TAU-TIN-Rook-Ransomware

By Sagar Daundkar posted Dec 20, 2021 09:31 AM

  

Threat Analysis Unit - Threat Intelligence Notification

Title: Rook Ransomware

 

Summary

Rook is a newly discovered ransomware family that encrypts victims' files and threatens to leak the victim's data if they do not contact the attacker and pay the demanded ransom. It also deletes volume shadow copies, so victims cannot restore encrypted data from local snapshots. Rook shares many similarities with Babuk ransomware, from the style of its ransom note to reuse of Babuk code.

Behavioral Summary

Rook appends the extension “.Rook” to each file it encrypts. It also drops a ransom note named “HowToRestoreYourFiles.txt” in every folder it processes.

Figure 1. Screenshot of the ransom note

In addition, Rook deletes volume shadow copies, preventing victims from recovering encrypted data from local snapshots. The Rook process chart is shown in Figure 2.

Figure 2: Process chart of Rook ransomware

Rook also prints a console log of each stage to the command prompt, as shown in Figure 3.

Figure 3: Console log of the ransomware

Rook stores the public key and private key used for encryption under the following registry keys, and erases them later in the run:

  • HKEY_CURRENT_USER\Software\RookPublicKey
  • HKEY_CURRENT_USER\Software\RookPrivateKey

Rook creates a mutex named “asfgjkl878645165456fa888” so that only one instance runs at a time. It then terminates the Windows services and processes whose names are hardcoded in the binary, listed in Table 1 and Table 2:

  • memtas
  • mepacs
  • vss
  • sql
  • svc$
  • veeam
  • backup
  • GxVss
  • GxBlr
  • GxFWD
  • GxCVD
  • GxCIMgr
  • DefWatch
  • ccEvtMgr
  • ccSetMgr
  • SavRoam
  • RTVscan
  • QBFCService
  • QBIDPService
  • Intuit.QuickBooks.FCS
  • QBCFMonitorService
  • AcrSch2Svc
  • AcronisAgent
  • CASAD2DWebSvc
  • CAARCUpdateSvc

Table 1: List of services to be terminated
 

  • sql.exe
  • excel.exe
  • ocautoupds.exe
  • infopath.exe
  • oracle.exe
  • onenote.exe
  • encsvc.exe
  • msaccess.exe
  • ocssd.exe
  • outlook.exe
  • firefox.exe
  • mspub.exe
  • dbsnmp.exe
  • synctime.exe
  • tbirdconfig.exe
  • powerpnt.exe
  • visio.exe
  • agntsvc.exe
  • mydesktopqos.exe
  • steam.exe
  • winword.exe
  • isqlplussvc.exe
  • ocomm.exe
  • thebat.exe
  • wordpad.exe
  • xfssvccon.exe
  • dbeng50.exe
  • thunderbird.exe
  • notepad.exe
  • mydesktopservice.exe
  • sqbcoreservice.exe

Table 2: List of applications to be terminated
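The behaviours above (shadow copy deletion, the Rook registry keys, the mutex, the ransom note and extension, and the service and process kill lists) can be combined into a scored behavioural detection over endpoint telemetry. The following Python is an added example, not code from this notification or from Carbon Black: the event schema, the assumption that services are stopped with net/sc and processes killed with taskkill, the vssadmin command line, and the weights and threshold are all illustrative choices, since the report only states that these actions happen, not how.

```python
import re
from collections import defaultdict

# Strings the notification reports as hardcoded in the Rook binary.
RANSOM_NOTE = "howtorestoreyourfiles.txt"
RANSOM_EXT = ".rook"
MUTEX = "asfgjkl878645165456fa888"
REG_KEYS = {
    r"hkey_current_user\software\rookpublickey",
    r"hkey_current_user\software\rookprivatekey",
}
# Subsets of Table 1 and Table 2 (lower-cased); extend with the full lists.
TARGET_SERVICES = {"memtas", "mepacs", "vss", "sql", "veeam", "backup",
                   "gxvss", "defwatch", "acronisagent", "qbfcservice"}
TARGET_PROCESSES = {"sql.exe", "oracle.exe", "outlook.exe", "excel.exe",
                    "winword.exe", "dbeng50.exe", "sqbcoreservice.exe"}

# Assumption: the actions are driven via command line. The report only says
# that shadow copies are deleted and services/processes are terminated.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.I)
PROCESS_KILL = re.compile(r"taskkill(?:\.exe)?\s.*?/im\s+\"?([^\s\"]+)", re.I)


def match_event(ev):
    """Return (indicator, weight) for an event matching a Rook indicator, else None.

    `ev` is a dict with 'type' and 'host' plus per-type fields (cmdline, path,
    key, name). This schema and the weights are assumptions for the example.
    """
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            return ("shadow_copy_deletion", 5)
        m = SERVICE_STOP.search(cmd)
        if m and (m.group(1).casefold() in TARGET_SERVICES
                  or m.group(1).casefold().startswith("svc$")):
            return ("backup_or_db_service_stop", 2)
        m = PROCESS_KILL.search(cmd)
        if m and m.group(1).casefold() in TARGET_PROCESSES:
            return ("office_or_db_process_kill", 2)
    elif kind == "registry" and ev.get("key", "").casefold() in REG_KEYS:
        return ("rook_key_material_in_registry", 5)
    elif kind == "mutex" and ev.get("name") == MUTEX:
        return ("rook_mutex", 5)
    elif kind == "file":
        path = ev.get("path", "").casefold()
        if path.endswith("\\" + RANSOM_NOTE):
            return ("ransom_note_dropped", 4)
        if path.endswith(RANSOM_EXT):
            return ("rook_extension_written", 1)
    return None


def score_hosts(events):
    """Sum distinct indicator weights per host.

    An indicator counts once per host, so a thousand .Rook writes do not
    outweigh the combination of mutex + registry key + shadow copy deletion.
    """
    seen = defaultdict(dict)
    for ev in events:
        hit = match_event(ev)
        if hit:
            seen[ev["host"]][hit[0]] = hit[1]
    return {h: (sum(w.values()), sorted(w)) for h, w in seen.items()}


def flag_hosts(events, threshold=8):
    """Hosts whose score reaches the threshold (threshold is illustrative)."""
    return sorted(h for h, (s, _) in score_hosts(events).items() if s >= threshold)


# Constructed telemetry for the example; not real logs.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "cmdline": "net stop Spooler"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\a\Documents\report.docx"},
    {"host": "WS02", "type": "mutex", "name": "asfgjkl878645165456fa888"},
    {"host": "WS02", "type": "registry", "key": r"HKEY_CURRENT_USER\Software\RookPublicKey"},
    {"host": "WS02", "type": "process", "cmdline": "net stop veeam"},
    {"host": "WS02", "type": "process", "cmdline": 'taskkill /F /IM "sqbcoreservice.exe"'},
    {"host": "WS02", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS02", "type": "file", "path": r"C:\Users\a\Documents\HowToRestoreYourFiles.txt"},
    {"host": "WS02", "type": "file", "path": r"C:\Users\a\Documents\report.docx.Rook"},
]

if __name__ == "__main__":
    for host, (score, names) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} indicators={names}")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Counting each indicator once per host is deliberate: a single `net stop veeam` from an administrator should not page anyone, but the mutex, the registry key and shadow copy deletion together on one host are specific enough to act on immediately.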

 

Rook skips the files and folders listed in Table 3 when encrypting, which keeps the system bootable so the victim can read the ransom note.

  • Mozilla Firefox
  • bootmgr
  • ntuser.ini
  • Tor Browser
  • $Recycle.Bin
  • bootmgr.efi
  • thumbs.db
  • Internet Explorer
  • ProgramData
  • bootmgfw.efi
  • Program Files
  • Google
  • All Users
  • desktop.ini
  • Program Files (x86)
  • Opera
  • autorun.inf
  • iconcache.db
  • AppData
  • Opera Software
  • boot.ini
  • ntldr
  • Boot
  • Mozilla
  • bootfont.bin
  • ntuser.dat
  • Windows
  • #recycle
  • bootsect.bak
  • ntuser.dat.log
  • Windows.old

Table 3: List of files and folders excluded from encryption
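The mutex, registry value names, ransom note name and the service, process and exclusion lists above are all literal strings in the binary, which makes a cheap static triage check. The Python below is an added example, not code from this notification or from Carbon Black: it scans a file's bytes for the most distinctive of those strings in both ASCII and UTF-16LE (the encoding Windows wide strings use, which a plain `strings` run misses without `-el`). The sample blob is constructed, and the minimum-category threshold is an assumption.

```python
# Strings the notification lists as hardcoded in the Rook binary. Short,
# common words from the tables (vss, sql, Google, Windows) are left out
# because they match almost any Windows executable.
INDICATORS = {
    "mutex": ["asfgjkl878645165456fa888"],
    "registry": ["RookPublicKey", "RookPrivateKey"],
    "ransom_note": ["HowToRestoreYourFiles.txt"],
    "extension": [".Rook"],
    "killed_service": ["Intuit.QuickBooks.FCS", "CASAD2DWebSvc", "CAARCUpdateSvc", "GxCIMgr"],
    "killed_process": ["sqbcoreservice.exe", "mydesktopqos.exe", "tbirdconfig.exe", "isqlplussvc.exe"],
    "excluded_path": ["Tor Browser", "Windows.old", "bootmgfw.efi", "iconcache.db"],
}

ENCODINGS = ("ascii", "utf-16le")


def find_indicators(data):
    """Map category -> {string: [(offset, encoding), ...]} for every hit in `data`.

    Each string is searched as ASCII and as UTF-16LE so that both narrow and
    wide string tables in a PE are covered.
    """
    hits = {}
    for category, needles in INDICATORS.items():
        for text in needles:
            for enc in ENCODINGS:
                needle = text.encode(enc)
                pos = data.find(needle)
                while pos != -1:
                    hits.setdefault(category, {}).setdefault(text, []).append((pos, enc))
                    pos = data.find(needle, pos + 1)
    return hits


def triage(data, min_categories=3):
    """Summarise hits; require several independent categories before calling
    the sample Rook-like, since any one string alone can be a coincidence
    (the kill lists, for instance, are shared with other families)."""
    hits = find_indicators(data)
    return {
        "categories": sorted(hits),
        "verdict": "rook_like" if len(hits) >= min_categories else "inconclusive",
    }


def triage_file(path, min_categories=3):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as f:
        return triage(f.read(), min_categories)


# Constructed blob imitating a PE data section; not a real Rook sample.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"asfgjkl878645165456fa888\x00"
    + b"\xcc" * 8
    + "Software\\RookPublicKey".encode("utf-16le") + b"\x00\x00"
    + "HowToRestoreYourFiles.txt".encode("utf-16le") + b"\x00\x00"
    + b"GET /index.html HTTP/1.1\r\n"
)

if __name__ == "__main__":
    for category, found in find_indicators(SAMPLE_BLOB).items():
        for text, where in found.items():
            print(f"{category:14} {text!r} at {where}")
    print(triage(SAMPLE_BLOB))
```

Run `triage_file("suspect.bin")` against a quarantined sample. Packed or encrypted samples will show nothing until unpacked, so an empty result is inconclusive rather than a clean bill of health; the hashes in Table 4 and the behavioural indicators above remain the stronger signal.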

 

Customer Protection

Rook ransomware is blocked and detected by existing policies within VMware Carbon Black products. To learn more about ransomware behaviour and the detection and protection capabilities of the VMware Carbon Black suite of products against Rook ransomware, refer to the following post:

TAU-TIN - Ransomware Threats

 

Indicators of Compromise (IOCs)

Indicator                                                           Type     Context
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789    SHA256   Rook Ransomware
104d9e31e34ba8517f701552594f1fc167550964                            SHA1     Rook Ransomware
bec9b3480934ce3d30c25e1272f60d02                                    MD5      Rook Ransomware

Table 4. Indicators of compromise

 

About TAU-TIN

TAU-TIN (Threat Analysis Unit - Threat Intelligence Notification) is a report by Carbon Black's TAU (Threat Analysis Unit) to help customers detect and prevent emerging threats.

To receive future notifications, navigate to the TAU-TIN label on UeX and then click Subscribe.

