New Rook Ransomware Feeds Off the Code of Babuk

The ransomware attempts to terminate any process that may interfere with encryption.
Interestingly, the kph.sys driver from Process Hacker comes into play in process termination in some cases but not others.
This likely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific engagements.

There are numerous process names, service names and folder names included in each sample’s configuration.
For example, in sample 19CE538B2597DA454ABF835CFF676C28B8EB66F7, the following process, service, folder and file names are referenced by the encryption routine (processes, folders and files are skipped; services are terminated):

Process names skipped:
sql.exe
oracle.exe
ocssd.exe
dbsnmp.exe
visio.exe
winword.exe
wordpad.exe
notepad.exe
excel.exe
onenote.exe
outlook.exe
synctime.exe
agntsvc.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
encsvc.exe
firefox.exe
tbirdconfig.exe
mydesktopqos.exe
ocomm.exe
dbeng50.exe
sqbcoreservice.exe
infopath.exe
msaccess.exe
mspub.exe
powerpnt.exe
steam.exe
thebat.exe
thunderbird.exe

Service names terminated:
memtas
mepocs
veeam
backup
GxVss
GxBlr
GxFWD
GxCVD
GxCIMgr
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
RTVscan
QBFCService
QBIDPService
Intuit.QuickBooks.FCS
QBCFMonitorService
AcrSch2Svc
AcronisAgent
CASAD2DWebSvc
CAARCUpdateSvc

Folder names skipped:
Program Files
Program Files (x86)
AppData
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla

File names skipped:
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db

As with most modern ransomware families, Rook will also attempt to delete volume shadow copies to prevent victims from restoring from backup. This is achieved via vssadmin.exe.
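The two behaviours described above, stopping services from the termination list and deleting shadow copies with vssadmin.exe, are both visible in process-creation telemetry. The following detection logic is an added example written for this post, not code from the report or from the Rook sample; it runs over constructed sample events, and the service list is the one quoted for the sample above.

```python
import shlex

# Service names from the Rook sample's termination list (taken from the post above).
ROOK_SERVICES = {s.lower() for s in """
memtas mepocs veeam backup GxVss GxBlr GxFWD GxCVD GxCIMgr DefWatch ccEvtMgr ccSetMgr
SavRoam RTVscan QBFCService QBIDPService Intuit.QuickBooks.FCS QBCFMonitorService
AcrSch2Svc AcronisAgent CASAD2DWebSvc CAARCUpdateSvc
""".split()}


def classify_command(cmdline: str):
    """Return a finding label for one process command line, or None if benign.

    Covers the two behaviours described in the post:
      * shadow copy deletion through vssadmin.exe
      * stopping a backup/AV service from Rook's termination list via net/sc
    """
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    args = [a.lower() for a in argv[1:]]
    if exe == "vssadmin.exe" and "delete" in args and "shadows" in args:
        return "vssadmin shadow copy deletion"
    if exe in ("net.exe", "net1.exe", "net", "sc.exe", "sc") and "stop" in args:
        for a in args:
            if a.strip('"') in ROOK_SERVICES:
                return f"stop of Rook-targeted service {a}"
    return None


def scan_events(events):
    """events: iterable of (host, pid, cmdline) tuples; returns a list of alerts."""
    alerts = []
    for host, pid, cmdline in events:
        label = classify_command(cmdline)
        if label:
            alerts.append((host, pid, label))
    return alerts


# Constructed sample process-creation events (not taken from the post).
SAMPLE_EVENTS = [
    ("ws01", 4120, "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"),
    ("ws01", 4133, "net stop veeam /y"),
    ("ws01", 4150, '"C:\\Windows\\System32\\sc.exe" stop AcronisAgent'),
    ("ws02", 812, "vssadmin.exe list shadows"),
    ("ws02", 900, "net stop Spooler"),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Feeding real Sysmon Event ID 1 or Windows 4688 command lines through scan_events gives the same two-signal view; the benign events (a shadow listing, stopping an unrelated service) produce no alert.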
