SentinelLabs cybersecurity researchers have announced the emergence of a new ransomware called Rook, which shares many code overlaps with the Babuk ransomware.
According to Aftana (information technology security news site), a new ransomware group called Rook has recently appeared in cyberspace. According to the group, they are in dire need of large sums of money and are raising it through hacking into corporate networks and device encryption.
Researchers at SentinelLabs have carefully examined the group and found overlaps between it and the Babuk ransomware.
The Rook ransomware payload is delivered via Cobalt Strike. Phishing emails and suspicious downloads are reported to be the main sources of infection.
The payloads are packed with UPX or otherwise obfuscated to help them evade detection. When the ransomware runs, it terminates processes associated with security tools or anything else that would interfere with encryption. Rook also deletes Volume Shadow Service copies using vssadmin.exe, a standard tactic used to prevent file recovery from shadow copies.
It then encrypts the files, appends the Rook extension to them, and removes itself from the compromised system.
SentinelLabs has found several coding similarities between Rook and Babuk. Based on these similarities, SentinelOne assesses that Rook is built on the leaked Babuk ransomware source code.
It is too early to assess the sophistication of Rook attacks, but the consequences of an infection are nonetheless severe, resulting in file encryption and data theft.