{
	"id": "3220d6da-49dd-4faf-9045-3f79606890b9",
	"created_at": "2026-04-06T00:12:48.592098Z",
	"updated_at": "2026-04-10T03:32:06.127502Z",
	"deleted_at": null,
	"sha1_hash": "e1b0062610f7445fce445986e51038568a29f515",
	"title": "Rorschach Ransomware Analysis with Attack Flow",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 573382,
	"plain_text": "Rorschach Ransomware Analysis with Attack Flow\r\nBy SIMKRA\r\nPublished: 2023-04-19 · Archived: 2026-04-05 19:00:51 UTC\r\nHow the online Attack Flow Builder can be used for reverse engineering and forensics.\r\nCurious about the new ransomware that, under the name Rorschach, caused a sensation in the community for the first time last week, I wanted to know how the online Attack Flow Builder can be used to design the attack flow from a reverse engineering and forensics point of view. Would it be possible? And what should I say? I’m not sure if everything is 100% implemented, but it helped me as an analyst to understand the ransomware. So I tried the experiment of graphically displaying the analysis in Attack Flow, another great tool developed by the Center for Threat-Informed Defense.\r\nAttack Flow is an open source tool to graphically display and understand attacks in their sequence.\r\nAttack Flow website (MITRE Engenuity): it helps defenders and leaders understand how adversaries operate and compose atomic techniques into attacks to better understand defensive posture.\r\nAttack Flow Builder is a free and open source tool for creating, viewing, and editing Attack Flows. This web-based tool provides a workspace where you can populate information about adversary actions and additional context, then weave those items into a flow by drawing arrows to indicate the sequences of adversary techniques observed during an incident or campaign.\r\nThose who have previously had contact with event-driven process chains or object-oriented programming will also become familiar with Attack Flow relatively quickly.\r\nWhile there is an online version that you can use right away, you can also download the tool from GitHub and install it on your virtual machine.\r\nAfter I had first modeled the ransomware group Play as an attack flow, I now wanted to know how Rorschach, also known as BabLock, works and which MITRE ATT\u0026CK techniques are behind it. While for Play, for example, the CTI reports also describe the tools used by the ransomware group, so that you can then go deeper into detection engineering and threat hunting with the help of threat intelligence platforms such as Tidal, there is still relatively little information on the web about BabLock.\r\nCortex XDR Dump Service Tool (cydump.exe) can be used to load untrusted dynamic link libraries (DLLs)\r\nLuckily, Trend Micro released an analysis of the ransomware today. Perfect timing!\r\nAlthough the ransomware was detected as a variant of LockBit, it cannot be clearly attributed to the LockBit group. Trend Micro refers to it as a “Frankenstein-like creation” assembled from different ransomware families; at the same time, Rorschach has one of the fastest encryption routines observed so far, and its automation also seems to be more advanced.\r\nWhile I initially assumed an analysis similar to that of Play, it quickly became clear that Attack Flow can also be used as a kind of assessment of the threat actor, the malware and where the attacks happened (location).\r\nShort assessment of the threat actor, the ransomware and where the unknown threat actor operates\r\nThe deeper I dived into the ransomware itself, the more I realized that Attack Flow is an excellent reverse engineering and forensics tool. If you really want to understand an attack in terms of the artifacts it consists of and the processes and procedures within it, Attack Flow can help you build the technical understanding you were missing before. The analyst is forced to understand the technical processes and, more importantly, to understand them in the right order.\r\nCommand lines can be displayed just like files or software, and tools can be pictured and sketched separately. The longer I spent with Attack Flow, the more enthusiastic I became about it.\r\nCommand lines, files, processes and actions can be added to get a complete overview of the procedures adversaries use\r\nI worked through the Trend Micro report step by step and realized that if I had only read the CTI report, half of the information would have been skimmed over; the technical depth of the ransomware itself only emerged during the modelling.\r\nUsing Attack Flow helps you understand how the ransomware is deployed without having reverse engineered it on your own\r\nConclusion: I recommend that every organization familiarize itself with such modelling tools and study attacks graphically shown as a flow chart. Creating an attack flow not only helps to understand the correct course of the attack, but also the technical depth necessary to write detections or to make statements about which MITRE ATT\u0026CK techniques are particularly relevant in order to reach the earliest possible so-called “choke point”. That means finding a technique early in the kill chain that the attacker has to pass through and where, with the right control or detection in place, the attacker cannot get any further.\r\nFor those who write forensic reports, existing attack flows can then be used to verify their own analysis hypotheses and as a basis for their own documentation of incidents. Even artifacts and IOCs can be mapped.