"Organizations Targeted With Babuk-Based Rook Ransomware"

Security researchers have found a new ransomware variant dubbed Rook. Rook shows numerous similarities with Babuk, and researchers have determined that it was built from Babuk source code that was leaked online earlier this year. Rook was first seen on VirusTotal on November 26, and its first victim was identified on November 30. That first victim was a financial institution: the ransomware encrypted the organization's files, and the Rook gang stole roughly one terabyte of data for use in extortion. Researchers report that the ransomware is delivered through a third-party framework such as Cobalt Strike, though phishing emails carrying Rook have also been observed. Once executed on the victim's machine, the malware attempts to terminate any processes that might interfere with encryption. The attackers also attempt to disable security products and delete volume shadow copies so that victims cannot restore their data from local backups. During encryption the ransomware appends the .ROOK extension to each encrypted file and, once the process is complete, deletes itself from the machine. Rook's operators practice double extortion, threatening to publish the stolen data unless a ransom is paid in exchange for a decryption tool. On their Tor website the gang has already listed three victim companies, along with data stolen from those that refused to pay.
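Two of the behaviours described above, deletion of volume shadow copies and mass renaming of files to the .ROOK extension, are the kind of thing a SOC can alert on from endpoint telemetry. The following is an added example written for this page, not code from the SecurityWeek article or from any researcher cited in it. The pipe-separated log format, the sample events, the specific command-line patterns for shadow-copy deletion and the rename threshold are all assumptions made for the example; only the .ROOK extension comes from the article.

```python
"""Toy detection logic for Rook-style ransomware behaviour over endpoint logs.

Added example (not from the original article). Assumed log format, one event
per line:  timestamp|host|event|detail
  event = process_create  -> detail is the command line
  event = file_rename     -> detail is "old_path -> new_path"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command fragments commonly associated with shadow-copy deletion. The article
# only says the actors delete volume shadow copies; these patterns are an
# assumption about what that looks like in process-creation telemetry.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
]

RANSOM_EXTENSION = ".ROOK"  # extension named in the article


def parse_line(line):
    """Parse one 'timestamp|host|event|detail' line; return None if malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, event, detail = parts
    # 'Z' suffix is normalised so datetime.fromisoformat accepts it on Python < 3.11
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "event": event,
        "detail": detail,
    }


def detect(lines, rename_threshold=5, window=timedelta(seconds=60)):
    """Return alerts for shadow-copy deletion commands and for any host on which
    at least `rename_threshold` files gained RANSOM_EXTENSION within `window`."""
    alerts = []
    rename_times = defaultdict(list)  # host -> timestamps of .ROOK renames

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # skip lines that do not match the assumed format
        if ev["event"] == "process_create":
            if any(p.search(ev["detail"]) for p in SHADOW_DELETE_PATTERNS):
                alerts.append({"type": "shadow_copy_deletion", "host": ev["host"],
                               "ts": ev["ts"], "cmd": ev["detail"]})
        elif ev["event"] == "file_rename":
            new_path = ev["detail"].split(" -> ")[-1]
            if new_path.upper().endswith(RANSOM_EXTENSION):
                rename_times[ev["host"]].append(ev["ts"])

    # Sliding window over each host's rename timestamps: alert on the first
    # window that reaches the threshold, then move on to the next host.
    for host, stamps in rename_times.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= rename_threshold:
                alerts.append({"type": "mass_rename", "host": host,
                               "ts": stamps[hi], "count": hi - lo + 1})
                break
    return alerts


# Constructed sample telemetry (not real logs): WS-17 shows the ransomware
# pattern, WS-22 shows ordinary activity that must not trigger an alert.
SAMPLE_LOG = """\
2021-11-30T08:11:55Z|WS-22|process_create|C:\\Windows\\System32\\svchost.exe -k netsvcs
2021-11-30T08:12:01Z|WS-17|process_create|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2021-11-30T08:12:03Z|WS-17|file_rename|C:\\Finance\\q3.xlsx -> C:\\Finance\\q3.xlsx.ROOK
2021-11-30T08:12:03Z|WS-17|file_rename|C:\\Finance\\budget.docx -> C:\\Finance\\budget.docx.ROOK
2021-11-30T08:12:04Z|WS-17|file_rename|C:\\Finance\\ledger.csv -> C:\\Finance\\ledger.csv.ROOK
2021-11-30T08:12:04Z|WS-17|file_rename|C:\\Users\\jdoe\\notes.txt -> C:\\Users\\jdoe\\notes.txt.ROOK
2021-11-30T08:12:05Z|WS-17|file_rename|C:\\Users\\jdoe\\photo.jpg -> C:\\Users\\jdoe\\photo.jpg.ROOK
2021-11-30T08:12:06Z|WS-17|file_rename|C:\\Users\\jdoe\\plan.pdf -> C:\\Users\\jdoe\\plan.pdf.ROOK
2021-11-30T08:13:10Z|WS-22|file_rename|C:\\Users\\asmith\\draft.docx -> C:\\Users\\asmith\\draft_v2.docx
"""

ALERTS = detect(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for a in ALERTS:
        print(a)
```

Both alerts fire for WS-17 only: the shadow-copy deletion command is caught by a single event, while the rename burst is caught because six .ROOK renames land within a few seconds. Real deployments would feed this from Sysmon or EDR process and file events, tune the threshold per environment, and treat the shadow-copy alert as high priority on its own, since it typically precedes encryption rather than following it.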
SecurityWeek reports: "Organizations Targeted With Babuk-Based Rook Ransomware"