Rook ransomware is yet another generation of the leaked Babuk code

A new ransomware operation named Rook has emerged in the cybercrime space recently, declaring a desperate need to make “big bucks” by breaking into corporate networks and encrypting devices.

While the introductory statements on their data breach portal were slightly amusing, the first victim announcements on the site made it clear that Rook was not playing games.

About Us section of the Rook Leak Portal

SentinelLabs researchers took a look at the new strain, revealing its technical details, chain of infection, and overlap with Babuk ransomware.

Infection process

The Rook ransomware payload is typically delivered via Cobalt Strike, with phishing emails and shady torrent downloads reported as the initial infection vectors.

Payloads are packed with UPX or other packers to help evade detection. When executed, the ransomware attempts to terminate processes related to security tools or anything else that could interfere with the encryption.

Terminated services
Source: SentinelLabs

“Interestingly, we see the kph.sys Process Hacker driver come into play in shutting down the process in some cases but not in others,” says SentinelLabs in its report.

“This probably reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific engagements.”

Volume shadow copy deletion process
Source: SentinelLabs

Rook also uses vssadmin.exe to delete volume shadow copies, a standard tactic in ransomware operations to prevent shadow copies from being used to recover files.

Analysts could not find any persistence mechanism, so Rook encrypts files, appends the “.Rook” extension, and then deletes itself from the compromised system.
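The infection chain above (shadow copy deletion via vssadmin.exe, the optional kph.sys driver load, mass termination of applications, and the “.Rook” rename) is mostly detectable from endpoint telemetry. The following is an added example, not code from the article or from SentinelLabs: a small detector that runs over constructed sample events (not real telemetry) loosely modelled on process-creation, driver-load, process-terminate and file-rename records from an EDR. It goes slightly beyond the page by also matching the wmic shadowcopy delete variant; the event field names, thresholds and sample paths are assumptions.

```python
import re
from collections import Counter

# Constructed sample events, not real telemetry. Field names are assumed;
# pid 4012 plays the ransomware, the last two events are benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4012, "image": r"C:\Users\alice\Downloads\setup.exe",
     "command_line": r"C:\Users\alice\Downloads\setup.exe"},
    {"type": "process_create", "pid": 4100, "parent_pid": 4012,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "driver_load", "pid": 4012, "image": r"C:\Windows\Temp\kph.sys"},
    {"type": "process_terminate", "pid": 4012, "target_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "process_terminate", "pid": 4012, "target_image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},
    {"type": "process_terminate", "pid": 4012, "target_image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"},
    {"type": "file_rename", "pid": 4012, "old_path": r"C:\Users\alice\Documents\q3.xlsx", "new_path": r"C:\Users\alice\Documents\q3.xlsx.Rook"},
    {"type": "file_rename", "pid": 4012, "old_path": r"C:\Users\alice\Documents\plan.docx", "new_path": r"C:\Users\alice\Documents\plan.docx.Rook"},
    {"type": "file_rename", "pid": 4012, "old_path": r"C:\Users\alice\Documents\notes.txt", "new_path": r"C:\Users\alice\Documents\notes.txt.Rook"},
    {"type": "file_rename", "pid": 4012, "old_path": r"C:\Users\alice\Pictures\cat.jpg", "new_path": r"C:\Users\alice\Pictures\cat.jpg.Rook"},
    {"type": "file_rename", "pid": 4012, "old_path": r"C:\Users\alice\Desktop\todo.md", "new_path": r"C:\Users\alice\Desktop\todo.md.Rook"},
    # Benign: an admin listing shadow copies and a user making a backup copy.
    {"type": "process_create", "pid": 5000, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
    {"type": "file_rename", "pid": 6000, "old_path": r"C:\Users\bob\notes.txt", "new_path": r"C:\Users\bob\notes.bak"},
]

# vssadmin is what the article reports; the wmic form is a common equivalent
# added here as a generalisation.
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b",
    re.IGNORECASE,
)
# KProcessHacker driver named in the SentinelLabs analysis; matched on file name only.
SUSPICIOUS_DRIVERS = {"kph.sys"}
ROOK_EXTENSION = ".rook"
RENAME_THRESHOLD = 5      # assumed tuning values, not from the article
TERMINATE_THRESHOLD = 3


def _basename(path):
    """Return the last path component of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return a list of (finding, pid, detail) tuples for the four behaviours
    described in the article. Per-event findings come first in event order,
    then per-process burst findings (renames, then terminations)."""
    findings = []
    renames_per_pid = Counter()
    kills_per_pid = Counter()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and SHADOW_DELETE_RE.search(ev.get("command_line", "")):
            findings.append(("shadow_copy_deletion", ev["pid"], ev["command_line"]))
        elif kind == "driver_load" and _basename(ev["image"]) in SUSPICIOUS_DRIVERS:
            findings.append(("suspicious_driver_load", ev["pid"], ev["image"]))
        elif kind == "process_terminate":
            kills_per_pid[ev["pid"]] += 1
        elif kind == "file_rename" and ev["new_path"].lower().endswith(ROOK_EXTENSION):
            renames_per_pid[ev["pid"]] += 1
    for pid, n in renames_per_pid.items():
        if n >= RENAME_THRESHOLD:
            findings.append(("rook_extension_burst", pid, f"{n} files renamed to *{ROOK_EXTENSION}"))
    for pid, n in kills_per_pid.items():
        if n >= TERMINATE_THRESHOLD:
            findings.append(("mass_process_termination", pid, f"{n} processes terminated"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The shadow-copy and driver-load matches are single-event indicators and fire immediately; the rename and termination counts are aggregated per process so that one backup rename or one closed application does not alert. In a real deployment the extension check should be one of many, since the thresholds and the “.Rook” suffix are trivially changed by the next Babuk fork.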

Files encrypted by Rook
Source: SentinelLabs

Based on Babuk

SentinelLabs found many code similarities between Rook and Babuk, a former RaaS whose full source code was leaked on a Russian-speaking forum in September 2021.

For example, Rook uses the same API calls to retrieve the name and state of each running service and the same functions to terminate them.

Additionally, the list of Windows processes and services that are terminated is the same for both ransomware families.

This includes the Steam gaming platform, Microsoft Office and the Outlook email client, and Mozilla Firefox and Thunderbird.

Other similarities include how the encryptor deletes volume shadow copies, uses the Windows Restart Manager API, and enumerates local drives.

Enumeration of local drives in alphabetical order
Source: SentinelLabs

Due to these code similarities, SentinelOne believes Rook is based on the leaked source code of the Babuk ransomware operation.

Is Rook a serious threat?

While it is too early to tell how sophisticated Rook’s attacks are, the consequences of an infection are always severe, with data both encrypted and stolen.

Rook’s data breach site currently contains two victims, a bank and an Indian aviation and aerospace specialist.

Both were added this month, so the group’s operation is still at an early stage.

If qualified affiliates join the new RaaS, Rook could become a significant threat in the future.