\r\nBasically, Attack Flow is an easy-to-use tool that is accessible to everyone, with which playbooks or threat hunting solutions can also be created.\r\nCTI analysts can use Attack Flow to create highly detailed, behavior-based threat intelligence products. The language is machine-readable to provide for interoperability across organizations and commercial tools. Users can track adversary behavior at the incident level, campaign level, or threat actor level. Instead of focusing on indicators of compromise (IOCs), which are notoriously inexpensive for the adversary to change, Attack Flow is centered on adversary behavior, which is much more costly to change.\r\nAttackIQ’s Breach and Attack Simulation (BAS) tool goes one step further. It integrates attack flows into the BAS solution, so you can emulate the attack, modify steps and define one or several choke points as appropriate mitigations are implemented, and then repeat the tests iteratively in a structured, rigorous and measurable way. They have a blog for the community where you can get the latest attack flows that AttackIQ has developed.\r\nWhat’s next? It would be interesting to see how such reverse engineering attack flows can be used to develop further countermeasures or detections. D3FEND and other threat-informed tools could help in understanding the adequate mitigations an organization needs.\r\nFile removal of known malicious artifacts could be an adequate countermeasure\r\nDefensive Posture\r\nThe blue team can use Attack Flow to assess and improve their defensive posture, as well as provide leadership with a data-driven case for resource allocation. Attack Flow allows for a realistic risk assessment based on observed adversary sequences of attack, allowing defenders to play out hypothetical scenarios (e.g. table top exercises) with high fidelity. Defenders can reason about security controls over chains of TTPs to determine gaps in coverage, as well as choke points where defenses should be prioritized.\r\nExecutive Communications\r\nFront-line cyber professionals can use Attack Flow to roll up highly complicated, technical details of an incident into a visual depiction that aids communication with non-technical stakeholders, management, and executives. This format allows defenders to present their analysis of an attack and their defensive posture strategically while de-emphasizing raw data, technical jargon, and other information that executives do not need to make a business decision. Defenders can use flows to communicate the impact of an attack in business terms (i.e. money) and make a convincing case for new tools, personnel, or security controls to prioritize.\r\nLessons Learned\r\nIncident responders can use Attack Flow to improve their incident response (IR) planning and after-action review. After a security incident has occurred, responders can create flows to understand how their defenses failed and where they can apply controls to reduce future risk and enhance threat containment. Mapping a flow will also allow defenders to see where their defenses succeeded and what they should continue to do going forward. Creating attack flows is an easy way to ensure the incident is documented and organizational knowledge is retained for future use. Over time, this will improve defenders’ ability to mitigate and recover from incidents more efficiently.\r\nAdversary Emulation\r\nThe red team can use Attack Flow to create adversary emulation plans that focus their security testing on realistic sequences of TTPs informed by public as well as proprietary intelligence. The red team can leverage a corpus of attack flows to identify common attack paths and TTP sequences. In purple team scenarios, a flow is a very precise way to communicate between attackers and defenders.\r\nThreat Hunting\r\nThreat hunters can use Attack Flow to identify common sequences of TTPs observed in the wild, then hunt for those same TTP chains in their own environment. These flows can guide investigative searches, piecing together techniques and timestamps to construct detailed timelines. Attack Flow can showcase the adversary tools and TTPs that are being used, which can help aid in writing detections against common behaviors and/or adversary toolsets, as well as prioritizing those detections.\r\nAn introduction to the Attack Flow project can be found here.\r\nSource: https://medium.com/@simone.kraus/rorschach-ransomware-analysis-with-attack-flow-7fa5ff613a75",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@simone.kraus/rorschach-ransomware-analysis-with-attack-flow-7fa5ff613a75"
	],
	"report_names": [
		"rorschach-ransomware-analysis-with-attack-flow-7fa5ff613a75"
	],
	"threat_actors": [
		{
			"id": "a7d4fe31-d92f-425a-ba8c-c70219f52fb8",
			"created_at": "2022-10-25T15:50:23.466009Z",
			"updated_at": "2026-04-10T02:00:05.250808Z",
			"deleted_at": null,
			"main_name": "Frankenstein",
			"aliases": [
				"Frankenstein"
			],
			"source_name": "MITRE:Frankenstein",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775791926,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1b0062610f7445fce445986e51038568a29f515.pdf",
		"text": "https://archive.orkl.eu/e1b0062610f7445fce445986e51038568a29f515.txt",
		"img": "https://archive.orkl.eu/e1b0062610f7445fce445986e51038568a29f515.jpg"
	}
}