Cybersecurity firms Group-IB and Checkpoint each published a blog post on April 4, 2023, about a novel ransomware. The European Digital Forensics and Incident Response (DFIR) team at Group-IB, based in Amsterdam, made the discovery in mid-January 2023 while investigating an attack against a European manufacturer.
Researchers at Group-IB dubbed it BabLock, as its Linux and ESXi versions bear similarities to the Babuk ransomware. They added “Lock” as a reference to this new group’s particular MO: it encrypts infected systems without exfiltrating data. Checkpoint identified the ransomware during an attack on a US company and named it Rorschach.
“The BabLock group (uncovered as “Rorschach” by Checkpoint), as opposed to most of its ‘industry peers’, does not use Dedicated Leak Sites (DLS) and communicates with its victims by email,” explains Group-IB.
This lack of a DLS and the relatively low ransoms demanded (50K to 1M dollars) allow the cybercriminal group to fly under the radar. According to Group-IB, the ransomware has been active in some form since June 2022, but its inception goes back to 2021.
The ransomware also stands out due to its high level of sophistication and stealth. According to Checkpoint, it “picked up some of the best features of the main ransomware available online and melded them together”. It would also appear to be “autonomous in part, able to run tasks that normally require a human hand when ransomware is deployed.”
“This ransomware is highly customizable and has unique technical features, such as direct system requests, which are rarely seen in ransomware. Furthermore, thanks to various implementation methods, Rorschach is one of the fastest ransomware ever observed in terms of encryption speed,” adds Checkpoint. The ransomware is believed to encrypt data 30% faster than LockBit 3.0, which is renowned for its speed.
Researchers found Rorschach/BabLock samples in Europe (France, Italy, Luxembourg, Austria), the United States, Asia and the Middle East. Analyses have offered no indication as to its origin. Yet Group-IB specifies that the ransomware was designed to avoid encrypting “devices using Russian and other USSR-era languages.” All eyes therefore turn once again to Moscow.