Rook ransomware is yet another spawn of the leaked Babuk code

tower

A new ransomware operation called Rook has recently appeared in the cybercrime space, declaring a desperate need to make “big bucks” by breaching corporate networks and encrypting devices.

Although the introductory statements on his data breach portal were a bit amusing, the first victim announcements on the site made it clear that Rook is not playing games.

About Us Section on the Rook Leaks Portal
About Us Section on the Rook Leaks Portal

SentinelLabs researchers have delved into the new strain, revealing its technical details, infection chain, and how it overlaps with the Babuk ransomware.

Infection process

The Rook ransomware payload is typically delivered via Cobalt Strike, and suspicious phishing emails and torrent downloads are reported as the initial infection vector.

The payloads are packed with UPX or other crypters to help evade detection. When run, the ransomware tries to kill processes related to security tools or anything that might disrupt encryption.

Completed services
Completed services
Source: SentinelLabs

“Interestingly, we see the kph.sys The Process Hacker controller comes into play in terminating the process in some cases, but not others, “SentinelLabs explains in their report.

“This likely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific compromises.”

Volume Shadow Copy Cleanup Process
Volume Shadow Copy Cleanup Process
Source: SentinelLabs

Rook also uses vssadmin.exe to delete Shadow Volume Copies, a standard tactic used by ransomware operations to prevent shadow volumes from being used to recover files.

Analysts haven’t found any persistence mechanisms, so Rook will encrypt the files, adding the “.Tower“extension and then deleting itself from the compromised system.

Files Encrypted by Rook
Files Encrypted by Rook
Source: SentinelLabs

Based on Babuk

SentinelLabs has found numerous code similarities between Rook and Babuk, a missing RaaS whose full source code was leaked on a Russian-speaking forum in September 2021.

For example, Rook uses the same API calls to retrieve the name and status of each running service and the same functions to terminate them.

Also, the list of Windows processes and services that are stopped is the same for both ransomware.

This includes the Steam gaming platform, the Microsoft Office and Outlook email client, and Mozilla Firefox and Thunderbird.

Other similarities include how the encryptor deletes Shadow Volume Copies, uses the Windows Restart Manager API, and enumerates local drives.

List local units alphabetically
List local units alphabetically
Source: SentinelLabs

Due to these code similarities, Sentinel One believes that Rook relies on the leaked source code for the Babuk Ransomware operation.

Is Rook a serious threat?

While it is too early to know how sophisticated Rook’s attacks are, the consequences of an infection are still dire, leading to encrypted and stolen data.

Rook’s data breach site currently contains two victims, a bank and an Indian aviation and aerospace specialist.

Both were added this month so we are at an early stage of group activities.

If trained affiliates join the new RaaS, Rook could become a significant threat down the road.

Leave a Comment