A new ransomware, named Rook, has been discovered targeting corporate networks and encrypting devices. Experts have noticed overlaps in the code of Rook and Babuk ransomware.

What has happened?

In November, the Rook ransomware was spotted on VirusTotal and drew attention for the way operators behind it introduced themselves.
  • Rook ransomware payloads are being propagated via phishing emails and fake torrent downloads.
  • It leverages third-party tools, including CobaltStrike, and the payloads are packed using UPX or other crypters to avoid detection.
  • At present, the data leak site lists two victims: a bank and an Indian aviation and aerospace specialist.

How does it function?

  • Whenever the ransomware is executed, it tries to end processes that could block encryption, using the kph[.]sys driver from Process Hacker or other tools.
  • The operators use the kph[.]sys driver to disable specific local security solutions when particular events occur. The ransomware then encrypts files, appends the ‘.Rook’ extension, and deletes itself.
  • The ransomware uses vssadmin[.]exe to delete volume shadow copies, a basic tactic used by ransomware groups to prevent shadow volumes from being used to restore encrypted files.
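As an added defender-side illustration (not code from the original report), the following Python triages constructed sample host events for the three behaviours described above: the vssadmin shadow-copy deletion, a kph.sys driver load, and the ‘.Rook’ rename. The event field names are assumptions chosen for this example, not any product's schema.

```python
import ntpath
import re

# Constructed sample telemetry (not real logs); the field names are assumptions
# chosen for this example, not any SIEM or EDR product's schema.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "driver", "image": r"C:\Users\Public\kph.sys"},
    {"type": "rename", "old": r"C:\Data\q3.xlsx", "new": r"C:\Data\q3.xlsx.Rook"},
    {"type": "process", "cmdline": "vssadmin.exe list shadows"},   # benign admin use
    {"type": "rename", "old": r"C:\Data\a.txt", "new": r"C:\Data\a.txt.bak"},
]

# Matches only the destructive sub-command, so "vssadmin list shadows" stays quiet.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


def classify(event):
    """Map one event to a rule name, or None if it matches nothing."""
    kind = event.get("type")
    if kind == "process" and SHADOW_DELETE.search(event.get("cmdline", "")):
        return "shadow_copy_deletion"
    if kind == "driver" and ntpath.basename(event.get("image", "")).lower() == "kph.sys":
        # kph.sys is Process Hacker's own driver, so on its own this is low confidence.
        return "kph_driver_load"
    if kind == "rename" and event.get("new", "").lower().endswith(".rook"):
        return "rook_extension"
    return None


def triage(events):
    """Combine rule hits from one host's events into a verdict.

    Two or more distinct behaviours together are far stronger evidence than any
    one alone (a stray kph.sys load may just be an admin running Process Hacker).
    """
    rules = sorted({classify(e) for e in events} - {None})
    if len(rules) >= 2:
        verdict = "likely_ransomware"
    elif rules:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"rules": rules, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```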

A connection to Babuk

Researchers from SentinelLabs discovered multiple code similarities with Babuk ransomware, the RaaS whose full source code was leaked on a Russian-speaking forum in June.
  • Rook uses similar API calls to obtain the name and status of running services, and the same functions to end them.
  • Moreover, both ransomware families share the same list of processes and Windows services to be stopped.
  • Other similarities include the way the encryptor deletes shadow volumes, enumerates local drives, and uses the Windows Restart Manager API.
  • Therefore, researchers suspect that Rook may be based on Babuk.

Conclusion

Going by the prevailing opinion of experts, Rook is based on the leaked source code of the Babuk ransomware and shows signs of becoming a serious threat in the future. Organizations should therefore maintain reliable cyber defenses and tested backups.

Cyware Publisher