Rook, a new ransomware operation that has recently surfaced on the cyber-crime scene, has declared a desperate need to make “a lot of money” by breaking into corporate networks and encrypting devices. Although the opening words on its data leak portal were mildly amusing, the site’s first victim notifications made it apparent that Rook is not playing games. SentinelLabs researchers have dug deep into the new strain, disclosing technical details, the infection chain, and how it differs from the Babuk ransomware.
Cobalt Strike is generally used to deliver the Rook ransomware payload, with phishing emails and dodgy torrent downloads being the most common infection vectors. To help avoid detection, the payloads are packed with UPX or protected with other crypters. When the ransomware runs, it tries to terminate any processes tied to security products, or anything else that could interfere with encryption.
“Interestingly, we see the kph.sys driver from Process Hacker come into play in process termination in some cases but not others,” SentinelLabs says in its report. “This likely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific engagements.”
Rook also deletes volume shadow copies with vssadmin.exe, a classic ransomware technique that prevents shadow volumes from being used to recover files. According to the analysts, Rook encrypts the files, appends the “.Rook” suffix, and then erases itself from the compromised system.
SentinelLabs discovered significant code similarities between Rook and Babuk, a defunct RaaS whose source code was leaked in September 2021 on a Russian-language forum. Rook, for example, employs the same API calls to get the name and status of each active service, as well as the same methods to stop them.
The list of processes and Windows services that are terminated is also the same for both ransomware families. The Steam game platform, the Microsoft Office and Outlook email clients, and Mozilla Firefox and Thunderbird are all included.
Other commonalities include the encryptor deleting shadow volume copies, using the Windows Restart Manager API, and enumerating local disks. Because of these coding similarities, SentinelOne believes Rook is built on the Babuk operation’s leaked source code.
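The behaviours described above (the vssadmin shadow-copy deletion, the kph.sys driver from Process Hacker, and files renamed with the “.Rook” suffix) translate directly into host-based detection rules. The following is an added example, not code from the SentinelLabs report; it runs a small detector over constructed Sysmon-style records, and the event IDs (1 = process creation, 6 = driver load, 11 = file create), file paths and command lines are assumptions built for the sample.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style records for the example; none of these values come
# from the report. "id" is the Sysmon event ID: 1 process create, 6 driver load,
# 11 file create.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet", "parent": r"C:\Users\bob\update.exe"},
    {"id": "1", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows", "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": "6", "image": r"C:\Users\bob\AppData\Local\Temp\kph.sys", "cmd": "", "parent": ""},
    {"id": "11", "image": r"C:\Users\bob\update.exe", "cmd": "", "parent": "",
     "target": r"C:\Users\bob\Documents\q3-forecast.xlsx.Rook"},
    {"id": "11", "image": r"C:\Windows\explorer.exe", "cmd": "", "parent": "",
     "target": r"C:\Users\bob\Documents\notes.txt"},
]

# Matches vssadmin invocations that delete shadow copies; "list" or "create"
# runs by administrators do not match.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when a command line deletes volume shadow copies via vssadmin."""
    return bool(SHADOW_DELETE.search(cmdline))


def is_kph_driver_load(event: Dict[str, str]) -> bool:
    """Process Hacker's kph.sys being loaded; legitimate on admin workstations,
    so this is a correlation signal rather than a verdict on its own."""
    return event["id"] == "6" and event["image"].lower().endswith("\\kph.sys")


def is_rook_extension(path: str) -> bool:
    """Encrypted output carries the .Rook suffix described in the report."""
    return path.lower().endswith(".rook")


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, detail) pairs for every record that trips a rule."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        if e["id"] == "1" and is_shadow_copy_deletion(e["cmd"]):
            hits.append(("shadow_copy_deletion", f"{e['parent']} -> {e['cmd']}"))
        elif is_kph_driver_load(e):
            hits.append(("kph_driver_load", e["image"]))
        elif e["id"] == "11" and is_rook_extension(e.get("target", "")):
            hits.append(("rook_extension_write", e["target"]))
    return hits
```

In practice the shadow-copy rule is the strongest of the three, since deleting all shadow copies with `/quiet` has almost no legitimate use; the other two are best raised in priority only when they co-occur with it on the same host.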