Rook ransomware is yet another generation of the leaked Babuk code
A new ransomware operation named Rook has recently emerged in the cybercrime space, declaring a desperate need to make “big bucks” by breaching corporate networks and encrypting devices.
While the introductory statements on their data breach portal were slightly amusing, the first victim announcements on the site made it clear that Rook was not playing games.
SentinelLabs researchers took a look at the new strain, revealing its technical details, chain of infection, and overlap with Babuk ransomware.
The Rook ransomware payload is typically delivered via Cobalt Strike, with phishing emails and shady torrent downloads reported as the initial infection vectors.
Payloads are packed with UPX or other crypters to help evade detection. When executed, the ransomware attempts to terminate processes related to security tools or anything else that could interfere with the encryption.
“Interestingly, we see the kph.sys Process Hacker driver come into play in shutting down the process in some cases but not in others,” SentinelLabs says in its report. “This probably reflects the attacker’s need to exploit the driver to disable certain local security solutions on specific engagements.”
Rook also uses vssadmin.exe to remove shadow volume copies, a standard tactic used by ransomware operations to prevent shadow volumes from being used to recover files.
Analysts could not find any persistence mechanism, so Rook encrypts files, appends the “.Tower” extension, and then removes itself from the compromised system.
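As an added illustration (not code from the SentinelLabs report or from this article), the following Python scans constructed, Sysmon-style process-creation and driver-load events for the two behaviours described above: vssadmin.exe deleting shadow copies, and the kph.sys Process Hacker driver being loaded. The key="value" record format, the file paths and the sample events are assumptions, not real telemetry.

```python
import re

# Constructed sample events (not real telemetry), in a simplified key="value"
# form modelled on Sysmon process-creation (EventID 1) and driver-load (EventID 6).
SAMPLE_EVENTS = [
    'EventID="1" Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage="C:\\Users\\Public\\update.exe"',
    'EventID="1" Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe list shadows" ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'EventID="6" ImageLoaded="C:\\Windows\\Temp\\kph.sys" Signed="true"',
    'EventID="6" ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signed="true"',
]

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one key="value" record into a dict."""
    return dict(_KV.findall(line))


def classify(event):
    """Return a finding label for a suspicious event, or None if it looks benign."""
    if event.get("EventID") == "1":
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "").lower()
        # Shadow-copy deletion via vssadmin, the pre-encryption step Rook (and Babuk) use.
        # "vssadmin list shadows" is routine administration and is deliberately not flagged.
        if image.endswith("\\vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
            return "shadow_copy_deletion"
    if event.get("EventID") == "6":
        loaded = event.get("ImageLoaded", "").lower()
        # Process Hacker's kph.sys kernel driver: legitimate when an admin runs the tool,
        # worth an alert when it appears during an incident or from an unusual directory.
        if loaded.endswith("\\kph.sys"):
            return "process_hacker_driver_load"
    return None


def scan(lines):
    """Return (label, event) pairs for every suspicious event in the input."""
    findings = []
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        if label:
            findings.append((label, event))
    return findings


if __name__ == "__main__":
    for label, event in scan(SAMPLE_EVENTS):
        print(label, event.get("CommandLine") or event.get("ImageLoaded"))
```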
Based on Babuk
SentinelLabs found many code similarities between Rook and Babuk, a former RaaS whose full source code was leaked on a Russian-speaking forum in September 2021.
For example, Rook uses the same API calls to retrieve the name and state of each running service and the same functions to terminate them.
Additionally, the list of Windows processes and services that are terminated is the same for both ransomware families.
This includes the Steam gaming platform, Microsoft Office, the Outlook email client, and Mozilla Firefox and Thunderbird.
Other similarities include how the encryptor deletes volume shadow copies, uses the Windows Restart Manager API, and enumerates local drives.
Due to these code similarities, SentinelOne believes Rook is based on the leaked source code of the Babuk ransomware operation.
Is Rook a serious threat?
While it is too early to tell how sophisticated Rook’s attacks are, the consequences of an infection are always severe, leading to encrypted and stolen data.
Rook’s data breach site currently contains two victims, a bank and an Indian aviation and aerospace specialist.
Both were added this month, so the group’s operation is still at an early stage.
If skilled affiliates join the new RaaS, Rook could become a significant threat in the future.