
Rook ransomware is yet another spawn of the leaked Babuk code



A new ransomware operation named Rook has appeared recently in the cybercrime space, declaring a desperate need to make “a lot of money” by breaching corporate networks and encrypting devices.

Although the introductory statements on their data leak portal were marginally funny, the first victim announcements on the site have made it clear that Rook is not playing games.

About Us section on Rook’s leak portal

Researchers at SentinelLabs have taken a deep dive into the new strain, revealing its technical details, infection chain, and how it overlaps with the Babuk ransomware.

Infection process

The Rook ransomware payload is usually delivered via Cobalt Strike, with phishing emails and shady torrent downloads reported as the initial infection vectors.

The payloads are packed with UPX or other crypters to help evade detection. When executed, the ransomware attempts to terminate processes related to security tools or anything that could interrupt the encryption.

Terminated services
Source: SentinelLabs

“Interestingly, we see the kph.sys driver from Process Hacker come into play in process termination in some cases but not others,” SentinelLabs explains in its report.

“This likely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific engagements.”

Volume shadow copy wiping process
Source: SentinelLabs

Rook also uses vssadmin.exe to delete volume shadow copies, a standard tactic used by ransomware operations to prevent shadow volumes from being used to recover files.

Analysts have found no persistence mechanisms, so Rook will encrypt the files, append the “.Rook” extension and then delete itself from the compromised system.

Files encrypted by Rook
Source: SentinelLabs
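The two behaviours just described, shadow-copy deletion through vssadmin.exe and the mass renaming of files to the “.Rook” extension, are both visible in ordinary endpoint telemetry. The following detection logic is an added example written for this article, not code from SentinelLabs or from the ransomware itself; the event records it scans are constructed here to resemble process-creation and file-event logs, and the host names, paths and thresholds are assumptions.

```python
"""Flag two ransomware behaviours in endpoint telemetry (added example, not SentinelLabs code).

1. vssadmin.exe invoked with a 'delete shadows' command line.
2. A burst of files renamed to a '.Rook' extension by a single process on one host.
"""
import re
from collections import Counter

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
SAMPLE_PROCESS_EVENTS = [
    {"ts": "2021-12-20T10:01:02Z", "host": "ws01",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\Public\svc.exe"},          # assumed dropper path
    {"ts": "2021-12-20T09:12:44Z", "host": "ws02",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",                # benign: listing, not deleting
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2021-12-20T09:15:00Z", "host": "ws02",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Constructed file-create/rename events: one process writing several '.Rook' files.
SAMPLE_FILE_EVENTS = [
    {"host": "ws01", "process": r"C:\Users\Public\svc.exe", "path": r"C:\Users\alice\Documents\q4.xlsx.Rook"},
    {"host": "ws01", "process": r"C:\Users\Public\svc.exe", "path": r"C:\Users\alice\Documents\plan.docx.Rook"},
    {"host": "ws01", "process": r"C:\Users\Public\svc.exe", "path": r"C:\Users\alice\Pictures\img1.jpg.Rook"},
    {"host": "ws01", "process": r"C:\Users\Public\svc.exe", "path": r"C:\Users\alice\Pictures\img2.jpg.Rook"},
    {"host": "ws02", "process": r"C:\Windows\explorer.exe", "path": r"C:\Users\bob\Desktop\chess.rook"},  # single hit, below threshold
]

# 'delete' and 'shadows' in either order after the vssadmin token; case-insensitive.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def find_shadow_copy_deletion(events):
    """Return process events where vssadmin.exe is used to delete shadow copies."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("vssadmin.exe"):
            continue
        if SHADOW_DELETE_RE.search(ev["cmdline"]):
            hits.append(ev)
    return hits


def find_mass_extension_renames(events, ext=".rook", threshold=3):
    """Count files per (host, process) that end in `ext`; return pairs at or above `threshold`.

    The threshold is an assumption: a single renamed file is noise, a burst from one
    process is the encryption phase described in the article.
    """
    counts = Counter()
    for ev in events:
        if ev["path"].lower().endswith(ext):
            counts[(ev["host"], ev["process"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def build_alerts(process_events, file_events):
    """Combine both detections into a list of alert dicts for a SIEM or triage queue."""
    alerts = []
    for ev in find_shadow_copy_deletion(process_events):
        alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                       "parent": ev["parent"], "cmdline": ev["cmdline"]})
    for (host, proc), n in find_mass_extension_renames(file_events).items():
        alerts.append({"rule": "mass_rook_rename", "host": host, "process": proc, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(alert)
```

Correlating the two rules on the same host and parent process (here both point at the assumed `svc.exe`) is what turns two medium-confidence signals into a high-confidence ransomware alert; because the article notes Rook deletes itself after encryption, the process-creation record of the parent may be the only surviving artefact naming the binary.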

Based on Babuk

SentinelLabs has found numerous code similarities between Rook and Babuk, a defunct RaaS that had its complete source code leaked on a Russian-speaking forum in September 2021.

For example, Rook uses the same API calls to retrieve the name and status of each running service and the same functions to terminate them.


Also, the list of processes and Windows services that are stopped is the same for both ransomware families.

This includes the Steam gaming platform, Microsoft Office and the Outlook email client, and Mozilla Firefox and Thunderbird.

Other similarities include how the encryptor deletes shadow volume copies, uses the Windows Restart Manager API, and enumerates local drives.

Enumerating local drives alphabetically
Source: SentinelLabs

Due to these code similarities, SentinelOne believes that Rook is based on the leaked source code of the Babuk ransomware operation.

Is Rook a serious threat?

While it is too soon to tell how sophisticated Rook’s attacks are, the consequences of an infection are still severe, leading to encrypted and stolen data.

The Rook data leak site currently contains two victims, a bank and an Indian aviation and aerospace specialist.

Both were added this month, so we are at an early stage in the group’s activities.

If skilled affiliates join the new RaaS, Rook could become a significant threat in the future.
