Rorschach Ransomware: How to Handle the Fastest Encryptor So Far

Rorschach ransomware, also known as BabLock, is a new malware that targets small and medium size businesses. This is a particularly dangerous cyber threat due to its encryptor speed.

The BabLock ransomware is calling the attention of cybersecurity professionals and IT experts due to its sophisticated and fast-moving attack chain.

Rorschach has an effective encryption algorithm, and enterprises of all sizes must be aware of Rorschach ransomware techniques to prevent it.

What kind of malware is Rorschach?

Rorschach is ransomware, which is a type of malware that encrypts and locks the victims’ files and then requests a ransom in exchange for the decryption key.

It was first seen in June 2022 and experts were astonished as it has a unique encryption technique. It has multiple extension variations, including numerical increments from 00-99 after the fixed encryption extension. This means that a single infected machine has several ransomware extensions.

Rorschach ransomware does not seem to have a relation with any other ransomware family or group. It also does not have any brand, unlike other ransomware groups.

Rorschach overviews

Confirmed Name

• BabLock ransomware

Threat Type

• Ransomware
• Crypto Virus
• Files locker

Encrypted Files Extension

• Random string and a two-digit number

Ransom Demanding Message

•  _r_e_a_d_m_e.txt

Is There a Free Decryptor Available?

• No

Detection Names

• Avast Win64:RansomX-gen [Ransom]
• Emsisoft Gen:Variant.Lazy.228670 (B)
• Kaspersky Trojan.Win64.DLLhijack.cw
• Malwarebytes Malware.AI.3750245446

Symptoms

• Can’t open files stored on the computer
• Ransom demand letter on the desktop and every folder
• Files have a new extension of random letters and two numbers from 00-99
• A note with instructions pops up when the victim tries to open an encrypted file

Distribution methods

• Vulnerable remote access (such as RDP)
• Infected email attachments (phishing emails)
• Torrent websites (infected links or files)
• Malicious ads (malvertising)

Consequences

• Files are encrypted and locked until the ransom payment
• Password stealing
• Additional malware can be installed
• Data leak

Prevention

• Antivirus and anti-malware
• Updated software
• Updated operating system (OS)
• Firewalls
• Don’t open an email attachment from an unknown source
• Do not download files from suspicious websites
• Don’t click on ads unless you’re sure it’s safe
• Only access websites from trustworthy sources

How did Rorschach infect your computer

Rorschach ransomware finds its way into your computer or network through many methods:

• Trojans. A trojan is a software that promises to perform one task but executes a different one, mostly malicious. They take the form of fake programs, attachments, and other types of files, deceiving victims.

• Vulnerable remote service. One more way Rorschach ransomware attacks happen is through unsecured external remote services. Attackers will exploit Remote Desktop Protocol (RDP) tools whose credentials are known, reused, weak, or rephrased to gain access to businesses’ networks and leak data.

• Known software vulnerabilities. Hackers use software with known vulnerabilities to attack businesses as well. That’s why it’s very important to also keep every software updated and protect remote administration tools like RDP. In the BabLock ransomware case, the group uses the legit security tool in Palo Alto Networks’ Cortex XDR as the initial attack method.

Rorschach ransom note

Besides the text file with the ransom note, the Rorschach ransomware also changes the desktop wallpaper to a text telling victims to open the file for more information.

Decryption ID: –

Hi, since you are reading this it means you have been hacked.

In addition to encrypting all your systems, deleting backups, we also downloaded your confidential information.

Here’s what you shouldn’t do:

1) Contact the police, fbi or other authorities before the end of our deal.

2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recovery, and put our communication to naught). Don’t go to recovery companies, they are essentially just middlemen who will make money of you and cheat you.We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.

3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! This can lead to the impossibility of their decryption.

Here’s what you should do right after reading it:

1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department.

2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email.

If you do not pay the ransom, we will attack your company again in the future.In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY!

As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption.

Mails to contact us(Write the decryption ID in the title of your message)

How does Rorschach ransomware work

Rorschach (BabLock) ransomware deployed on infected machines a multicomponent package (winutils.dll) with files like:

• The encrypted ransomware file (config.ini)
• DarkLoader, a decryptor and ransomware injector
• A non-malicious executable
• A CMD file to execute the non-malicious binary using the correct password

It’s subtle ransomware, not having many cases in 2022, staying under the radar. However, in April 2023 it has reach the news as being the fastest ransomware encryptor so far.

BabLock is a very sophisticated ransomware and easy to distingue due to its unique encryption, such as adding a number from 00-99 to the extension. Also, it is highly customizable

1. Security Solution Evasion

Rorschach spawns process runs in Suspended mode and gives out falsified arguments – a repeating string of the digit 1. The goal is to rewrite in memory, stoping a predefined list of tasks, clear Windows Security System and Windows Powershell, and disable Windows firewall.

2. Self-propagation

Rorschach ransomware will then spread itself to other machines within the domain. After that, it copies itself into the %Public% folder of every device on the domain.

The BabLock ransomware encryption process takes an average of 4 minutes, while LockBit 3.0, also a very fast ransomware, takes around 7 minutes to encrypt files on victims’ computers.

Prevent the Rorschach ransomware attack

Preventing ransomware attacks is easier and cheaper than recovering from them. Rorschach ransomware can cost your business’s future and even close its doors.

The Rorschach gang targets US hospitals to steal 1 million patients’ data and exploit vulnerabilities known as zero-day. These are software breaches that developers correct through new updates. According to HHS, in 2022 more than 289 hospitals were victims of Rorschach.

This means you must keep updated software to protect your data against Rorschach ransomware. However, cybercriminals can be faster sometimes and reach victims before an update is released.

1. Use strong passwords

Make sure each account has its password created randomly with a mix of numbers, letters, and special characters to prevent unauthorized access.

2. Keep software updated

As mentioned before, software updates can close vulnerabilities that cyberattackers can exploit to enter your business network. Keeping software updated will increase your system security.

3. Schedule regular backups

Backups are the most efficient way to restore your data, no matter if you lost it due to a natural disaster or cyberattack. They are also the fastest method to get back to work after a disaster such as a Rorschach attack.

4. Use a cybersecurity solution

Hiring a cyber security service or having an IT team to keep your data safe will prevent cyber attackers from accessing your data. These professionals can scan your system for vulnerabilities and create measures to improve your business cybersecurity protocols and awareness.

5. Have a recovery plan in hand

A data recovery plan (DRP) is a document that sets strategies on how to handle disasters such as ransomware attacks. They allow faster recovery and business continuity.

See how to create a data recovery plan with our in-depth guide.

How to handle a Rorschach ransomware attack

The first step to recover from the Rorschach attack is to isolate the infected computer by disconnecting from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3).

To report a ransomware attack you must gather every information you can about it, including:

• Screenshots of the ransom note
• Communications with Rorschach actors (if you have them)
• A sample of an encrypted file

You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.

After isolating the device and contacting authorities, you must follow the next steps to retrieve your data:

1. Contact your Incident Response Retainer

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

2. Identify the ransomware infection

You can check which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), or it will be on the ransom note. With this information, you can look for a public decryption key. In the case of the Rorschach ransomware, Linux-based systems have a decryptor.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and guarantee Rorschach ransomware does not attack your network again.

Contact our experts 24/7 for emergency recovery service or find a recovery center near you.