{
	"id": "5fe9a890-d126-4b2b-ac06-fe4b85a471e6",
	"created_at": "2026-04-06T00:06:34.627287Z",
	"updated_at": "2026-04-10T03:32:06.141842Z",
	"deleted_at": null,
	"sha1_hash": "12dd77439b7143070ca07aaace3957622e87e4bc",
	"title": "An Analysis of the BabLock Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2092720,
	"plain_text": "An Analysis of the BabLock Ransomware\r\nBy Don Ovid Ladores, Byron Gelera\r\nPublished: 2023-04-18 · Archived: 2026-04-05 22:42:02 UTC\r\nRansomware\r\nAn Analysis of the BabLock (aka Rorschach) Ransomware\r\nThis blog post analyzes a stealthy and expeditious ransomware called BabLock (aka Rorschach), which shares many characteristics with LockBit.\r\nBy: Don Ovid Ladores, Byron Gelera Apr 18, 2023 Read time: 6 min (1583 words)\r\nA ransomware called BabLock (aka Rorschach) has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques. Although primarily based on LockBit, the ransomware is a hodgepodge of parts from other ransomware families pieced together into what we now call BabLock (detected as Ransom.Win64.LOCKBIT.THGOGBB.enc). Note, however, that we do not believe that this ransomware originates from the threat actors behind LockBit, which is now in its third iteration.\r\nIn this blog entry, we look at its attack chain in detail and examine its likely origins.\r\nDiscovery\r\nIn June 2022, we discovered a ransomware (which turned out to be BabLock) using what appeared to be a unique style of appending extensions: instead of the normal “one sample, one extension” method commonly used in ransomware attacks, the attackers were appending numerical increments from 00-99 on top of the fixed ransomware extension for this specific infection. As a result, even on a single infected machine, there could be multiple extension variations from a single execution.\r\nhttps://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html\r\nPage 1 of 9\r\nFigure 1. The ransomware’s unique trait showing numerical increments for the extension\r\nOur investigation found that the ransomware was always deployed as a multi-component package consisting mostly of the following files:\r\nThe encrypted ransomware file, config.ini\r\nA malicious sideloaded DLL (DarkLoader, a config.ini decryptor and ransomware injector)\r\nA non-malicious executable used to load the malicious DLL\r\nA CMD file to execute the non-malicious binary using the correct password\r\nFigure 2. The main ransomware package found during one instance of infection\r\nThe DarkLoader DLL will check for specific commands, particularly --run, which checks for the correct 4-digit password needed to start the encryption process. Although the password has no bearing on the unpacking of the contents of config.ini itself, the DLL will execute the core ransomware routine if it is supplied correctly.\r\nFigure 3. If the correct passcode is added to the command line, the ransomware will proceed with the whole encryption process\r\nOnce the DLL component is loaded by the non-malicious executable, it will immediately look for the config.ini file in the current executable’s path. Once this is found, the DLL decrypts config.ini and then executes notepad.exe with a certain set of command lines.\r\nFor this particular campaign, we found a few notable and consistent patterns:\r\nThe main ransomware binary is usually delivered as an encrypted config.ini file.\r\nDarkLoader is executed via DLL sideloading using legitimate executables.\r\nThe config.ini file is decrypted by a specially crafted loader designed specifically for these campaigns (detected as Trojan.Win64.DarkLoader).\r\nBabLock appends a random number from 00 to 99 to the extension string per file within the same infected machine (for example, extn00-extn99 as extensions in the same infection).\r\nAny DarkLoader DLL can be used to decrypt any encrypted ransomware config.ini, with no specific binary pairing needed.\r\nThe DarkLoader DLL uses direct SysCall instructions for a select few, but important, API calls to avoid API reading analysis.\r\nThe decrypted BabLock ransomware is always packed with VMProtect for anti-virtualization.\r\nBabLock is loaded via thread injection into the hooked API Ntdll.RtlTestBit, which jumps to memory containing the ransomware code.\r\nThere have been a few variations of the passcode for --run across different attacks, but all of them are still within a certain range of each other.\r\nFigure 4. The command line argument supplied to notepad.exe to load and execute the ransomware in recent attacks\r\nFigure 5. DLL using several direct SysCall instructions to avoid API reading techniques\r\nFigure 6. The notepad.exe file is injected with an API call thread to RtlTestBit, which has been patched/hooked to jump to the malicious routine\r\nSubtle but sophisticated\r\nDuring our initial encounter with BabLock in June 2022, we searched for similar files and found that the earliest record of these files dated back to March 2022. After discovering this, we wanted to find out how it managed to stay under the radar for so long.\r\nSince June 2022, there have only been a handful of recorded incidents involving the ransomware, including the most recent one. Due to the low number of cases, no notable statistics involving region, industry, or victim profile have stood out as of the time of writing.\r\nFigure 7. Distribution of incidents involving the BabLock ransomware\r\nHowever, due to its notable features and characteristics, attacks related to BabLock can be easily identified. As we’ve already mentioned, after every file encryption, the ransomware appends a random number string between 00-99 to its hardcoded extension. This results in up to 100 different variations of the same ransomware extension.