Rorschach ransomware can cause data loss permanently if victims do not have backups

Rorschach or BabLock ransomware encrypts files and targets small and medium-sized businesses and industrial companies. This malware appends a two-digit number and a random string of characters to the end of filenames in addition to encryption.
The ransomware also alters the desktop wallpaper and drops a ransom note called _r e a d m e.txt. The file name picture.jpg, for example, is transformed to picture.jpg.hyuhvw.37, but the appended characters vary depending on the variant of the ransomware.
| NAME | Rorschach |
| TYPE | Ransomware, data locking virus, crypto virus |
| FILE EXTENSION | Random string and a two-digit number |
| RANSOM NOTE | _r_e_a_d_m_e.txt |
| RANSOM AMOUNT | $50,000 – $1,000,000 |
| DISTRIBUTION | Infected email attachments, peer-to-peer file-sharing platforms, torrents, malicious ads |
| FILE RECOVERY | It is next to impossible to recover the files if you do not have backups or the decryption keys were not leaked; in some cases, recovery is successful with third-party software |
| ELIMINATION | Scan your machine with anti-malware software to eliminate the virus safely; this will not recover the locked files |
| SYSTEM FIX | You can avoid Windows reinstallation with FortectIntego maintenance tool, which can fix damaged files and system errors |
The ransom note
Rorschach ransomware drops a ransom note _r_e_a_d_m_e.txt which reads as follows:
Decryption ID: –
Hi, since you are reading this it means you have been hacked.
In addition to encrypting all your systems, deleting backups, we also downloaded your confidential information.
Here's what you shouldn't do:
1) Contact the police, fbi or other authorities before the end of our deal.
2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recovery, and put our communication to naught). Don't go to recovery companies, they are essentially just middlemen who will make money of you and cheat you.We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.
3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! This can lead to the impossibility of their decryption.Here's what you should do right after reading it:
1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department.
2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email.If you do not pay the ransom, we will attack your company again in the future.In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY!
As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption.
Mails to contact us(Write the decryption ID in the title of your message):
1)wvpater@onionmail.org
2)wvpater1@onionmail.org
The ransom note begins with a decryption ID, which indicates that the victim's systems have been compromised and all files have been encrypted. The attackers also claim to have obtained sensitive information. The note then lists a number of things the victim should not do, such as contact authorities or recovery organizations. The attackers attempt to discourage the victim from contacting recovery companies, implying that they are essentially middlemen who will defraud them.
The note then instructs the victim to forward the message to the company's CEO or the IT department if they are a regular employee. If the victim is a CEO, an IT specialist, or someone with clout in the company, they should contact the attackers via email within 24 hours. If the ransom is not paid, the attackers threaten to attack the company again, resulting in the loss of all data on the network.
The attackers suggest sending a few files for free decryption as a guarantee that they can decrypt the files. The ransom note includes two email addresses for contacting the attackers and instructs the victim to include the decryption ID in the message's title.
If a person becomes infected with ransomware and receives a ransom note, they should not become alarmed. To prevent the ransomware from spreading, they should first disconnect their device from the internet and other devices. They should also avoid paying the ransom because the attackers cannot guarantee that the files will be decrypted.

Protect yourself against ransomware attacks
Although the exact methods used to spread Rorschach ransomware are unknown, cybercriminals generally employ certain tactics. Malware is typically delivered via an executable file (.exe) hidden in a zip folder, embedded in the macros of a Microsoft Office document, or disguised as a viable attachment such as a fax. This frequently occurs because users are unaware of security risks and make mistakes.
Some people install “cracked” software[1] to avoid paying for licenses, unaware that the sites where these programs are distributed are breeding grounds for malware and potentially unwanted programs (PUPs).[2] These websites are unregulated and dangerous, with almost all downloads containing malicious files.
Hackers frequently use the operating system or software vulnerabilities to distribute ransomware, making it critical to keep everything up to date. Software developers release security updates on a regular basis to address newly discovered vulnerabilities, leaving unpatched systems vulnerable to attack.
It is critical to be cautious and not believe everything you see, as threat actors use a variety of phishing techniques to entice people. This could be a malicious email attachment or a malicious URL. Fraudsters can even use a victim's friend list to appear more legitimate. Before opening anything, it's best to double-check with the sender via another platform, as it could potentially compromise the entire local network.
Use professional security tools to eliminate malicious files
The most important step is to disconnect the affected device from the local network. For home users, simply unplugging the Ethernet cable should suffice. However, for businesses, this process may be more complex, and instructions for corporate environments are provided below.
Attempting to recover data before removing the malicious files can result in permanent loss of data, and the ransomware may encrypt files again. Removing the malware should be the first priority, and it is recommended to seek professional assistance if inexperienced.
To remove the ransomware, utilize anti-malware tools like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to scan your system. These tools should detect and automatically remove all related files and entries. In some cases, the malware may prevent antivirus software from functioning normally, so it may be necessary to access Safe Mode and conduct a full system scan from there.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on the Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find the Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Click Restart.
- Press 5 or click 5) Enable Safe Mode with Networking.
Fix system errors
Malware infections can cause various issues, such as performance degradation, stability problems, and usability errors, which can be severe enough to require a complete reinstallation of the Windows operating system. These infections can alter the registry database, damage essential bootup sections, delete or corrupt DLL files, and more. Unfortunately, once malware damages a system file, antivirus software is unable to repair it.
To address these problems, FortectIntego was developed to repair much of the damage caused by a malware infection. Errors such as Blue Screen,[3] freezes, registry errors, damaged DLLs, and others can render a computer unusable. However, by utilizing this maintenance tool, users can avoid the need for a complete Windows reinstallation.
File recovery options
Anti-malware tools are not intended for file restoration, despite what many people believe. They can only identify suspicious processes and remove malicious files. File decryption requires a decryption key or software that is only available to cyber criminals.
If you did not back up your data, it is possible that you have lost it permanently. While data recovery software may be able to restore some files, third-party applications do not always have the capability to decrypt them. However, it is still worth attempting to recover your data using this method. Before proceeding, ensure that you have removed the Rorschach ransomware and make a copy of the corrupted files to a USB flash drive or other storage devices.
Before you begin, several pointers are essential while dealing with this situation:
- Since the encrypted data on your computer might permanently be damaged by security or data recovery software, you should first make backups of it – use a USB flash drive or another storage.
- Only attempt to recover your files using this method after you perform a scan with anti-malware software.
Install data recovery software
- Download Data Recovery Pro.
- Double-click the installer to launch it.
- Follow on-screen instructions to install the software.

- As soon as you press Finish, you can use the app.
- Select Everything or pick individual folders where you want the files to be recovered from.

- Press Next.
- At the bottom, enable Deep scan and pick which Disks you want to be scanned.

- Press Scan and wait till it is complete.
- You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
- Press Recover to retrieve your files.

Was this guide helpful?
Be the first to comment