Leaked Babuk code birthed the new Rook ransomware

February 4, 2022
Leaked Babuk Code Rook Ransomware Malware Threat Intelligence

A new malicious operation using Rook ransomware has emerged recently, openly announcing its intent to make a lot of money by breaching networks and encrypting devices. Although the statements on its leak site are quirky and underwhelming, Rook's first announcements there make it clear that the operators are seriously looking for a big payday.

Researchers have investigated this new strain, uncovering Rook’s infection chain, technical details, and similarities to the Babuk ransomware group.

The Rook ransomware payload is usually delivered via a Cobalt Strike beacon; suspicious torrent downloads and phishing emails have also been reported as the initial infection vector. The payloads are packed with UPX or another crypter to keep security solutions from detecting the malware. After execution, the ransomware tries to stop processes related to security tools or anything else that could hinder or obstruct the encryption stage.

Moreover, the researchers stated that this behaviour shows the actors need to leverage a driver to incapacitate specific local security solutions during engagements. Rook ransomware uses 'vssadmin.exe' to remove volume shadow copies, a common strategy used by ransomware campaigns to prevent shadow copies from being used to recover encrypted files.

Fortunately, the researchers did not discover any persistence mechanisms: Rook encrypts the files, appends the .Rook extension, and then removes itself from the infected network.
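Two of the behaviours described above (shadow copy deletion via vssadmin.exe and the appended .Rook extension) are directly observable in endpoint telemetry. The following is an added detection example, not code from the article or the researchers it cites; the event dictionaries are constructed samples in a simplified Sysmon-like shape, and the field names are assumptions, not any real product's schema.

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry), loosely modelled on
# Sysmon process-creation and file-creation records.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign admin usage
    {"type": "file_create", "host": "ws01",
     "target": r"C:\Users\a\Documents\q1.xlsx.Rook"},
    {"type": "file_create", "host": "ws01",
     "target": r"C:\Users\a\Documents\plan.docx.Rook"},
    {"type": "file_create", "host": "ws01",
     "target": r"C:\Users\a\Documents\notes.txt.Rook"},
    {"type": "file_create", "host": "ws02",
     "target": r"C:\Users\b\backup.zip"},  # unrelated file activity
]

# Only the destructive subcommand is an indicator; "list shadows" is not.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
ROOK_EXT = re.compile(r"\.rook$", re.IGNORECASE)


def detect_rook_indicators(events, min_encrypted=3):
    """Return (host, indicator, detail) tuples for Rook-style activity.

    Shadow copy deletion fires per event; the .Rook extension is only
    reported once a host exceeds min_encrypted files, so a single stray
    file does not page anyone.
    """
    alerts = []
    encrypted_per_host = Counter()
    for ev in events:
        if ev["type"] == "process_create" and VSSADMIN_DELETE.search(ev.get("cmdline", "")):
            alerts.append((ev["host"], "shadow_copy_deletion", ev["cmdline"]))
        elif ev["type"] == "file_create" and ROOK_EXT.search(ev.get("target", "")):
            encrypted_per_host[ev["host"]] += 1
    for host, count in encrypted_per_host.items():
        if count >= min_encrypted:
            alerts.append((host, "mass_rook_extension", f"{count} files"))
    return alerts


if __name__ == "__main__":
    for alert in detect_rook_indicators(SAMPLE_EVENTS):
        print(alert)
```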


The researchers discovered several code similarities between Babuk and Rook. Last September, Babuk's complete source code was leaked on a Russian-speaking forum.


For example, Babuk and Rook both use the same API calls to retrieve the name and status of each running service, and the same functions to stop them. The list of processes and Windows services that are terminated is identical for both ransomware operations and includes MS Office and the Outlook email client, Mozilla Firefox, and the Steam gaming platform.

Other similarities include how the encryptor removes shadow copies, how it enumerates local drives, and how it uses the Windows Restart Manager API.

Because of these code similarities, many researchers conclude that Rook was built from the leaked Babuk code.