\r\nFigure 8. Code snippet showing a random number string between 00-99 being appended to encrypted files\r\nIt also has a fairly sophisticated execution routine:\r\nIt uses a specific number code to execute properly.\r\nIt splits the package into multiple components.\r\nIt separates and hides the actual payload in an encrypted file.\r\nIt uses normal applications as loaders.\r\nFinally, BabLock employs publicly available tools as part of its infection chain. We found that the most used tools were the following:\r\nChisel - A transmission control protocol (TCP) and user datagram protocol (UDP) tunnel\r\nFscan - A scanning tool\r\nBy using these two tools — combined with BabLock/LockBit possessing the capability to set active directory (AD) Group Policies for easier propagation — it’s possible for a malicious actor to navigate around a network without much effort.\r\nComparing and contrasting BabLock to LockBit and other ransomware\r\nFrom our investigation, most of the routines used by BabLock are more closely related to LockBit (2.0) than to any other ransomware. Other researchers also mention similarities to ransomware such as Babuk, Yanluowang and others.\r\nInitially, we suspected it to be related to the DarkSide ransomware due to ransom note similarities. However, unlike the DarkSide ransomware, BabLock removes shadow copies by executing the following command line:\r\nvssadmin.exe delete shadows /All /Quiet\r\nTherefore, we immediately ruled this relationship out since it is different from the way DarkSide does things, which is deleting shadow copies through Windows Management Instrumentation (WMI) and PowerShell (which is technically more sophisticated and difficult to detect through standard monitoring tools).\r\nFigure 9. The ransomware binary decrypts and executes the command line to delete shadow copies.\r\nOne characteristic it shares with LockBit (2.0) is the use of the same group policy to generate a desktop drop path. Similarly, the use of vssadmin for deleting shadow copies is also a routine heavily used in LockBit attacks (albeit also a common routine for many modern ransomware). Still, the resemblance is uncanny.\r\nFurthermore, it runs the same commands to execute GPUpdate for the AD. Due to this, our detection for this ransomware is still under the LockBit family.\r\nFigure 10. Comparing BabLock’s group policy for generating the desktop drop path (left) with that of LockBit (right)\r\nFrom what we can tell, BabLock looks like a Frankenstein-like creation that is stitched together from different known ransomware families.\r\nFigure 11. Similarities between BabLock and other ransomware families\r\nInsights and conclusion\r\nOur first encounter with BabLock almost coincided with the release of LockBit v3.0. However, since most of its structure still resembles LockBit v2.0, we surmise that this may be from another affiliate or group. With nearly a year since the release of LockBit v3.0, we have found no changes to the payload of BabLock even in recent attacks, further solidifying our stance that they are neither connected nor closely affiliated with the actual LockBit group. What we do know is that the threat actor behind BabLock managed to take many of the base capabilities of LockBit v2.0 and add bits and pieces of different ransomware families to create their own unique variant, which could possibly be enhanced further in the future.\r\nRecommendations\r\nOrganizations can implement security frameworks to safeguard their systems from similar attacks, which systematically allocate resources to establish a robust defense strategy against ransomware. Below are some recommended guidelines that organizations may want to consider:\r\nTaking an inventory of assets and data\r\nIdentifying authorized and unauthorized devices and software\r\nAuditing event and incident logs\r\nManaging hardware and software configurations\r\nGranting admin privileges and access only when necessary to an employee’s role\r\nMonitoring network ports, protocols, and services\r\nEstablishing a software allowlist that only executes legitimate applications\r\nImplementing data protection, backup, and recovery measures\r\nEnabling multifactor authentication (MFA)\r\nDeploying the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network\r\nWatching out for early signs of an attack such as the presence of suspicious tools in the system\r\nImplementing a multi-faceted approach can aid organizations in securing potential entry points into their systems such as endpoint, email, web, and network. With the help of security solutions that can identify malevolent elements and questionable activities, enterprises can be safeguarded from ransomware attacks.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.\r\nTrend Micro Cloud One™ – Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html"
	],
	"report_names": [
		"an-analysis-of-the-bablock-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "a7d4fe31-d92f-425a-ba8c-c70219f52fb8",
			"created_at": "2022-10-25T15:50:23.466009Z",
			"updated_at": "2026-04-10T02:00:05.250808Z",
			"deleted_at": null,
			"main_name": "Frankenstein",
			"aliases": [
				"Frankenstein"
			],
			"source_name": "MITRE:Frankenstein",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775791926,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12dd77439b7143070ca07aaace3957622e87e4bc.pdf",
		"text": "https://archive.orkl.eu/12dd77439b7143070ca07aaace3957622e87e4bc.txt",
		"img": "https://archive.orkl.eu/12dd77439b7143070ca07aaace3957622e87e4bc.jpg"
	}
}