A new ransomware strain named Rook has appeared recently in the cyber-crime space, declaring a desperate need to make “a lot of money” by breaching corporate networks and encrypting devices.
Researchers have taken a deep dive into the new strain, revealing its technical details, infection chain, and how it overlaps with the Babuk ransomware.
The Rook ransomware payload is usually delivered via Cobalt Strike, with phishing emails and shady torrent downloads being reported as the initial infection vector. The payloads are packed with UPX or other crypters to help evade detection. When executed, the ransomware attempts to terminate processes related to security tools or anything that could interrupt the encryption.
The kph.sys driver from Process Hacker has been seen used for process termination. Rook also uses vssadmin.exe to delete volume shadow copies, a standard tactic used by ransomware operations to prevent shadow volumes from being used to recover files. After encryption it appends the “.Rook” extension to the encrypted files and then deletes itself from the compromised system.
There are numerous code similarities between Rook and Babuk, a defunct RaaS whose complete source code was leaked on a Russian-speaking forum. Rook uses the same API calls to retrieve the name and status of each running service and the same functions to terminate them.
Further similarities include the way the encryptor deletes shadow volume copies, uses the Windows Restart Manager API, and enumerates local drives. Because of these code overlaps, Rook is believed to be based on the leaked source code of the Babuk ransomware operation.
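As an added illustration, not code from the article or from the researchers it cites, the following Python sketch matches the three host-level behaviours described above (vssadmin shadow deletion, a kph.sys driver load, and files written with the .Rook extension) against Sysmon-style process, driver-load and file-create events. The event field names and the sample records are constructed assumptions.

```python
import re
from typing import Callable, Iterable

# Constructed Sysmon-style events (assumed shape: EventID plus the usual Sysmon field names).
# These records were written for this example and are not telemetry from the article.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\kph.sys", "Signature": "Process Hacker"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx.Rook"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx"},
]

VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)

def is_shadow_deletion(event: dict) -> bool:
    # T1490: process-creation event where vssadmin.exe deletes volume shadow copies.
    return event.get("EventID") == 1 and bool(VSSADMIN_DELETE.search(event.get("CommandLine", "")))

def is_kph_driver_load(event: dict) -> bool:
    # Driver-load event for Process Hacker's kph.sys, which Rook leans on to kill processes.
    return event.get("EventID") == 6 and event.get("ImageLoaded", "").lower().endswith("\\kph.sys")

def is_rook_extension(event: dict) -> bool:
    # File-create event whose target carries the ".Rook" extension appended after encryption.
    return event.get("EventID") == 11 and event.get("TargetFilename", "").lower().endswith(".rook")

# Rule name paired with its predicate; only the vssadmin rule carries an ATT&CK id from the article.
RULES: list[tuple[str, Callable[[dict], bool]]] = [
    ("T1490 shadow copy deletion via vssadmin", is_shadow_deletion),
    ("kph.sys (Process Hacker driver) loaded", is_kph_driver_load),
    ("file written with .Rook extension", is_rook_extension),
]

def detect(events: Iterable[dict]) -> list[tuple[str, dict]]:
    """Return (rule_name, event) for every event that matches a rule, in event order."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event))
    return hits

if __name__ == "__main__":
    for name, event in detect(SAMPLE_EVENTS):
        print(f"[{name}] {event}")
```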
Indicators of Compromise (MITRE ATT&CK techniques)
T1027.002 – Obfuscated Files or Information: Software Packing
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
TA0010 – Exfiltration
T1082 – System Information Discovery
T1490 – Inhibit System Recovery