Malware · Ransomware · Used by 1 actor

Bablock

BabLock (also referred to as Rorschach) is a ransomware family first seen in 2023. Reporting around the February 2026 cyber incident impacting Sapienza University of Rome links the disruption to BabLock/Rorschach based on observed malware traits and operational patterns, with victim data reported as encrypted. The ransomware is described as “next-generation” and is noted for rapid encryption. Public reporting attributes the Sapienza incident to a purported pro-Russian threat actor tracked as Femwar02 using BabLock/Rorschach-like malware; the reporting also claims the extortion malware typically avoids encrypting devices configured for Russian or other post-Soviet languages. Multiple reports state the attackers provided a ransom-demand link with an alleged 72-hour countdown that would begin only after the link is clicked, and that the victim did not engage/open it, leaving the ransom amount unknown. Code lineage assessments cited in reporting indicate BabLock/Rorschach borrows components from leaked Babuk source code as well as LockBit v2.0 and DarkSide. One report states Rorschach does not operate a dedicated dark-web extortion portal. No specific technical IOCs (hashes, domains, IPs) are provided in the content.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Femwar02

Public reports confirm that the University suffered a ransomware attack that disrupted its operations... “What appears certain is the use of a next-generation ransomware strain known as ‘Bablock,’ ... The media report links the security breach to Bablock/Rorschach ransomware based on malware traits and tactics. First seen in 2023, this malware family borrows code from leaked Babuk, LockBit v2.0, and DarkSide code.

via Security Affairs (securityaffairs.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

1 technique
T1497.001 System Checks (evidence: 1)

...create Linux encryptors targeting VMware ESXi servers.

Discovery

1 technique
T1497.001 System Checks (evidence: 1)

...create Linux encryptors targeting VMware ESXi servers.

Impact

2 techniques
T1486 Data Encrypted for Impact (evidence: 4)

These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.

T1490 Inhibit System Recovery (evidence: 1)

"As the investigation continues, university technicians are working to determine the scope of the security breach before restoring data from backups. It’s also unclear whether the backups contain all data or if some remains inaccessible after ransomware encryption."

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes: 1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.sha1 | Value: ●●●●●●●●●●●● (masked on the public page) | Latest sighting: 1 year ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (1)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (3)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.