Rorschach Ransomware Will Lock Victim Files
Ransomware called Rorschach or BabLock is utilized by cyber attackers to encrypt files, particularly targeting small and medium-sized businesses, as well as industrial companies. In addition to encrypting data, this malware also appends a random string of characters and a two-digit number to the end of filenames. For instance, it renames "1.jpg" to "1.jpg.slpqne.37", "2.png" to "2.png.slpqne.39", etc. The appended string of random characters can differ depending on the variant of ransomware.
When the system is hacked, the Rorschach ransomware drops a ransom note on the desktop ("_r_e_a_d_m_e.txt") and alters the desktop wallpaper. The ransom note indicates that data has been encrypted, backups have been removed, and confidential information has been downloaded by the hackers. It also advises victims not to report to the police, FBI, or other authorities until the ransom is paid.
Furthermore, the ransom note discourages victims from contacting data recovery companies as they are viewed as middlemen who will deceive them. The note warns victims not to try decrypting files or changing the file extension as it will lead to permanent data loss. The ransom note provides an email address for victims to contact threat actors and send several files for test decryption.
The ransom note ends with a threat that if the ransom is not paid, the cybercriminals will strike the company again and delete all data from their networks.
Rorschach Ransom Note Indicates Its Operators Target Companies
The full text of the Rorschach ransom note reads as follows:
Decryption ID: -
Hi, since you are reading this it means you have been hacked.
In addition to encrypting all your systems, deleting backups, we also downloaded your confidential information.
Here's what you shouldn't do:
1) Contact the police, fbi or other authorities before the end of our deal.
2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recovery, and put our communication to naught). Don't go to recovery companies, they are essentially just middlemen who will make money of you and cheat you.We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.
3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! This can lead to the impossibility of their decryption.
Here's what you should do right after reading it:
1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department.
2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email.
If you do not pay the ransom, we will attack your company again in the future.In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY!
As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption.
Mails to contact us(Write the decryption ID in the title of your message):
How is Ransomware Like Rorschach Usually Distributed?
Ransomware like Rorschach is typically distributed through phishing emails, malicious attachments, or links to infected websites. The attackers may use social engineering tactics to trick victims into downloading and executing the malware, such as disguising the ransomware as a legitimate software update or offering a tempting incentive in exchange for clicking on a link.
In some cases, the attackers may also exploit vulnerabilities in outdated software to gain access to a victim's system and install the ransomware. It is important to keep your operating system and all software up to date, use anti-virus software, and be cautious of suspicious emails and websites to reduce the risk of ransomware infection.