Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Apr 2023

How to remove Rorschach ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Gabriel E. Hall · Passionate web researcher

Rorschach ransomware can cause data loss permanently if victims do not have backups

Rorschach or BabLock ransomware encrypts files and targets small and medium-sized businesses and industrial companies. This malware appends a two-digit number and a random string of characters to the end of filenames in addition to encryption.

The ransomware also alters the desktop wallpaper and drops a ransom note called _r e a d m e.txt. The file name picture.jpg, for example, is transformed to picture.jpg.hyuhvw.37, but the appended characters vary depending on the variant of the ransomware.

NAME Rorschach
TYPE Ransomware, data locking virus, crypto virus
FILE EXTENSION Random string and a two-digit number
RANSOM NOTE _r_e_a_d_m_e.txt
RANSOM AMOUNT $50,000 – $1,000,000
DISTRIBUTION Infected email attachments, peer-to-peer file-sharing platforms, torrents, malicious ads
FILE RECOVERY It is next to impossible to recover the files if you do not have backups or the decryption keys were not leaked; in some cases, recovery is successful with third-party software
ELIMINATION Scan your machine with anti-malware software to eliminate the virus safely; this will not recover the locked files
SYSTEM FIX You can avoid Windows reinstallation with FortectIntego maintenance tool, which can fix damaged files and system errors

The ransom note

Rorschach ransomware drops a ransom note _r_e_a_d_m_e.txt which reads as follows:

Decryption ID: –

Hi, since you are reading this it means you have been hacked.
In addition to encrypting all your systems, deleting backups, we also downloaded your confidential information.
Here's what you shouldn't do:
1) Contact the police, fbi or other authorities before the end of our deal.
2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recovery, and put our communication to naught). Don't go to recovery companies, they are essentially just middlemen who will make money of you and cheat you.We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.
3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! This can lead to the impossibility of their decryption.

Here's what you should do right after reading it:
1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department.
2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email.

If you do not pay the ransom, we will attack your company again in the future.In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY!

As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption.
Mails to contact us(Write the decryption ID in the title of your message):
1)wvpater@onionmail.org
2)wvpater1@onionmail.org

The ransom note begins with a decryption ID, which indicates that the victim's systems have been compromised and all files have been encrypted. The attackers also claim to have obtained sensitive information. The note then lists a number of things the victim should not do, such as contact authorities or recovery organizations. The attackers attempt to discourage the victim from contacting recovery companies, implying that they are essentially middlemen who will defraud them.

The note then instructs the victim to forward the message to the company's CEO or the IT department if they are a regular employee. If the victim is a CEO, an IT specialist, or someone with clout in the company, they should contact the attackers via email within 24 hours. If the ransom is not paid, the attackers threaten to attack the company again, resulting in the loss of all data on the network.

The attackers suggest sending a few files for free decryption as a guarantee that they can decrypt the files. The ransom note includes two email addresses for contacting the attackers and instructs the victim to include the decryption ID in the message's title.

If a person becomes infected with ransomware and receives a ransom note, they should not become alarmed. To prevent the ransomware from spreading, they should first disconnect their device from the internet and other devices. They should also avoid paying the ransom because the attackers cannot guarantee that the files will be decrypted.

Protect yourself against ransomware attacks

Although the exact methods used to spread Rorschach ransomware are unknown, cybercriminals generally employ certain tactics. Malware is typically delivered via an executable file (.exe) hidden in a zip folder, embedded in the macros of a Microsoft Office document, or disguised as a viable attachment such as a fax. This frequently occurs because users are unaware of security risks and make mistakes.

Some people install “cracked” software[1] to avoid paying for licenses, unaware that the sites where these programs are distributed are breeding grounds for malware and potentially unwanted programs (PUPs).[2] These websites are unregulated and dangerous, with almost all downloads containing malicious files.

Hackers frequently use the operating system or software vulnerabilities to distribute ransomware, making it critical to keep everything up to date. Software developers release security updates on a regular basis to address newly discovered vulnerabilities, leaving unpatched systems vulnerable to attack.

It is critical to be cautious and not believe everything you see, as threat actors use a variety of phishing techniques to entice people. This could be a malicious email attachment or a malicious URL. Fraudsters can even use a victim's friend list to appear more legitimate. Before opening anything, it's best to double-check with the sender via another platform, as it could potentially compromise the entire local network.

Use professional security tools to eliminate malicious files

The most important step is to disconnect the affected device from the local network. For home users, simply unplugging the Ethernet cable should suffice. However, for businesses, this process may be more complex, and instructions for corporate environments are provided below.

Attempting to recover data before removing the malicious files can result in permanent loss of data, and the ransomware may encrypt files again. Removing the malware should be the first priority, and it is recommended to seek professional assistance if inexperienced.

To remove the ransomware, utilize anti-malware tools like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to scan your system. These tools should detect and automatically remove all related files and entries. In some cases, the malware may prevent antivirus software from functioning normally, so it may be necessary to access Safe Mode and conduct a full system scan from there.

Windows 7 / Vista / XP

  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Click Restart.
  10. Press 5 or click 5) Enable Safe Mode with Networking.

Fix system errors

Malware infections can cause various issues, such as performance degradation, stability problems, and usability errors, which can be severe enough to require a complete reinstallation of the Windows operating system. These infections can alter the registry database, damage essential bootup sections, delete or corrupt DLL files, and more. Unfortunately, once malware damages a system file, antivirus software is unable to repair it.

To address these problems, FortectIntego was developed to repair much of the damage caused by a malware infection. Errors such as Blue Screen,[3] freezes, registry errors, damaged DLLs, and others can render a computer unusable. However, by utilizing this maintenance tool, users can avoid the need for a complete Windows reinstallation.

File recovery options

Anti-malware tools are not intended for file restoration, despite what many people believe. They can only identify suspicious processes and remove malicious files. File decryption requires a decryption key or software that is only available to cyber criminals.

If you did not back up your data, it is possible that you have lost it permanently. While data recovery software may be able to restore some files, third-party applications do not always have the capability to decrypt them. However, it is still worth attempting to recover your data using this method. Before proceeding, ensure that you have removed the Rorschach ransomware and make a copy of the corrupted files to a USB flash drive or other storage devices.

Before you begin, several pointers are essential while dealing with this situation:

  • Since the encrypted data on your computer might permanently be damaged by security or data recovery software, you should first make backups of it – use a USB flash drive or another storage.
  • Only attempt to recover your files using this method after you perform a scan with anti-malware software.

Install data recovery software

  1. Download Data Recovery Pro.
  2. Double-click the installer to launch it.
  3. Follow on-screen instructions to install the software.Install program
  4. As soon as you press Finish, you can use the app.
  5. Select Everything or pick individual folders where you want the files to be recovered from.Select what to recover
  6. Press Next.
  7. At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  8. Press Scan and wait till it is complete.
  9. You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  10. Press Recover to retrieve your files.Recover files

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.