Rorschach Ransomware

The ransomware known as Rorschach, or BabLock, encrypts files and targets small to medium-sized businesses as well as industrial organizations. When Rorschach infects a system, it not only encrypts data but also appends a random string of characters followed by a two-digit number to each filename. The purpose of this modification is to make it harder for victims to notice that their data has been locked.

Rorschach also drops a ransom note file called '_r_e_a_d_m_e.txt' and changes the current desktop background to further intimidate the victim. The appended string of random characters and the two-digit number may vary depending on the particular variant of the ransomware.
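A defender-side triage heuristic for the two artifacts described above (the appended random-string-plus-two-digit marker and the '_r_e_a_d_m_e.txt' note), as an added example that is not part of the original entry. The marker format is an assumption: the page only says the string is random and ends in two digits, so the regex treats any alphabetic run followed by exactly two digits as a candidate and requires the original extension to still precede it; the file paths are constructed sample input.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

RANSOM_NOTE = "_r_e_a_d_m_e.txt"
# Assumed shape of the appended marker: letters then exactly two digits.
# The real string and digits vary per variant, so treat this as a heuristic.
APPENDED_EXT = re.compile(r"^\.[A-Za-z]{4,}\d{2}$")

def looks_rorschach_renamed(name):
    """True if the final suffix looks like an appended marker and an
    original extension (e.g. .xlsx) still sits in front of it."""
    suffixes = PurePosixPath(name).suffixes
    if len(suffixes) < 2:
        return False
    return bool(APPENDED_EXT.match(suffixes[-1]))

def triage(paths, min_files=2, min_ratio=0.5):
    """Group paths by directory and flag directories that contain the ransom
    note, or where at least min_ratio of at least min_files files carry the
    marker. Returns {directory: {"note": bool, "renamed": n, "total": n}}."""
    by_dir = defaultdict(lambda: {"note": False, "renamed": 0, "total": 0})
    for p in paths:
        path = PurePosixPath(p)
        rec = by_dir[str(path.parent)]
        if path.name == RANSOM_NOTE:
            rec["note"] = True
            continue
        rec["total"] += 1
        if looks_rorschach_renamed(path.name):
            rec["renamed"] += 1
    findings = {}
    for d, rec in by_dir.items():
        ratio = rec["renamed"] / rec["total"] if rec["total"] else 0.0
        if rec["note"] or (rec["total"] >= min_files and ratio >= min_ratio):
            findings[d] = dict(rec)
    return findings

# Constructed sample listing: one hit directory, two clean ones.
SAMPLE_PATHS = [
    "/srv/share/finance/q1.xlsx.ktrsbz14",
    "/srv/share/finance/q2.xlsx.ktrsbz14",
    "/srv/share/finance/_r_e_a_d_m_e.txt",
    "/srv/share/hr/policy.docx",
    "/srv/share/hr/notes.txt",
    "/srv/share/eng/build.log.gz",      # legitimate double suffix
    "/srv/share/eng/report.pdf.fy23",   # too short to match the marker
]

if __name__ == "__main__":
    for d, rec in triage(SAMPLE_PATHS).items():
        print(d, rec)
```

Run it against a recursive listing of a file share; the ratio threshold keeps a single odd filename from raising an alert while a directory-wide rename still does.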

The Data Impacted by the Rorschach Ransomware Becomes Unusable

The ransom note left by the attackers on the infected system serves as a notification that their system has been compromised, their data has been encrypted, and their backups have been deleted. The note may also mention that confidential information has been stolen by the attackers.

The ransom note typically instructs victims not to contact the police, FBI, or other authorities until the ransom payment has been made. It may also discourage victims from contacting data recovery companies, claiming that they are intermediaries who will charge a large amount of money without providing any assistance.

The ransom note also warns victims not to attempt to decrypt the files themselves or to modify the file extensions, as this may make it impossible to recover the encrypted data. The attackers provide two email addresses, 'wvpater@onionmail.org' and 'wvpater1@onionmail.org', for victims to contact them and send a few files for test decryption.

The ransom note contains a threat that if the ransom payment is not made, the attackers will launch another attack against the victim's system and delete all the data from their networks.

The Rorschach Ransomware can Infect Windows and Linux Systems

The Rorschach Ransomware is a sophisticated threat that is designed to spread automatically when executed on a Windows Domain Controller (DC). Once executed, the ransomware creates a Group Policy, which allows it to spread to other machines within the domain. This feature has previously been associated with another type of ransomware known as LockBit 2.0.

The Rorschach Ransomware is highly flexible and accepts optional command-line arguments that let the operator adapt its behavior. It also has unusual features, such as issuing direct system calls through the "syscall" instruction rather than going through the usual Windows API layers, which makes it harder to detect and defend against.

Additionally, the ransomware has several built-in options that are hidden and can only be discovered by reverse-engineering the malware. This is likely intended for the convenience of the operators.

The Rorschach Ransomware uses a hybrid cryptography scheme that combines Curve25519 with the eSTREAM stream cipher HC-128 to encrypt the victim's files. Unlike many other ransomware families, it encrypts only part of each file's content rather than the whole file, which makes the encryption process faster and more efficient.

It is important to note that the Rorschach Ransomware targets both Windows and Linux operating systems. The Linux variants of Rorschach have similarities to the Babuk Ransomware threat.

The full text of the ransom note delivered by Rorschach Ransomware is:

'Decryption ID:

Hi, since you are reading this it means you have been hacked.
In addition to encrypting all your systems, deleting backups, we also downloaded your confidential information.
Here's what you shouldn't do:
1) Contact the police, fbi or other authorities before the end of our deal.
2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recovery, and put our communication to naught). Don't go to recovery companies, they are essentially just middlemen who will make money of you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.
3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! This can lead to the impossibility of their decryption.

Here's what you should do right after reading it:
1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department.
2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email.

If you do not pay the ransom, we will attack your company again in the future. In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY!

As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption.
Mails to contact us(Write the decryption ID in the title of your message):
1)wvpater@onionmail.org
2)wvpater1@onionmail.org'