Rook Uses Babuk’s Leaked Code in Kazakh Bank Attacks

Researchers say Rook won’t be the last ransomware bunch to feed on Babuk’s code

Soumik Ghosh •
December 27, 2021

Rook uses leaked Babuk code in attacks on Kazakh banks
Snapshot of the Rook ransomware group’s website (Source: Zack Allen’s tweet)

Jim Walter and Niranjan Jayanand, researchers at SentinelLabs, the threat intelligence arm of California-based cybersecurity firm SentinelOne, discovered that a new ransomware group called Rook used leaked source code from the linked Babuk advanced persistent threat group. to Russia to target Kazakhstan-based finance. Institutions.

See also: Frost & Sullivan Executive Summary: Beyond the Cloud

According to a SentinelLabs blog post, the Rook ransomware operators claim to have stolen 1.1 terabytes of data from three financial companies, including Zhilstroysberbank, a Kazakhstan bank that offers home loans at affordable rates, according to the company’s website.

The blog post says that Rook, on its Tor-based website, says: “10GB of (stolen) data will be released now, 200GB will be released in one week, and all data will be released in two weeks.” The group claims to have a large database of vulnerabilities and boasts of its ability to always penetrate the target system. It also says, “We desperately need a lot of money,” according to the publication.

Rook Ransomware Group – Victim Information (Source: SentinelLabs blog)

The bank has not issued a statement on the allegedly stolen data and has not yet responded to Information Security Media Group’s request for confirmation.

Security researchers find independent threat hunters who spoke to ISMG and say they are concerned that the Babuk ransomware code is available on code repositories such as GitHub. Rook, they say, will not be the last ransomware group to feed on Babuk’s code and carry out successful exploits like the recent ones on Kazakh banks.

Rook Ransomware: The Last Spawn of Babuk

The Rook ransomware variant was first discovered by threat researcher Zack Allen. Following the discovery, Allen said in a tweet that many of the YARA rules come from the Babuk APT group.

Threat researcher Stephan Simon, who goes by the name FirehaK on GitHub, analyzed the Babuk code and confirmed that Rook is “definitely using Babuk’s font.” Virus Total’s analysis also says that the code is a generic Babuk ransomware code.

SentinelLabs researchers found that Rook code has the ability to attempt to terminate any process that may interfere with encryption. Rook uses vssadmin.exe, a default Windows process that can be used to delete Shadow Volume Copies of documents. Deleting these snapshots ensures that the destination cannot recover the data from the backups.

Once the Rook malware runs through its execution, it terminates and is erased from the target system.

Babuk source code leak is concerning

SentinelLabs researchers say that with the immediate availability of the leaked Babuk source code, it is “inevitable that the proliferation of new groups of ransomware that we are seeing now will only continue.”

Threat researchers at Indian cybersecurity firm CloudSEK tell ISMG that the Babuk source code leak allows level 2 ransomware groups to use the code available for free on GitHub on its own or as a building block. to carry out targeted attacks not only on Windows systems, but also on VMware. machines that also run on Windows and Linux servers.

“Babuk threat actors only offered initial access before, but then they made 1,000 live VMware instances available along with source code that the ransomware can be deployed with. If a threat actor wants to carry out an attack right now , it’s fully capable of doing it, “says Darshit Ashara, associate vice president for research at CloudSEK.

Koushik Sivaraman, vice president of cyber threat intelligence at CloudSEK, tells ISMG that although large organizations have some type of detection and prevention mechanism for known ransomware, many Tier 2 companies may not have those capabilities or apply enough patches. speed.

Babuk’s source code, while quite capacious, is not bug-free. Fabian Wosar, CTO of ransomware decryption company Emsisoft, says in a blog post that fundamental design flaws in Babuk’s ransomware code, particularly in the encryption and decryption parts, could lead to permanent loss of data.

How Babuk Ransomware evades detection

Sivaraman says that the source code’s cipher-blocking ability is not necessarily a concern, but its resistance to decryption, its persistence, and its ability to evade endpoint solutions and subsequent analysis are of concern.

According to Emsisoft’s Wosar, Babuk uses elliptic curve cryptography for encryption, making it difficult to crack the code.

A rather unique feature of the Babuk ransomware code is that the moment it detects a virtual environment, it is automatically terminated. This, Wosar says, makes it difficult for security teams to circumvent evasion measures.

Rook’s VSS removal is similar to Babuk’s. (Source: SentinelLabs blog)

Ransomware source code leaks are not new. Sivaraman says the trend is at least a decade old.

In August 2021, a member of the “Disgruntled” Conti ransomware group APT allegedly leaked manuals and technical guides used by the threat group to train affiliate members.

According to Sivaraman, ransomware groups download source code or make their attack mechanisms public when they detect signs that federal investigators are closing in.

This results in Level 2 ransomware operators using the original source code to spread independent targeted attacks. Now, instead of the federal government being able to pinpoint the source of a targeted attack and link it to a single threat actor, it has to examine the “noise” created by multiple groups using similar attack mechanisms and avenues, he says.

The noise, Sivaraman says, allows the original threat actors to escape, avoiding heavy penalties and imprisonment.


CloudSEK’s Ashara says that security organizations should patch known vulnerabilities exploited by Babuk threat actors and understand the ways that threat actors can make their way into organizations.

Businesses should remember that the Babuk ransomware code has no known freely obtainable decryptors, it says.

SentinelLabs researchers advise organizations to use well-documented data recovery and business continuity plans, as leaked source code and recent vulnerabilities like Log4j2 can allow initial access “without great technical skill.”


Leave a Comment