Rook, a new ransomware that targets corporate networks and encrypts devices, has been discovered. Experts have observed coding similarities between the Rook and Babuk malware.
The Rook ransomware was discovered on VirusTotal in November and garnered attention for the manner its operators identified themselves.
Phishing emails and fake torrent downloads are used to spread Rook ransomware payloads.
To evade detection, it uses third-party tools such as CobaltStrike, and the payloads are packed using UPX or other crypters.
The data leak site currently lists two victims: a bank and an Indian aviation and aerospace specialist.
When the ransomware is executed, it uses the kph[.]sys driver from Process Hacker or other tools to try to terminate processes that could disrupt the encryption process.
On specific events, hackers use the kph[.]sys driver to disable some specific local security solutions. It encrypts files, adds the ‘.Rook,’ extension and then deletes itself.
The ransomware deletes volume shadow copies with vssadmin[.]exe, a common method employed by ransomware groups to prevent shadow volumes from being used to restore encrypted files.
Similarities with Babuk Ransomware
SentinelLabs researchers discovered several code similarities with the Babuk ransomware, a RaaS that had its whole source code leaked on a Russian speaking forum in June.
Rook uses the same API calls to obtain the name/status of running services, as well as the functions to terminate them.
Furthermore, both ransomware have the identical list of processes and Windows services that are stopped.
The encryptor deletes shadow volumes in a similar manner, as does the enumeration of local drives and the use of the Windows Restart Manager API.
As a result, researchers believe Rook may based on the Babuk.
Rook is said to be based on the Babuk ransomware’s leaked source code, according to opinion of experts. It has the potential to become a severe threat in the future. Hence, organizations should always be prepared with robust cyber defenses and backups.