. Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe

Lockbit Malware (association type: Unspecified; votes: 4)
The Lockbit Malware is associated with Rorschach Ransomware. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit
Source Document References
Information about the Rorschach Ransomware malware was read from the documents corpus below. This display is limited to 20 results.

Source, Created
CERT-EU, 2 years ago
Securityaffairs, 2 years ago
CERT-EU, 2 years ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
DARKReading, a year ago
CERT-EU, a year ago
Checkpoint, 2 years ago