The ransomware attempts to terminate any process that may interfere with encryption.
Interestingly, the kph.sys driver from Process Hacker come into play in process termination in some cases but not others.
This likely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific engagements.
There are numerous process names, service names and folder names included in each sample’s configuration.
For example, in sample 19CE538B2597DA454ABF835CFF676C28B8EB66F7, the following processes, services and folders are excluded from the encryption process:
Processes names skipped:
sql.exe
oracle.exe
ocssd.exe
dbsnmp.exe
visio.exe
winword.exe
wordpad.exe
notepad.exe
excel.exe
onenote.exe
outlook.exe
synctime.exe
agntsvc.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
encsvc.exe
firefox.exe
tbirdconfig.exe
mydesktopqos.exe
ocomm.exe
dbeng50.exe
sqbcoreservice.exe
infopath.exe
msaccess.exe
mspub.exe
powerpnt.exe
steam.exe
thebat.exe
thunderbird.exe
Service names terminated:
memtas
mepocs
veeam
backup
GxVss
GxBlr
GxFWD
GxCVD
GxCIMgr
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
RTVscan
QBFCService
QBIDPService
Intuit.QuickBooks.FCS
QBCFMonitorService
AcrSch2Svc
AcronisAgent
CASAD2DWebSvc
CAARCUpdateSvc
Folders names skipped:
Program Files
Program Files (x86)
AppData
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
File names skipped:
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
As with most modern ransomware families, Rook will also attempt to delete volume shadow copies to prevent victims from restoring from backup. This is achieved via vssadmin.exe.
Sign Up For Threat Alerts
Jul 04, 2023
Rhysida Ransomware RaaS Crawls Out of Crimeware...
The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...
Jun 26, 2023
Operation Magalenha – Long-Running Campaign Pursues Portuguese...
The attackers can steal credentials and exfiltrate users' data and personal information, which can be...
Apr 24, 2023
Lazarus Group Adds Linux Malware to Arsenal...
Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...
Apr 23, 2023
Additional IOCs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.
Apr 23, 2023
Ex-Conti and FIN7 Actors Collaborate with New...
IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...
Apr 20, 2023
AuKill EDR killer malware abuses Process Explorer...
The AuKill tool abuses an outdated version of the driver used by version 16.32 of...
Apr 20, 2023
Fake Chrome updates spread malware
A campaign running since the end of last year is using hacked sites to push...
Apr 20, 2023
QBot using new attack vector in its...
QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...
Apr 20, 2023
CrossLock Ransomware Emerges: New Golang – Based...
The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...
Apr 20, 2023
Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...
A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
APT36 Expands Interest Within Indian Education Sector
Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...
Apr 17, 2023
ChinaZ DDoS Bot Malware Distributed To Linux...
The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...
Apr 16, 2023
Resurgence Of The Mexals Cryptojacking Campaign
The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...