Rorschach Ransomware

Malware Profile Updated 3 months ago
The Rorschach ransomware, also known as BabLock, is a new and unique strain of malware first identified by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) in April 2023. It was named after the famous psychological test because it presents differently to each examiner, and it has been used in attacks against US-based companies. Notably, it has the fastest file-encrypting routine observed to date, which makes it particularly damaging. All of the ransomware's logic and configuration is carried in an encrypted file, config.ini. Rorschach's deployment process is distinctive: it bears some similarity to features implemented by LockBit 2.0 but carries them out differently. This, together with the lack of any branding, makes it difficult to attribute the ransomware to known operators or developers, who remain unidentified.

During an infection, Harmony Endpoint Anti-ransomware detected the encryption process across various folders, including alterations made to Harmony Endpoint 'honeypot' files.

Rorschach has drawn attention for its targeted approach. Like ALPHV/BlackCat, ESXiArgs, LockBit, Play, Rook, Black Basta, Defray, MichaelKors and other ransomware gangs, it has shown a preference for VMware ESXi and Linux systems. Most notably, it was involved in an attack on GTD, as reported by BleepingComputer. Despite the increasing prevalence of this variant, the operators and developers behind these attacks remain unknown.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Bablock | 1 | BabLock, also known as Rorschach, is a type of malware that operates as ransomware. First identified by Check Point Research in April 2023, this harmful software infiltrates computer systems and devices, often without the user's knowledge, with the aim to exploit, damage, and potentially hold data h
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Encryption
Windows
ESXi
RaaS
Injector
Antivirus
VMware
ESXiArgs
Linux
Associated Malware
ID | Type | Votes | Profile Description
Rorschach | Unspecified | 4 | Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe
Lockbit | Unspecified | 4 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Rook | Unspecified | 1 | Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransom
Babuk | Unspecified | 1 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
REvil | Unspecified | 1 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
RTM Locker | Unspecified | 1 | RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 1 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Defray | Unspecified | 1 | Defray is a malicious threat actor group, also known as Hive0091, that operates various ransomware strains such as Defray, Ryuk, and BitPaymer. They are also responsible for the RansomExx operation, PyXie malware, and Vatet loader. The cybersecurity industry identifies this group as a significant pl
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Rorschach ransomware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | New Money Message Ransomware Gang Hits MSI, Threatens of Data Leak
Securityaffairs | a year ago | Rorschach ransomware has the fastest file-encrypting routine to date
CERT-EU | a year ago | VMware ESXi, Linux systems targeted by new MichaelKors RaaS operation | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU | 9 months ago | Chilean telecom giant GTD hit by the Rorschach ransomware gang
CERT-EU | 9 months ago | Why rookie hackers are capitalizing on ransomware
CERT-EU | 9 months ago | Significant Volt Typhoon threat requires immediate US critical infrastructure action
CERT-EU | 9 months ago | Data breach reported by Seiko following ALPHV/BlackCat ransomware attack
CERT-EU | 9 months ago | Rorschach ransomware attack disrupts major Chilean telecom provider
CERT-EU | 9 months ago | US plastic surgeon clinic data exposed by Hunters International
CERT-EU | 9 months ago | Adverse impact of proposed CISA budget cut warned by official
CERT-EU | a year ago | New ransomware strain believed to be fastest at executing encryption | IT World Canada News
CERT-EU | a year ago | New Rorschach ransomware hits with unique features and very fast encryption
CERT-EU | a year ago | In focus: MDR for finance
CERT-EU | a year ago | Mysterious 'Rorschach' Ransomware Doubles Known Encryption Speeds
CERT-EU | a year ago | Royal ransomware attack recovery in Dallas to take weeks
CERT-EU | a year ago | Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware
DARKReading | a year ago | Rorschach Ransomware: What You Need to Know
CERT-EU | a year ago | May ransomware activity rises behind 8base, LockBit gangs | TechTarget
Checkpoint | a year ago | Rorschach – A New Sophisticated and Fast Ransomware - Check Point Research