Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Data Sheets
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoStart Free Trial
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Data Sheets
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoStart Free Trial

Rook: New Ransomware in the market scavenges code from Babuk

Threat Level – Red | Vulnerability Report
Download PDF

For a detailed advisory, download the pdf file here.

Security researchers found new ransomware dubbed as Rook that reuses the code from Babuk which was released earlier. It was initially seen on VirusTotal on November 26th and pwned its first victim, a Kazkh financial organization from whom Rook stole 1128GB of data on November 30th.

Rook ransomware invades a victim’s system through a third-party framework, such as Cobalt Strike, or through a phishing email. Individual samples are typically UPX-packed, but other packers/crypters, such as VMProtect, have been also observed. When executed, it attempts to terminate processes associated with security tools or anything else that could interfere with encryption. Because no persistence mechanisms have been discovered, Rook will encrypt the files, append the “.Rook” extension, and then delete itself from the compromised system. 

Rook has been linked to Babuk due to the following reasons: •The same API calls are used to retrieve the name and status of each running service, as well as the same functions are used to terminate them. •The list of stopped processes and Windows services is the same for both ransomwares. •Both checks to see if the sample is operating on 64-bit OS before deleting the disk shadow from the victim’s machine. •Both uses Windows Restart Manager API to assist with process termination, including processes associated with Microsoft Office programs and the popular gaming platform Steam •Uses similar code for enumeration of local drives.

Organizations should educate employees about phishing to avoid getting targeted by ransomwares such as Rook, Babuk etc.

The TTPs used by Rook include:

TA0001 – Initial Access

T1566 – Phishing

TA0002 – Execution

T1059 – Command and Scripting Interpreter

TA0005 – Defense Evasion

T1027 – Obfuscated Files or Information

T1027.002 – Obfuscated Files or Information: Software Packing

T1562 – Impair Defenses

TA0007 – Discovery

T1007 – System Service Discovery

T1082 – System Information Discovery

TA0011 – Command and Control

T1090 – Proxy

TA0010 – Exfiltration

TA0040 – Impact T1490 – Inhibit System Recovery

Indicators of Compromise(IoCs)

References

https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/

https://otx.alienvault.com/pulse/61c986f940126b3db3bf70e4/

https://www.bleepingcomputer.com/news/security/rook-ransomware-is-yet-another-spawn-of-the-leaked-babuk-code/

Indicators of Compromise(IoCs)

References

https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/

https://otx.alienvault.com/pulse/61c986f940126b3db3bf70e4/

https://www.bleepingcomputer.com/news/security/rook-ransomware-is-yet-another-spawn-of-the-leaked-babuk-code/

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox