Rorschach Ransomware Will Lock Victim Files

ransomware

Ransomware called Rorschach or BabLock is utilized by cyber attackers to encrypt files, particularly targeting small and medium-sized businesses, as well as industrial companies. In addition to encrypting data, this malware also appends a random string of characters and a two-digit number to the end of filenames. For instance, it renames "1.jpg" to "1.jpg.slpqne.37", "2.png" to "2.png.slpqne.39", etc. The appended string of random characters can differ depending on the variant of ransomware.

When the system is hacked, the Rorschach ransomware drops a ransom note on the desktop ("_r_e_a_d_m_e.txt") and alters the desktop wallpaper. The ransom note indicates that data has been encrypted, backups have been removed, and confidential information has been downloaded by the hackers. It also advises victims not to report to the police, FBI, or other authorities until the ransom is paid.

Furthermore, the ransom note discourages victims from contacting data recovery companies as they are viewed as middlemen who will deceive them. The note warns victims not to try decrypting files or changing the file extension as it will lead to permanent data loss. The ransom note provides an email address for victims to contact threat actors and send several files for test decryption.

The ransom note ends with a threat that if the ransom is not paid, the cybercriminals will strike the company again and delete all data from their networks.

Rorschach Ransom Note Indicates Its Operators Target Companies

The full text of the Rorschach ransom note reads as follows:

Decryption ID: -

Hi, since you are reading this it means you have been hacked.
In addition to encrypting all your systems, deleting backups, we also downloaded your confidential information.
Here's what you shouldn't do:
1) Contact the police, fbi or other authorities before the end of our deal.
2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recovery, and put our communication to naught). Don't go to recovery companies, they are essentially just middlemen who will make money of you and cheat you.We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.
3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! This can lead to the impossibility of their decryption.

Here's what you should do right after reading it:
1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department.
2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email.

If you do not pay the ransom, we will attack your company again in the future.In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY!

As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption.
Mails to contact us(Write the decryption ID in the title of your message):
1)wvpater@onionmail.org
2)wvpater1@onionmail.org

How is Ransomware Like Rorschach Usually Distributed?

Ransomware like Rorschach is typically distributed through phishing emails, malicious attachments, or links to infected websites. The attackers may use social engineering tactics to trick victims into downloading and executing the malware, such as disguising the ransomware as a legitimate software update or offering a tempting incentive in exchange for clicking on a link.

In some cases, the attackers may also exploit vulnerabilities in outdated software to gain access to a victim's system and install the ransomware. It is important to keep your operating system and all software up to date, use anti-virus software, and be cautious of suspicious emails and websites to reduce the risk of ransomware infection.

By Zaib
April 7, 2023
Ransomware
English
April 7, 2023
Ransomware

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Ransomware

DARKY LOCK Ransomware

DARKY LOCK ransomware is the name of a newly discovered strain of file-encrypting malware. According to researchers, the new variant is a member of the Babuk family of ransomware clones. DARKY LOCK will perform as... Read more

July 12, 2022
Ransomware

Lock Ransomware Lists No Ransom But Don't Get Excited

There is a new version of the Babuk ransomware in the wild, called the Lock ransomware. The new strain behaves as expected, encrypting files on the victim system. Affected extensions include media files, documents,... Read more

November 9, 2022
Ransomware

Dazx Ransomware Encrypts Victim Files

During our assessment of malware samples submitted to online threat databases, we identified Dazx, a new strain of ransomware that belongs to the Djvu family. The primary objective of Dazx is to encrypt files, and it... Read more

March 17, 2023
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.