New Rook Ransomware Feeds Off the Code of Babuk

By Jim Walter and Niranjan Jayanand

First noticed on VirusTotal on November 26th by researcher Zack Allen, Rook Ransomware initially attracted attention for the operators’ rather unorthodox self-introduction, which stated that “We desperately need a lot of money” and “We will stare at the internet”.

These odd pronouncements prompted some mirth on social media, but they were followed a few days later by more serious news. On November 30th, Rook claimed its first victim: a Kazkh financial institution from which the Rook operators had stolen 1123 GB of data, according to the gang’s victim website. Further victims have been claimed since then.

In this post, we offer the first technical write up of the Rook ransomware family, covering both its main high-level features and its ties to the Babuk codebase.

Technical Details

Rook ransomware is primarily delivered via a third-party framework, for example Cobalt Strike; however, delivery via phishing email has also been reported in the wild.

Individual samples are typically UPX packed, although alternate packers/crypters have been observed such as VMProtect.

Upon execution, Rook samples pop a command window, with differing output displayed. For example, some versions show the output path for kph.sys (a component of Process Hacker), while others display inaccurate information around the use of ADS (Alternate Data Streams).

False ADS message Rook dropping kph.sys

The ransomware attempts to terminate any process that may interfere with encryption. Interestingly, we see the kph.sys driver from Process Hacker come into play in process termination in some cases but not others. This likely reflects the attackers need to leverage the driver to disable certain local security solutions on specific engagements.

There are numerous process names, service names and folder names included in each samples’ configuration. For example, in sample 19CE538B2597DA454ABF835CFF676C28B8EB66F7, the following processes, services and folders are excluded from the encryption process:

Processes names skipped:

sql.exe
oracle.exe
ocssd.exe
dbsnmp.exe
visio.exe
winword.exe
wordpad.exe
notepad.exe
excel.exe
onenote.exe
outlook.exe
synctime.exe
agntsvc.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
encsvc.exe
firefox.exe
tbirdconfig.exe
mydesktopqos.exe
ocomm.exe
dbeng50.exe
sqbcoreservice.exe
infopath.exe
msaccess.exe
mspub.exe
powerpnt.exe
steam.exe
thebat.exe
thunderbird.exe

Service names terminated:

memtas
mepocs
veeam
backup
GxVss
GxBlr
GxFWD
GxCVD
GxCIMgr
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
RTVscan
QBFCService
QBIDPService
Intuit.QuickBooks.FCS
QBCFMonitorService
AcrSch2Svc
AcronisAgent
CASAD2DWebSvc
CAARCUpdateSvc

Folders names skipped:

Program Files
Program Files (x86)
AppData
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla

File names skipped:

autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db

As with most modern ransomware families, Rook will also attempt to delete volume shadow copies to prevent victims from restoring from backup. This is achieved via vssadmin.exe.

Rook & vssadmin.exe as seen in SentinelOne console
The following syntax is used:

vssadmin.exe delete shadows /all /quiet

All files eligible for encryption are modified with the .ROOK extension.

.ROOK extension on affected files

In the samples we analyzed, no persistence mechanisms were observed, and after the malware runs through its execution, it cleans up by deleting itself.

Babuk Overlaps

There are a number of code similarities between Rook and Babuk. Based on the samples available so far, this appears to be an opportunistic result of the various Babuk source-code leaks we have seen over 2021, including leaks of both the compiled builders as well as the actual source. On this basis, we surmise that Rook is just the latest example of an apparent novel ransomware capitalizing on the ready availability of Babuk source-code.

Babuk and Rook use EnumDependentServicesA API to retrieve the name and status of each service that depends on the specified service before terminating. They enumerate all services in the system and stop all of those which exist in a hardcoded list in the malware. Using OpenSCManagerA API, the code gets the Service Control Manager, gets the handle and then enumerates all services in the system.

Rook enumerates all services
Veeam
Backup
GxVss
GxBlr
GxFWD
GxCVD
GXCIMgr
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
RTVscan
QBFCService
QBIDPService
Intuit.QuickBooks.FCS
QBFCMonitorService
YooBAckup
YooIT
Zhudongfangyu
Sophos
Stc_raw_agent
VSNAPVSS
VeeamTransportSvc
VeeamDeploymentService
VeeamNFSSvc
Veeam
PDVFSService
BackupExecVSSProvider
BackupExecAgentAccelerator
BackupExecAgentBrowser
BackupExecDiveciMediaService
BackupExecJobEngine
BackupExecManagementService
BackupExecRPCServiceAcrSch25vc
AcronisAgent
CASAD2DWebSvc
CAARCUpdateSvc
Rook service termination

In addition, both Rook and Babuk use the functions CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, and TerminateProcess to enumerate running processes and kill any found to match those in a hardcoded list.

Babuk and Rook share the same process exclusion list

Also similar is the use of the Windows Restart Manager API to aid with process termination, which includes processes related to MS Office products and the popular gaming platform Steam.

Babuk Process termination

We also noted overlap with regards to some of the environmental checks and subsequent behaviors, including the removal of Volume Shadow Copies.

Both Babuk and Rook check if the sample is executed in a 64-bit OS, then delete the shadow volumes of the user machine. The code flows to Wow64DisableWow64FsRedirection to disable file system redirection before calling ShellExecuteW to delete shadow copies.

Babuk VSS deletion (similar to Rook)

Babuk and Rook implement similar code for enumerating local drives. Rook checks for the local drives alphabetically as shown below.

Enumerating local drives

The Rook Victim Website

Like other recent ransomware varieties, Rook embraces a dual-pronged extortion approach: an initial demand for payment to unlock encrypted files, followed by public threats via the operators’ website to leak exfiltrated data should the victim fail to comply with the ransom demand.

Rook’s welcome message (TOR-based website)

This TOR-based site is used to name victims and host any data should the victim decide not to cooperate. Rook also uses the site to openly boast of having the “latest vulnerability database” and “we can always penetrate the target system” as well as their desire for success: “We desperately need a lot of money”.

These statements appear under the heading of “why us?” and could be intended to attract affiliates as well as convince victims that they mean business.

About Rook (TOR-based website)
At the time of writing, three companies have been listed on the Rook blog, spanning different industries.

Expanded victim data

Conclusion

Given the economics of ransomware – high reward for low risk – and the ready availability of source code from leaks like Babuk, it’s inevitable that the proliferation of new ransomware groups we’re seeing now is only going to continue. Rook may be here today and gone tomorrow, or it could stick around until the actors behind it decide they’ve had enough (or made enough), but what is certain is that Rook won’t be the last malware we see feeding off the leaked Babuk code.

Add that to the incentive provided by recent vulnerabilities such as log4j2 that can allow initial access without great technical skill, and enterprise security teams have a recipe for a busy year ahead. Prevention is critical, along with well-documented and tested DRP and BCP procedures. All SentinelOne customers are protected from Rook ransomware.

Indicators of Compromise

SHA1
104d9e31e34ba8517f701552594f1fc167550964
19ce538b2597da454abf835cff676c28b8eb66f7
36de7997949ac3b9b456023fb072b9a8cd84ade8

SHA256
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789
c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac
96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b

MITRE ATT&CK
T1027.002 – Obfuscated Files or Information: Software Packing
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
TA0010 – Exfiltration
T1082 – System Information Discovery
T1490 – Inhibit System Recovery

Article Link: New Rook Ransomware Feeds Off the Code of Babuk - SentinelOne