Threat Analysis Unit - Threat Intelligence Notification
Title: Rook Ransomware
Summary
A newly discovered ransomware family, Rook, threatens to leak the victim's data if they do not contact the attacker and pay the demanded ransom. It also deletes volume shadow copies, preventing victims from recovering their data. Rook has many similarities with Babuk ransomware, from the style of its ransom note to code reuse.
Behavioral Summary
Rook ransomware may append an extension such as ".Rook" to each encrypted file. In addition, it creates a ransom note named "HowToRestoreYourFiles.txt" in every folder.
Figure 1. Screenshot of ransom note
In addition, Rook ransomware deletes volume shadow copies, preventing victims from recovering encrypted data. The Rook ransomware process chart is shown in Figure 2 below.
Figure 2: Process Chart of Rook Ransomware
It also prints a console log of each stage to the command prompt, as shown in Figure 3 below.
Figure 3: Console log of ransomware
Rook also stores the public key and private key used for encryption in the registry keys below, but later erases them:
- HKEY_CURRENT_USER\Software\RookPublicKey
- HKEY_CURRENT_USER\Software\RookPrivateKey
Rook creates a mutex named "asfgjkl878645165456fa888" to avoid running multiple instances at the same time. Furthermore, it terminates Windows services and processes that are hard-coded in the binary, as listed in Table 1 and Table 2:
- memtas
- backup
- DefWatch
- QBIDPService
- mepacs
- GxVss
- ccEvtMgr
- Intuit.QuickBooks.FCS
- vss
- GxBlr
- ccSetMgr
- QBCFMonitorService
- sql
- GxFWD
- SavRoam
- AcrSch2Svc
- svc$
- GxCVD
- RTVscan
- AcronisAgent
- veeam
- GxCIMgr
- QBFCService
- CASAD2DWebSvc
- CAARCUpdateSvc
Table 1: List of services to be terminated
Rook has a list of files and folders to exclude from encryption, as shown in Table 3.
- Mozilla Firefox
- bootmgr
- ntuser.ini
- Tor Browser
- $Recycle.Bin
- bootmgr.efi
- thumbs.db
- Internet Explorer
- ProgramData
- bootmgfw.efi
- Program Files
- Google
- All Users
- desktop.ini
- Program Files (x86)
- Opera
- autorun.inf
- iconcache.db
- AppData
- Opera Software
- boot.ini
- ntldr
- Boot
- Mozilla
- bootfont.bin
- ntuser.dat
- Windows
- #recycle
- bootsect.bak
- ntuser.dat.log
- Windows.old
Table 3: List of files and folders excluded from encryption
Customer Protection
Rook Ransomware is blocked and detected by existing policies within VMware Carbon Black products. To learn more about further ransomware behaviour, detection and protection capabilities within the VMware Carbon Black suite of products against Rook Ransomware, you may refer to the following blog post:
TAU-TIN - Ransomware Threats
Indicators of Compromise (IOCs)
Indicator | Type | Context
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789 | SHA256 | Rook Ransomware
104d9e31e34ba8517f701552594f1fc167550964 | SHA1 | Rook Ransomware
bec9b3480934ce3d30c25e1272f60d02 | MD5 | Rook Ransomware
Table 4: Indicators of compromise
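The behavioural indicators in this notification (the ".Rook" extension, the "HowToRestoreYourFiles.txt" note, the RookPublicKey/RookPrivateKey registry values, the mutex name and the service list in Table 1) and the hashes in Table 4 can be turned into host-level detection logic. The following is an added example written for this page; it is not Carbon Black code and does not reflect how the Carbon Black sensor matches these indicators. It assumes a constructed event schema (dicts with "host", "type" and per-type fields such as "path", "key", "name", "service", "hash"), and because the notification does not state how Rook matches service names (entries like "sql" and "svc$" look like patterns rather than full names), it assumes a case-insensitive substring match for Table 1.

```python
"""Detection helpers for the Rook indicators described in this notification.

Added example, not Carbon Black code. Event records are plain dicts with
constructed field names ("host", "type", "path", "key", "name", "service",
"hash"); real telemetry uses its own schema and needs a mapping step first.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Indicators as given in the notification (compared case-insensitively).
RANSOM_NOTE = "howtorestoreyourfiles.txt"
ENCRYPTED_EXT = ".rook"
MUTEX_NAME = "asfgjkl878645165456fa888"
REGISTRY_KEYS = {
    r"hkey_current_user\software\rookpublickey",
    r"hkey_current_user\software\rookprivatekey",
}
# Table 1. The matching rule is not stated in the notification; entries such
# as "sql" and "svc$" suggest patterns, so this example assumes a substring
# match on the lowercased service name.
TARGETED_SERVICES = [s.lower() for s in (
    "memtas", "backup", "DefWatch", "QBIDPService", "mepacs", "GxVss",
    "ccEvtMgr", "Intuit.QuickBooks.FCS", "vss", "GxBlr", "ccSetMgr",
    "QBCFMonitorService", "sql", "GxFWD", "SavRoam", "AcrSch2Svc", "svc$",
    "GxCVD", "RTVscan", "AcronisAgent", "veeam", "GxCIMgr", "QBFCService",
    "CASAD2DWebSvc", "CAARCUpdateSvc",
)]
# Table 4, keyed by lowercase digest.
IOC_HASHES = {
    "f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789": "sha256",
    "104d9e31e34ba8517f701552594f1fc167550964": "sha1",
    "bec9b3480934ce3d30c25e1272f60d02": "md5",
}


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the Rook indicators matched by one event record."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "file_create":
        # Compare only the final path component, whatever separator was logged.
        name = ev.get("path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE:
            hits.append("ransom_note")
        if name.endswith(ENCRYPTED_EXT):
            hits.append("encrypted_extension")
    elif kind == "registry_set":
        if ev.get("key", "").lower() in REGISTRY_KEYS:
            hits.append("key_material_in_registry")
    elif kind == "mutex_create":
        if ev.get("name") == MUTEX_NAME:
            hits.append("rook_mutex")
    elif kind == "service_stop":
        svc = ev.get("service", "").lower()
        if any(pattern in svc for pattern in TARGETED_SERVICES):
            hits.append("targeted_service_stop")
    elif kind == "process_hash":
        algo = IOC_HASHES.get(ev.get("hash", "").lower())
        if algo:
            hits.append(f"ioc_{algo}")
    return hits


def triage(events: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group matched indicators per host and decide which hosts warrant an alert.

    A known-bad hash is enough on its own. Behavioural indicators need at least
    two distinct kinds on the same host: one stopped backup service or one odd
    file name is weak evidence by itself, while mutex + registry key material +
    ransom note is the chain the notification describes.
    """
    per_host: Dict[str, set] = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify_event(ev))
    report: Dict[str, Dict[str, object]] = {}
    for host, found in per_host.items():
        ioc_hit = any(name.startswith("ioc_") for name in found)
        report[host] = {"indicators": sorted(found), "alert": ioc_hit or len(found) >= 2}
    return report


# Constructed sample telemetry: WS01 shows the sequence the notification
# describes, WS02 shows ordinary activity that must not alert.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "mutex_create", "name": "asfgjkl878645165456fa888"},
    {"host": "WS01", "type": "registry_set", "key": r"HKEY_CURRENT_USER\Software\RookPrivateKey"},
    {"host": "WS01", "type": "service_stop", "service": "AcronisAgent"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\alice\Documents\budget.xlsx.Rook"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\alice\Documents\HowToRestoreYourFiles.txt"},
    {"host": "WS02", "type": "file_create", "path": r"C:\Users\bob\Documents\notes.txt"},
    {"host": "WS02", "type": "service_stop", "service": "Spooler"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, "ALERT" if result["alert"] else "ok", result["indicators"])
```

The two-indicator threshold in `triage` is a design choice for this example, not a Carbon Black policy: it keeps a lone service stop from paging anyone while still firing before encryption finishes, since the mutex and registry writes happen before the ".Rook" files appear. Because the registry values are deleted later, a detection that only polls the registry on a schedule can miss them; it needs to match the registry write event itself.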
About TAU-TIN
TAU-TIN (Threat Analysis Unit - Threat Intelligence Notification) is a report by Carbon Black's TAU (Threat Analysis Unit) to help customers detect and prevent emerging threats.
To receive future notifications, navigate to the TAU-TIN label on UeX and then click Subscribe.