New Rook Ransomware Feeds Off the Code of Babuk

December 28, 2021

The ransomware attempts to terminate any process that may interfere with encryption. Interestingly, the kph.sys driver from Process Hacker comes into play in process termination in some cases but not others. This likely reflects the attacker's need to leverage the driver to disable certain local security solutions on specific engagements.

There are numerous process names, service names and folder names included in each sample's configuration. For example, in sample 19CE538B2597DA454ABF835CFF676C28B8EB66F7, the following processes, services and folders are excluded from the encryption process:

Process names skipped: sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, visio.exe, winword.exe, wordpad.exe, notepad.exe, excel.exe, onenote.exe, outlook.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, infopath.exe, msaccess.exe, mspub.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe

Service names terminated: memtas, mepocs, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, AcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc

Folder names skipped: Program Files, Program Files (x86), AppData, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla

File names skipped: autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db

As with most modern ransomware families, Rook will also attempt to delete volume shadow copies to prevent victims from restoring from backup. This is achieved via vssadmin.exe.
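As an added defensive example (not code from the original write-up or from any Rook sample), the Python below correlates two observables the text describes: stops of the backup and security services listed in the sample's configuration, and a vssadmin shadow-copy deletion on the same host shortly afterwards. The flat log format, `parse`, `score_host_events` and the sample lines are assumptions, standing in for Windows System event 7036 (service entered the stopped state) and Security 4688 / Sysmon event 1 (process creation).

```python
import re
from collections import defaultdict

# Service names terminated by the Rook sample described above (page's list, lower-cased).
ROOK_SERVICES = {
    "memtas", "mepocs", "veeam", "backup", "gxvss", "gxblr", "gxfwd", "gxcvd",
    "gxcimgr", "defwatch", "ccevtmgr", "ccsetmgr", "savroam", "rtvscan",
    "qbfcservice", "qbidpservice", "intuit.quickbooks.fcs", "qbcfmonitorservice",
    "acrsch2svc", "acronisagent", "casad2dwebsvc", "caarcupdatesvc",
}

# vssadmin invoked to delete shadow copies (the page names vssadmin.exe as the mechanism).
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)


def parse(line):
    """Hypothetical flat log line: '<epoch>|<host>|<event>|<detail>' (constructed format)."""
    ts, host, event, detail = line.split("|", 3)
    return int(ts), host, event, detail


def score_host_events(lines, window=300, min_services=2):
    """Return {host: finding} for hosts where at least `min_services` Rook-targeted
    services stopped within `window` seconds of a vssadmin shadow-copy deletion."""
    stops = defaultdict(list)   # host -> [(ts, service_name)]
    vss = defaultdict(list)     # host -> [ts of vssadmin delete]
    for line in lines:
        ts, host, event, detail = parse(line)
        if event == "svc_stopped" and detail.lower() in ROOK_SERVICES:
            stops[host].append((ts, detail))
        elif event == "proc_create" and VSSADMIN_DELETE.search(detail):
            vss[host].append(ts)
    findings = {}
    for host, vss_times in vss.items():
        for t in vss_times:
            hit = sorted({svc for sts, svc in stops[host] if abs(sts - t) <= window})
            if len(hit) >= min_services:
                findings[host] = {"vssadmin_ts": t, "services": hit}
    return findings


# Constructed sample telemetry (not real logs): ws01 shows the Rook pattern, ws02 does not.
SAMPLE = [
    "1000|ws01|svc_stopped|veeam",
    "1004|ws01|svc_stopped|AcronisAgent",
    "1010|ws01|proc_create|vssadmin.exe delete shadows",
    "1020|ws02|svc_stopped|Spooler",
    "1030|ws02|proc_create|vssadmin.exe list shadows",
]

if __name__ == "__main__":
    print(score_host_events(SAMPLE))
```

Tune `window` and `min_services` to the environment; a legitimate backup job stopping its own service is unlikely to coincide with shadow deletion, which is what the correlation keys on.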