Rook ransomware, a new ransomware born from leaked Babuk code


A new ransomware named Rook has hit the cybercrime scene, declaring that it will make “big bucks” by infiltrating corporate networks and encrypting devices.

Source: New Rook Ransomware Feeds Off the Code of Babuk (SentinelOne)

On November 30, 2021, Rook’s first victim was found: according to Rook’s leak site, its operators stole 1123 GB of data from a financial institution in Kazakhstan. More victims have since been reported.

SentinelLabs has been studying this new ransomware to determine its technical details, infection path, and overlap with the Babuk ransomware.

Infection process

Rook ransomware payloads are usually delivered via Cobalt Strike, with phishing emails and suspicious torrent downloads being reported as the first infection routes.

The payload is packed with UPX and uses further obfuscation to evade detection. When the ransomware executes, it attempts to terminate processes related to security tools, as well as processes that could interrupt encryption (for example by holding files open).

Interestingly, in some samples the kph.sys driver (the kernel driver shipped with Process Hacker) is involved in terminating processes, while in others it is not.

This may reflect the fact that, for a particular job, the attacker needed to leverage this driver in order to disable a specific local security solution that could not be stopped from user mode.

Rook also uses vssadmin.exe to delete the volume shadow copies. This is a standard tactic used in ransomware operations to prevent shadow volumes from being used to restore files.
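Because shadow copy deletion is a high-signal precursor to encryption, it is worth detecting from process-creation telemetry rather than waiting for the ransom note. The following is an added example written for this article, not code from SentinelLabs or from the Rook sample: it runs simple command-line rules over a few constructed Sysmon/4688-style events. The first rule covers the vssadmin behaviour described above; the wmic, WMI-method and shadowstorage-resize rules are my generalisation to sibling shadow copy tampering techniques that the article does not attribute to Rook.

```python
import re
from typing import Dict, Iterable, List, Pattern, Tuple

# Constructed sample process-creation events (pid + command line), in the
# shape a Sysmon Event ID 1 or Windows 4688 collector would hand a detector.
# These are hand-made for this example, not telemetry from the Rook campaign.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4120, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4133, "cmdline": "vssadmin list shadows"},                  # benign: should not fire
    {"pid": 4150, "cmdline": "wmic shadowcopy delete"},
    {"pid": 4171, "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | '
                             'ForEach-Object { $_.Delete() }"'},
    {"pid": 4188, "cmdline": "cmd /c VSSADMIN.EXE  Delete  Shadows  /All  /Quiet"},  # case/spacing variant
    {"pid": 4200, "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]

# (rule name, compiled pattern). Patterns are matched against a normalised
# (lower-cased, whitespace-collapsed) command line so trivial spacing and
# casing tricks do not evade them. The vssadmin delete rule is the behaviour
# the article describes; the rest are sibling techniques (assumed extension).
SHADOW_COPY_RULES: List[Tuple[str, Pattern[str]]] = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("wmi_shadowcopy_delete_method",
     re.compile(r"win32_shadowcopy.*?\.delete\(\)")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=")),
]


def normalize_cmdline(cmdline: str) -> str:
    """Lower-case and collapse runs of whitespace to a single space."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def detect_shadow_copy_tampering(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per event whose command line matches a shadow copy rule.

    The first matching rule wins so a single event is reported once.
    """
    findings: List[Dict[str, object]] = []
    for event in events:
        norm = normalize_cmdline(str(event["cmdline"]))
        for rule_name, pattern in SHADOW_COPY_RULES:
            if pattern.search(norm):
                findings.append({"pid": event["pid"], "rule": rule_name,
                                 "cmdline": event["cmdline"]})
                break
    return findings


if __name__ == "__main__":
    for hit in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] pid={hit['pid']} cmdline={hit['cmdline']}")
```

In a real deployment the same rules would be fed from the collector's command-line field; tuning usually means allow-listing backup agents that legitimately resize shadow storage, while leaving an unconditional `delete shadows` from an interactive or scripted parent as a high-severity alert.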

Analysts have found that Rook encrypts files, adds a “.Rook” extension, and then deletes itself from the infected system.

Based on Babuk

SentinelLabs compared Rook to Babuk, an already defunct RaaS whose full source code was leaked on a Russian-speaking forum in September 2021, and found numerous code similarities.

For example, Rook uses the same API call to get the name and state of each running service, and the same function to terminate them.

Also, the list of processes and Windows services to be stopped is the same for both ransomware.

This includes the gaming platform Steam, Microsoft Office and the Outlook email client, and Mozilla Firefox and Thunderbird.

Other similarities include how the encryptor deletes volume shadow copies, its use of the Windows Restart Manager API (to release files held open by other processes before encrypting them), and its enumeration of local drives.

Because of these code similarities, SentinelOne assesses that Rook is based on the leaked source code of the Babuk ransomware.

Is Rook a Serious Threat?

It is still too early to determine how sophisticated Rook’s attack is, but the consequences of an infection can be severe, leading to encrypted or stolen data.

Rook’s data leak site currently lists two victims: a bank and an Indian aerospace specialist.

Both were added this month, and the group is still in the early stages of its activity.

Rook could be a major threat in the future if skilled affiliates join the new RaaS.
