Figure: Rook dropping kph.sys
The ransomware attempts to terminate any process that may
interfere with encryption. Interestingly, we see the
kph.sys driver from Process Hacker come into play in
process termination in some cases but not others. This
likely reflects the attacker’s need to leverage the driver
to disable certain local security solutions on specific
There are numerous process names, service names and folder names
included in each sample’s configuration. For example, in
the following processes, services and folders are excluded
from the encryption process:
Process names skipped:
Service names terminated:
Folder names skipped:
Program Files (x86)
Like most modern ransomware families, Rook will also attempt to
delete volume shadow copies to prevent victims from
restoring from backup. This is achieved via
Figure: Rook & vssadmin.exe as seen in
The following syntax is used:
vssadmin.exe delete shadows /all /quiet
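The two behaviours described above, dropping the Process Hacker kph.sys driver and deleting shadow copies with vssadmin, both leave telemetry a defender can match on. The following is an added example, not code from the SentinelLabs post, that runs simple detection logic over constructed Sysmon-style event records (Event ID 6 driver loads and Event ID 1 process creations); the parent image names, paths and events are invented for illustration. The vssadmin matcher goes slightly beyond the single syntax quoted in the post: it tolerates a quoted full path, a missing .exe, any letter case, and the switches in either order, and it reports separately whether the exact /all /quiet form was used.

```python
"""Flag two Rook behaviours in Sysmon-style telemetry: a load of the
Process Hacker kph.sys driver (Event ID 6) and a `vssadmin delete shadows`
process creation (Event ID 1).

Added example, not code from the SentinelLabs post. The records below are
constructed to resemble Sysmon fields; they are not real telemetry.
"""

# Constructed sample events (field names follow Sysmon's naming).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\kph.sys"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Public\rook_sample.exe",   # invented parent
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "VSSADMIN Delete Shadows /Quiet /All"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" delete shadows /for=C: /oldest'},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe delete shadows /all /quiet"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a possibly quoted Windows path."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def is_process_hacker_driver(image_loaded: str) -> bool:
    """Name-based match for the kph.sys driver the post shows Rook dropping.
    A renamed copy would evade this; matching the driver's hash or signer
    (not given on the page) is the stronger check."""
    return _basename(image_loaded) == "kph.sys"


def is_shadow_deletion(command_line: str) -> bool:
    """Match `vssadmin[.exe] delete shadows ...` regardless of case, path,
    quoting, or which switches follow."""
    tokens = command_line.split()
    if len(tokens) < 3:
        return False
    return (_basename(tokens[0]) in ("vssadmin", "vssadmin.exe")
            and tokens[1].lower() == "delete"
            and tokens[2].lower() == "shadows")


def has_quiet_all(command_line: str) -> bool:
    """True when the command carries both switches Rook uses (/all /quiet)."""
    switches = {t.lower() for t in command_line.split()[3:]}
    return {"/all", "/quiet"} <= switches


def scan(events):
    """Return one finding per matching event, in input order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 6 and is_process_hacker_driver(ev["ImageLoaded"]):
            findings.append({"rule": "process_hacker_driver_load",
                             "detail": ev["ImageLoaded"]})
        elif ev["EventID"] == 1 and is_shadow_deletion(ev["CommandLine"]):
            findings.append({"rule": "vssadmin_shadow_delete",
                             "parent": ev["ParentImage"],
                             "quiet_all": has_quiet_all(ev["CommandLine"]),
                             "detail": ev["CommandLine"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The parent image is carried into each finding because it is the most useful triage field: vssadmin launched by an administrator's shell is routine, while vssadmin launched from a user-writable directory by an unknown binary is the pattern the post describes.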
variants of Rook were reported to have used a
extension. All current variants seen by SentinelLabs use the
on affected files.
In the samples we analyzed, no persistence mechanisms were
observed, and after the malware runs through its execution,
it cleans up by deleting itself.
There are a number of code similarities between Rook and Babuk.
Based on the samples available so far, this appears to be an
opportunistic result of the various Babuk source-code leaks
we have seen over 2021, including leaks of both the compiled
builders as well as the actual source. On this basis, we
surmise that Rook is just the latest example of an apparently
novel ransomware capitalizing on the ready availability of
Babuk and Rook use the
EnumDependentServicesA API to
retrieve the name and status of each service that depends on
the specified service before terminating it. They enumerate all
services in the system and stop all of those which exist in
a hardcoded list in the malware. Using the
API, the code opens the Service Control Manager, obtains its
handle and then enumerates all services in the system.
Figure: Rook enumerates all services
Figure: Rook service termination
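Because the malware walks every service and stops those on its list, and EnumDependentServicesA takes dependent services down with them, the host-side symptom is many distinct services entering the stopped state within a few seconds. The following is an added example, not code from the SentinelLabs post, that groups Service Control Manager Event ID 7036 lines into bursts and reports the ones large enough to be suspicious. The log lines are constructed to match the shape of that event's message text, and the service names in them are invented.

```python
"""Spot a burst of service stops of the kind described above: many distinct
services entering the stopped state within seconds of each other.

Added example, not code from the SentinelLabs post. The lines below are
constructed in the shape of Service Control Manager Event ID 7036
messages; the service names are invented for illustration.
"""
import re
from datetime import datetime

# Constructed sample log: one isolated stop, a burst of five, and a later
# routine stop. A 'running' transition is included to show it is ignored.
SAMPLE_LOG = """\
2021-12-01T10:00:00 7036 The Windows Update service entered the stopped state.
2021-12-01T10:15:03 7036 The Database Engine service entered the stopped state.
2021-12-01T10:15:03 7036 The Database Agent service entered the stopped state.
2021-12-01T10:15:04 7036 The Backup Agent service entered the stopped state.
2021-12-01T10:15:04 7036 The Volume Shadow Copy service entered the stopped state.
2021-12-01T10:15:05 7036 The Mail Server service entered the stopped state.
2021-12-01T10:15:05 7036 The Print Spooler service entered the running state.
2021-12-01T11:30:00 7036 The Print Spooler service entered the stopped state.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) 7036 The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$")


def parse_stops(log_text):
    """Return (timestamp, service name) for every 'stopped state' line."""
    stops = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("state") == "stopped":
            stops.append((datetime.fromisoformat(m.group("ts")), m.group("svc")))
    return stops


def find_bursts(stops, max_gap_seconds=10, min_services=5):
    """Cluster stops whose timestamp is within max_gap_seconds of the
    previous stop, and return clusters touching at least min_services
    distinct services as (start, end, sorted service names)."""
    clusters, current = [], []
    for ts, name in sorted(stops):
        if current and (ts - current[-1][0]).total_seconds() > max_gap_seconds:
            clusters.append(current)
            current = []
        current.append((ts, name))
    if current:
        clusters.append(current)

    bursts = []
    for cluster in clusters:
        names = sorted({n for _, n in cluster})
        if len(names) >= min_services:
            bursts.append((cluster[0][0], cluster[-1][0], names))
    return bursts


if __name__ == "__main__":
    for start, end, names in find_bursts(parse_stops(SAMPLE_LOG)):
        print(f"{start} -> {end}: {len(names)} services stopped: {', '.join(names)}")
```

The gap and count thresholds are deliberately parameters: a reboot or a patch cycle also stops many services, so in practice the rule is tuned per host role and corroborated with the process that issued the stops rather than used on its own.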
In addition, both Rook and Babuk use the functions
to enumerate running processes
and kill any found to match those in a hardcoded list.
Figure: Babuk and Rook share the same process exclusion list
Also similar is the use of the Windows Restart Manager API to aid
with process termination, which includes processes related
to MS Office products and the popular gaming platform Steam.
Figure: Babuk process termination
We noted overlap with regard to some of the environmental
checks and subsequent behaviors, including the removal of
Volume Shadow Copies.
Babuk and Rook check whether the sample is executing on a 64-bit
OS, then delete the shadow volumes of the victim machine. The
code flows to
disable file system redirection before calling
ShellExecuteW to delete the shadow copies.
Figure: Babuk VSS deletion (similar to
Babuk and Rook implement similar code for enumerating local
drives. Rook checks for the local drives alphabetically as
Figure: Enumerating local drives
Rook Victim Website
Like other recent ransomware varieties, Rook embraces a
dual-pronged extortion approach: an initial demand for
payment to unlock encrypted files, followed by public
threats via the operators’ website to leak exfiltrated data
should the victim fail to comply with the ransom demand.
Figure: Rook’s welcome message
The TOR-based site is used to name victims and host any data
should the victim decide not to cooperate. Rook also uses
the site to openly boast of having the “latest vulnerability
database” and “we can always penetrate the target system” as
well as their desire for success: “We desperately need a lot
These statements appear under the heading of “why us?” and could
be intended to attract affiliates as well as convince
victims that they mean business.
Figure: About Rook (TOR-based website)
At the time of writing, three companies have been listed on
the Rook blog, spanning different industries.
Figure: Expanded victim data
ransomware – high
reward for low risk – and the ready availability of source
code from leaks like Babuk, it’s inevitable that the
proliferation of new ransomware groups we’re seeing now is
only going to continue. Rook may be here today and gone
tomorrow, or it could stick around until the actors behind
it decide they’ve had enough (or made enough), but what is
certain is that Rook won’t be the last malware we see
feeding off the leaked Babuk code.
Add that to the incentive provided by recent vulnerabilities
that can allow initial access without great technical skill,
and enterprise security teams have a recipe for a busy year
ahead. Prevention is critical, along with well-documented
and tested disaster recovery (DRP) and business continuity (BCP)
procedures. All SentinelOne customers
are protected from Rook ransomware.