Rook: New Ransomware in the market scavenges code from Babuk
Security researchers have found a new ransomware family, dubbed Rook, that reuses code from the earlier Babuk ransomware. It was first seen on VirusTotal on November 26th and claimed its first victim, a Kazakh financial organization, on November 30th, stealing 1128GB of data from it.

Rook ransomware gains access to a victim’s system through a third-party framework such as Cobalt Strike, or through a phishing email. Individual samples are typically UPX-packed, but other packers/crypters, such as VMProtect, have also been observed. When executed, it attempts to terminate processes associated with security tools or anything else that could interfere with encryption. Because no persistence mechanism has been discovered, Rook encrypts the files, appends the “.Rook” extension, and then deletes itself from the compromised system.

Rook has been linked to Babuk for the following reasons:

• The same API calls are used to retrieve the name and status of each running service, and the same functions are used to terminate them.

• The list of processes and Windows services that are stopped is the same for both ransomware families.

• Both check whether the sample is running on a 64-bit OS before deleting the disk shadow copies from the victim’s machine.

• Both use the Windows Restart Manager API to assist with process termination, including processes associated with Microsoft Office programs and the popular gaming platform Steam.

• Both use similar code for enumerating local drives.
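The behaviours above (shadow copy deletion before encryption, and files being written with the “.Rook” extension) are observable on an endpoint. The following is an added detection example, not code from the advisory or from the researchers who analysed Rook. It runs over constructed Sysmon-style process-creation and file-creation records; the event field names (`event`, `host`, `command_line`, `path`) are assumptions for the example, the shadow-copy command-line patterns are the common T1490 forms rather than anything the advisory attributes to Rook specifically, and the per-host file threshold is an illustrative tuning value.

```python
"""Endpoint detection sketch for two Rook behaviours described in the advisory:
shadow copy deletion (T1490) and a burst of files carrying the ".Rook" extension.
Added example; event schema and sample records are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Common shadow-copy deletion command lines (general T1490 patterns, an assumption
# for this example; the advisory only states that Rook deletes the disk shadow).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),  # WMI/PowerShell route to the same effect
]

# Extension taken from the advisory text.
ROOK_EXTENSION = ".rook"


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def detect(events: List[Dict[str, str]], file_threshold: int = 5) -> List[Alert]:
    """Return one alert per shadow-copy deletion and one per host that wrote at
    least `file_threshold` files ending in .Rook (a single hit is more likely noise)."""
    alerts: List[Alert] = []
    rook_files_per_host: Dict[str, int] = {}

    for ev in events:
        kind = ev.get("event")
        host = ev.get("host", "?")
        if kind == "process_create":
            cmd = ev.get("command_line", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                alerts.append(Alert("T1490 shadow copy deletion", host, cmd))
        elif kind == "file_create":
            path = ev.get("path", "")
            if path.lower().endswith(ROOK_EXTENSION):
                rook_files_per_host[host] = rook_files_per_host.get(host, 0) + 1

    for host, count in rook_files_per_host.items():
        if count >= file_threshold:
            alerts.append(Alert(".Rook extension burst", host,
                                f"{count} files written with {ROOK_EXTENSION}"))
    return alerts


# Constructed sample records: WS01 shows both behaviours, WS02 shows a single
# .Rook file (below threshold) and benign activity.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create", "host": "WS01",
     "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"event": "process_create", "host": "WS01",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    *[{"event": "file_create", "host": "WS01",
       "path": f"C:\\Users\\alice\\Documents\\report{i}.xlsx.Rook"} for i in range(5)],
    {"event": "file_create", "host": "WS02", "path": "C:\\Users\\bob\\notes.txt"},
    {"event": "file_create", "host": "WS02", "path": "C:\\Users\\bob\\old.docx.Rook"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.host}] {alert.rule}: {alert.detail}")
```

The threshold on `.Rook` files keeps a lone renamed file from paging an analyst, while the shadow-copy rule fires on a single event because that command line has almost no legitimate interactive use on a workstation.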

Organizations should educate employees about phishing to reduce the risk of being targeted by ransomware families such as Rook and Babuk.

The TTPs used by Rook include:

TA0001 – Initial Access

T1566 – Phishing

TA0002 – Execution

T1059 – Command and Scripting Interpreter

TA0005 – Defense Evasion

T1027 – Obfuscated Files or Information

T1027.002 – Obfuscated Files or Information: Software Packing

T1562 – Impair Defenses

TA0007 – Discovery

T1007 – System Service Discovery

T1082 – System Information Discovery

TA0011 – Command and Control

T1090 – Proxy

TA0010 – Exfiltration

TA0040 – Impact

T1490 – Inhibit System Recovery

Indicators of Compromise (IoCs)