
Organizations Targeted With Babuk-Based Rook Ransomware

A piece of ransomware that emerged in late November has already made three victims, with the first of them hit less than a week after the malware was initially spotted.

Dubbed Rook, the ransomware shows numerous similarities with Babuk, and security researchers have discovered that it was in fact built using Babuk code that was leaked online earlier this year.

Rook was initially seen on VirusTotal on November 26, and its first victim – a Kazakh financial institution – was identified on November 30. In addition to encrypting the organization’s files, the Rook gang stole roughly 1 terabyte of data, to use it for extortion.

The ransomware is being distributed via a third-party framework, such as Cobalt Strike, but SentinelOne’s SentinelLabs researchers say that phishing emails carrying Rook have been observed as well.

Once executed on the victim’s machine, the malware attempts to terminate all processes that may impede the encryption process. The attackers also attempt to disable security products, as well as to delete volume shadow copies, to prevent victims from recovering their data.

During the encryption, the ransomware appends the .ROOK extension to the encrypted files and, once the process has been completed, it deletes itself from the machine.
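As an added illustration that is not from the article or from SentinelLabs, the following Python detector scans constructed process-creation and file-rename log lines for the two host behaviours described above: shadow-copy deletion commands and a burst of renames to the .ROOK extension. The pipe-delimited log format, hostnames, paths, timestamps and the rename threshold are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not real telemetry). Assumed format:
#   timestamp|host|event|details
# where event is ProcessCreate (details = command line) or
# FileRename (details = "old -> new").
SAMPLE_LOG = """\
2021-12-01T08:12:01|ws-17|ProcessCreate|vssadmin.exe delete shadows /all /quiet
2021-12-01T08:12:03|ws-17|ProcessCreate|wmic.exe shadowcopy delete
2021-12-01T08:12:04|ws-17|ProcessCreate|notepad.exe C:\\Users\\a\\notes.txt
2021-12-01T08:13:10|ws-17|FileRename|C:\\Users\\a\\Documents\\q3.xlsx -> C:\\Users\\a\\Documents\\q3.xlsx.ROOK
2021-12-01T08:13:10|ws-17|FileRename|C:\\Users\\a\\Documents\\plan.docx -> C:\\Users\\a\\Documents\\plan.docx.ROOK
2021-12-01T08:13:11|ws-17|FileRename|C:\\Users\\a\\Documents\\old.txt -> C:\\Users\\a\\Documents\\old.bak
2021-12-01T08:13:12|ws-17|FileRename|C:\\Users\\a\\Documents\\a.pdf -> C:\\Users\\a\\Documents\\a.pdf.ROOK
"""

# Command lines commonly used to delete volume shadow copies; both tools exist
# on Windows, the exact argument forms here are the well-known ones.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

# Extension the article says Rook appends to encrypted files.
ROOK_EXT = re.compile(r"\.ROOK$")


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def parse_line(line: str):
    """Split one assumed-format log line into its four fields."""
    ts, host, event, details = line.split("|", 3)
    return ts, host, event, details


def detect(log_text: str, rename_threshold: int = 3) -> list[Alert]:
    """Return alerts for shadow-copy deletion and mass .ROOK renames.

    A single .ROOK rename is reported only once the per-host count reaches
    rename_threshold, so a lone oddly named file does not page anyone.
    """
    alerts: list[Alert] = []
    rook_renames: dict[str, int] = {}  # host -> number of .ROOK renames

    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, event, details = parse_line(line)

        if event == "ProcessCreate":
            for pat in SHADOW_DELETE_PATTERNS:
                if pat.search(details):
                    alerts.append(Alert(host, "shadow_copy_deletion", details))
                    break
        elif event == "FileRename":
            _old, _sep, new_path = details.partition(" -> ")
            if ROOK_EXT.search(new_path):
                rook_renames[host] = rook_renames.get(host, 0) + 1

    for host, count in rook_renames.items():
        if count >= rename_threshold:
            alerts.append(Alert(host, "mass_rook_rename",
                                f"{count} files renamed with .ROOK"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.rule}] host={alert.host}: {alert.detail}")
```

The shadow-copy rule fires on the first matching process, because recovery data is usually destroyed before encryption starts, while the rename rule is deliberately thresholded per host so that it reports a burst rather than every file.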

“There are a number of code similarities between Rook and Babuk. Based on the samples available so far, this appears to be an opportunistic result of the various Babuk source-code leaks we have seen over 2021, including leaks of both the compiled builders as well as the actual source,” SentinelLabs says.

Both malware families use the same API to retrieve service names and status (they enumerate all services to stop those in a hardcoded list), the same functions to enumerate running processes and terminate those in a hardcoded list, the Windows Restart Manager API for process termination, and similar code for drive enumeration; both also perform a series of environmental checks before encrypting.

Rook’s operators engage in double extortion, threatening to publish the stolen data unless the victim pays a ransom in exchange for a decryption tool.

On their website on the Tor network, the gang has already listed three victim companies and data stolen from those that proved uncooperative.

“Given the economics of ransomware – high reward for low risk – and the ready availability of source code from leaks like Babuk, it’s inevitable that the proliferation of new ransomware groups we’re seeing now is only going to continue,” SentinelLabs concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
