New Rook Ransomware borrows code from Babuk
Recently launched ransomware operation, named Rook, made headlines for its announcement claiming a desperate need a lot of money.
A new ransomware operation named Rook appeared in the threat landscape, it was first reported by researcher Zach Allen and caught the attention of the experts for its blatant announcement that claims a desperate need to make “a lot of money” by breaching corporate networks.
New ransomware variant, “Rook Ransomware”, found on VT practicing searches/hunting on my day off. Lots of Yara rules on it being Babuk -> expect lots of this after source code is leaked. “We desperately need a lot of money” 🤦thx @malwrhunterteam for a catch on earlier tweet🙈 pic.twitter.com/wEBNdvDlBk
— Zack Allen (@teachemtechy) November 26, 2021
On November 30th, Rook ransomware gang published the name of the first victim, a Kazkh financial institution, on its leak site.
Researchers at SentinelLabs analyzed the malware and noticed significant overlaps with the Babuk ransomware.
The attack chain starts with phishing messages, experts also reported attacks leveraging third-party framework, such as Cobalt Strike, to drop the malware.
The malware is packed with UPX although researchers also observed the use of crypters to avoid detection.
Upon execution, the Rook ransomware attempts to terminate processes related to security software or other application that could interfere with the encryption process. Like other ransomware families, Rook will also attempt to delete volume shadow copies to prevent victims from restoring from backup without paying the ransom.
“The ransomware attempts to terminate any process that may interfere with encryption. Interestingly, we see the kph.sys driver from Process Hacker come into play in process termination in some cases but not others. This likely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific engagements.” reads the post published by the analysis published by SentinelLabs.
Early variants of Rook ransomware appends a .TOWER extension, while all current variants use the .ROOK extension.
The samples analyzed by the researchers don’t implement any persistence mechanisms. Experts noticed numerous code similarities between Rook and Babuk, which had its its source code leaked on a hacking forum in September 2021.
“Babuk and Rook use EnumDependentServicesA API to retrieve the name and status of each service that depends on the specified service before terminating. They enumerate all services in the system and stop all of those which exist in a hardcoded list in the malware. Using OpenSCManagerA API, the code gets the Service Control Manager, gets the handle and then enumerates all services in the system.” continues the analysis. “In addition, both Rook and Babuk use the functions CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, and TerminateProcess to enumerate running processes and kill any found to match those in a hardcoded list.”
Researchers also noted an overlap with regards to some of the environmental checks implemented by the ransomware to avoid being analyzed.
Researchers also published Indicators of Compromise (IoCs) for the new threat.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine