Rorschach Ransomware

Malware updated 4 months ago (2024-05-04T18:18:23.327Z)
The Rorschach ransomware, also known as BabLock, is a new and unique strain of malware that was first identified by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) in April 2023. The ransomware, named after the famous psychological test because it appears different to different examiners, has been used in attacks against US-based companies. Notably, it supports the fastest file-encrypting routine observed to date, making it particularly damaging.

The malware operates through an encrypted file, config.ini, which contains all the logic and configuration for the ransomware. Rorschach ransomware's deployment process is distinctive, bearing some similarity to features implemented by LockBit 2.0, but carried out differently. This, along with the lack of branding, makes it difficult to attribute the ransomware to any known operators or developers, who remain unidentified. When the ransomware infected a machine, Harmony Endpoint Anti-ransomware detected the encryption process in various folders, including alterations made to Harmony Endpoint 'honeypot' files.

This strain of ransomware has drawn attention for its targeted approach. Similar to the ALPHV/BlackCat, ESXiArgs, LockBit, Play, Rook, Black Basta, Defray, MichaelKors, and other ransomware gangs, Rorschach ransomware has shown a preference for VMware ESXi and Linux systems. Most notably, it was involved in an attack on GTD, as reported by BleepingComputer. Despite the increasing prevalence of this ransomware variant, the identities of the operators and developers behind these attacks remain unknown.
Description last updated: 2024-05-04T18:03:44.361Z
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Encryption
Windows
Associated Malware
ID; Type; Votes; Profile Description
Rorschach; Unspecified; 4; Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe
Lockbit; Unspecified; 4; LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc
Source Document References
Information about the Rorschach Ransomware Malware was read from the documents corpus below. This display is limited to 20 results.
Source Link; Created At; Title
CERT-EU; a year ago; New Money Message Ransomware Gang Hits MSI, Threatens of Data Leak
Securityaffairs; a year ago; Rorschach ransomware has the fastest file-encrypting routine to date
CERT-EU; a year ago; VMware ESXi, Linux systems targeted by new MichaelKors RaaS operation | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU; 10 months ago; Chilean telecom giant GTD hit by the Rorschach ransomware gang
CERT-EU; 10 months ago; Why rookie hackers are capitalizing on ransomware
CERT-EU; 10 months ago; Significant Volt Typhoon threat requires immediate US critical infrastructure action
CERT-EU; 10 months ago; Data breach reported by Seiko following ALPHV/BlackCat ransomware attack
CERT-EU; 10 months ago; Rorschach ransomware attack disrupts major Chilean telecom provider
CERT-EU; 10 months ago; US plastic surgeon clinic data exposed by Hunters International
CERT-EU; 10 months ago; Adverse impact of proposed CISA budget cut warned by official
CERT-EU; a year ago; New ransomware strain believed to be fastest at executing encryption | IT World Canada News
CERT-EU; a year ago; New Rorschach ransomware hits with unique features and very fast encryption
CERT-EU; a year ago; In focus: MDR for finance
CERT-EU; a year ago; Mysterious 'Rorschach' Ransomware Doubles Known Encryption Speeds
CERT-EU; a year ago; Royal ransomware attack recovery in Dallas to take weeks
CERT-EU; a year ago; Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware
DARKReading; a year ago; Rorschach Ransomware: What You Need to Know
CERT-EU; a year ago; May ransomware activity rises behind 8base, LockBit gangs | TechTarget
Checkpoint; a year ago; Rorschach – A New Sophisticated and Fast Ransomware - Check Point Research