The ransomware attempts to terminate any process that may interfere with encryption.
Interestingly, the kph.sys driver from Process Hacker comes into play in process termination in some cases but not others.
This likely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific engagements.
There are numerous process names, service names and folder names included in each sample’s configuration.
For example, in sample 19CE538B2597DA454ABF835CFF676C28B8EB66F7, the following processes, services and folders are excluded from the encryption process:
Process names skipped:
Service names terminated:
Folder names skipped:
Program Files (x86)
File names skipped:
As with most modern ransomware families, Rook will also attempt to delete volume shadow copies to prevent victims from restoring from backup. This is achieved via vssadmin.exe.
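As an added example that is not part of the original analysis, the following Python scans constructed process-creation and driver-load records for the two behaviours described above: shadow copy deletion through vssadmin.exe and loading of the kph.sys driver. The pipe-delimited record format, the user names and the file paths are assumptions made for the example, not real Rook telemetry.

```python
import ntpath
import re

# Constructed sample telemetry (assumption: simplified "type|user|image|cmdline" records,
# not real Rook events). One benign vssadmin call and one benign driver load are included
# so the rules can be checked for false positives.
SAMPLE_EVENTS = [
    "ProcessCreate|SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "ProcessCreate|alice|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "ProcessCreate|alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "DriverLoad|SYSTEM|C:\\Users\\Public\\kph.sys|",
    "DriverLoad|SYSTEM|C:\\Windows\\System32\\drivers\\ntfs.sys|",
]

# vssadmin invoked with "delete" and "shadows" anywhere in the command line; listing
# shadows is a normal administrative action and must not fire.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# Process Hacker's kernel driver, which the article ties to the process-termination step.
KPH_DRIVER_NAME = "kph.sys"


def scan_events(lines):
    """Return (rule, user, detail) for every record matching one of the two rules."""
    findings = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed record: skip rather than crash the scan
        event_type, user, image, cmdline = parts
        if event_type == "ProcessCreate" and SHADOW_DELETE.search(cmdline):
            findings.append(("shadow_copy_deletion", user, cmdline))
        elif event_type == "DriverLoad" and ntpath.basename(image).lower() == KPH_DRIVER_NAME:
            findings.append(("kph_driver_load", user, image))
    return findings


if __name__ == "__main__":
    for rule, user, detail in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] user={user} {detail}")
```

Either rule on its own is a strong signal on a host that does not normally run Process Hacker or vssadmin; both within a short window is the sequence the article describes and is worth treating as an active encryption attempt.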