Skip to main content

Home BabLock


Also known as: Rorschach

Category: Malware

Type: Ransomware

Platform: Windows, Linux

Variants: Ransom.Win64.LOCKBIT.THGOGBB.enc

Damage potential: Malware infection, file encryption, file corruption and loss, system performance issues, network connectivity problems, and financial loss.


BabLock (or Rorschach) is a sophisticated, customizable ransomware that encrypts a victim’s computer files faster than other ransomware types. The attackers then demand the victim to pay ransom for the files to be released, typically by displaying a note with instructions on the victim’s computer. BabLock mainly targets small to medium-sized businesses and industrial companies. Once the malware infects a domain controller with admin privileges, it may spread across the local area network.

Possible symptoms

The main symptom of a BabLock infection is file encryption. You may notice that you can no longer open the files you normally use on your computer. Other symptoms of BabLock may include:

  • Modified file names (e.g., "1.jpg" may become "1.jpg.slpqne.37").
  • A ransom note named "_r_e_a_d_m_e.txt."
  • Desktop wallpaper change (e.g., displaying a message).
  • Sluggish computer performance.
  • Increased CPU and disk activity.
  • Antivirus scanner alerts you about an infection.

Sources of the infection

BabLock may spread in several ways, from social engineering attacks to system vulnerabilities. Let’s look at how BabLock may infect organization networks.

  • Security vulnerabilities. Attackers may spread BabLock by targeting unpatched vulnerabilities in the system or network (e.g., operating systems or web applications).
  • Phishing emails. BabLock may also spread through phishing or spear phishing attacks that target company employees.
  • Malvertising. BabLock may spread through malicious online advertisements. Malvertising may appear on legitimate websites alongside safe ads, making it difficult to spot.
  • Software downloads. Downloading and installing software from an unsafe or unofficial source may lead to a BabLock infection.
  • Drive-by downloads. Users may unknowingly download BabLock by visiting an unsafe website.


Ransomware attacks can cause severe damage, so taking the necessary steps to prevent them is important. Here’s how to protect your devices from BabLock:

  • Regularly update your software. BabLock often targets unpatched system and network vulnerabilities, so make sure you don’t delay security patches and updates.
  • Beware of phishing emails. If you get an email that sounds unusually urgent or a little off, don’t open any attachments or click on links.
  • Browse with caution. Cybercriminals may spread BabLock via fake websites. Be careful before visiting a website, and always double-check the URL for misspelled words or anything else suspicious.
  • Provide cybersecurity training. Employee training is crucial in preventing ransomware attacks in businesses — people need to know how to recognize and report any potential threats.
  • Use NordVPN. A VPN boosts your overall online security. However, NordVPN also offers Threat Protection Pro — an advanced cybersecurity feature that blocks malicious sites, web trackers, and annoying ads. Plus, it checks files for malware during download.


Because BabLock is a stealthy and sophisticated type of ransomware, removing it can be challenging. It is best to use a reputable antivirus, though not all antiviruses may detect BabLock on your system. You may also need to use a trusted ransomware decryption tool to access your data without paying the ransom.