Menu
Browse

Cyber Threat Actor: Rorschach ransomware gang

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Criminal
United States of America
2 incidents
Profile

The Rorschach ransomware gang, also known as BabLock, operates as a financially motivated cybercriminal group linked to attacks in the United States and internationally. Public reporting attributes this actor to disruptive ransomware campaigns targeting critical infrastructure providers, leveraging aggressive encryption tactics to pressure victims into paying ransoms. The group’s use of the "Rorschach" moniker references the distinct branding of their ransomware payloads, though they have interchangeably employed the BabLock alias in some operations.

This threat actor has demonstrated a focus on telecommunications and technology sectors, as evidenced by their 2023 breach of a major Chilean telecommunications company. In that incident, the gang disrupted Infrastructure-as-a-Service (IaaS) platforms, causing partial outages in VoIP, VPN, and television services. Their operational tradecraft includes exploiting DLL sideloading vulnerabilities in legitimate security software such as Trend Micro and BitDefender to bypass defenses. Attack chains involved injecting malicious payloads through Notepad processes to accelerate file encryption, indicating a deliberate effort to maximize operational tempo before detection. Chile’s national CSIRT confirmed the gang deployed tailored indicators of compromise, including malicious executables designed for rapid lateral movement within compromised environments.

Rorschach’s activities align with typical ransomware objectives of financial extortion, though their selection of high-impact infrastructure targets suggests an intentional strategy to amplify disruption. The Chilean telecom attack required the victim organization to isolate its IaaS platform by disconnecting critical systems, reflecting the gang’s ability to force operational shutdowns. While their affiliation with other criminal entities remains unconfirmed, the reuse of BabLock-associated techniques points to possible overlaps with established ransomware ecosystems. No publicly available evidence links the group to state-sponsored actors, with all reported incidents attributed to criminal profit motives. Security advisories following their campaigns emphasize detecting sideloading patterns and unauthorized Notepad-process-related payload executions as primary mitigation priorities.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources