Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New Rook Ransomware borrows code from Babuk

Recently launched ransomware operation, named Rook, made headlines for its announcement claiming a desperate need a lot of money. A new ransomware operation named Rook appeared in the threat landscape, it was first reported by researcher Zach Allen and caught the attention of the experts for its blatant announcement that claims a desperate need to […]

rook ransomware

Recently launched ransomware operation, named Rook, made headlines for its announcement claiming a desperate need a lot of money.

A new ransomware operation named Rook appeared in the threat landscape, it was first reported by researcher Zach Allen and caught the attention of the experts for its blatant announcement that claims a desperate need to make “a lot of money” by breaching corporate networks.

On November 30th, Rook ransomware gang published the name of the first victim, a Kazkh financial institution, on its leak site.

Researchers at SentinelLabs analyzed the malware and noticed significant overlaps with the Babuk ransomware.

The attack chain starts with phishing messages, experts also reported attacks leveraging third-party framework, such as Cobalt Strike, to drop the malware.

The malware is packed with UPX although researchers also observed the use of crypters to avoid detection.

Upon execution, the Rook ransomware attempts to terminate processes related to security software or other application that could interfere with the encryption process. Like other ransomware families, Rook will also attempt to delete volume shadow copies to prevent victims from restoring from backup without paying the ransom.

“The ransomware attempts to terminate any process that may interfere with encryption. Interestingly, we see the kph.sys driver from Process Hacker come into play in process termination in some cases but not others. This likely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific engagements.” reads the post published by the analysis published by SentinelLabs.

Early variants of Rook ransomware appends a .TOWER extension, while all current variants use the .ROOK extension.

The samples analyzed by the researchers don’t implement any persistence mechanisms. Experts noticed numerous code similarities between Rook and Babuk, which had its its source code leaked on a hacking forum in September 2021.

“Babuk and Rook use EnumDependentServicesA API to retrieve the name and status of each service that depends on the specified service before terminating. They enumerate all services in the system and stop all of those which exist in a hardcoded list in the malware. Using OpenSCManagerA API, the code gets the Service Control Manager, gets the handle and then enumerates all services in the system.” continues the analysis. “In addition, both Rook and Babuk use the functions CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, and TerminateProcess to enumerate running processes and kill any found to match those in a hardcoded list.”

Researchers also noted an overlap with regards to some of the environmental checks implemented by the ransomware to avoid being analyzed.

Researchers also published Indicators of Compromise (IoCs) for the new threat.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Rook ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]