A piece of ransomware that emerged in late November has already claimed three victims, with the first of them hit less than a week after the malware was initially spotted.
Dubbed Rook, the ransomware shows numerous similarities with Babuk, and security researchers have discovered that it was in fact built using Babuk code that was leaked online earlier this year.
Rook was initially seen on VirusTotal on November 26, and its first victim – a Kazakh financial institution – was identified on November 30. In addition to encrypting the organization’s files, the Rook gang stole roughly 1 terabyte of data for use in extortion.
The ransomware is being distributed via a third-party framework, such as Cobalt Strike, but SentinelOne’s SentinelLabs researchers say that phishing emails carrying Rook have been observed as well.
Once executed on the victim’s machine, the malware attempts to terminate all processes that may impede the encryption process. The attackers also attempt to disable security products, as well as to delete volume shadow copies, to prevent victims from recovering their data.
During the encryption, the ransomware appends the .ROOK extension to the encrypted files and, once the process has been completed, it deletes itself from the machine.
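The two behaviours described above – shadow-copy deletion before encryption and the mass appending of the .ROOK extension – are the kind of host telemetry a defender can alert on. The following is an added detection example, not code from the article or from SentinelLabs; the event format and the sample events are constructed for illustration, and the shadow-copy command patterns are generic ones commonly seen in ransomware, not something the article attributes to Rook specifically.

```python
import re

# Constructed sample host telemetry (process-creation and file-rename events);
# not taken from any real Rook incident.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
    {"type": "rename", "old": "C:\\Users\\a\\Documents\\q3.xlsx", "new": "C:\\Users\\a\\Documents\\q3.xlsx.ROOK"},
    {"type": "rename", "old": "C:\\Users\\a\\Documents\\plan.docx", "new": "C:\\Users\\a\\Documents\\plan.docx.ROOK"},
    {"type": "rename", "old": "C:\\Users\\a\\Pictures\\cat.jpg", "new": "C:\\Users\\a\\Pictures\\cat.jpg.ROOK"},
    {"type": "rename", "old": "C:\\Users\\a\\draft.tmp", "new": "C:\\Users\\a\\draft.txt"},
]

# Generic shadow-copy deletion patterns (assumed indicators, not article-specific).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]
RANSOM_EXT = ".rook"        # extension the article says Rook appends
RENAME_THRESHOLD = 3        # assumed: alert once this many files gain the extension


def detect(events):
    """Return a list of (alert_kind, detail) tuples for the given event stream."""
    alerts = []
    rook_renames = 0
    for event in events:
        if event["type"] == "process":
            cmdline = event["cmdline"]
            if any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS):
                alerts.append(("shadow_copy_deletion", cmdline))
        elif event["type"] == "rename":
            # Count files that acquire the ransomware extension, case-insensitively.
            if event["new"].lower().endswith(RANSOM_EXT):
                rook_renames += 1
    if rook_renames >= RENAME_THRESHOLD:
        alerts.append(("mass_rook_rename", f"{rook_renames} files renamed with {RANSOM_EXT}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```

In production the same logic would run over EDR or Sysmon events rather than an inline list, and the rename threshold would be tuned per environment.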
“There are a number of code similarities between Rook and Babuk. Based on the samples available so far, this appears to be an opportunistic result of the various Babuk source-code leaks we have seen over 2021, including leaks of both the compiled builders as well as the actual source,” SentinelLabs says.
Both malware families use the same API to retrieve service names and status (they enumerate all services to stop those in a hardcoded list), the same functions to enumerate running processes and terminate those in a hardcoded list, the Windows Restart Manager API for process termination, and similar code for drive enumeration; both also perform a series of environmental checks.
Rook’s operators engage in double extortion, threatening to make stolen data public unless a ransom is paid in exchange for a decryption tool.
On their website on the Tor network, the gang has already listed three victim companies and data stolen from those that proved uncooperative.
“Given the economics of ransomware – high reward for low risk – and the ready availability of source code from leaks like Babuk, it’s inevitable that the proliferation of new ransomware groups we’re seeing now is only going to continue,” SentinelLabs concludes.