{
	"id": "8faec10b-117e-465a-a0da-c307f5b348da",
	"created_at": "2026-04-06T00:21:02.669597Z",
	"updated_at": "2026-04-10T03:30:32.768747Z",
	"deleted_at": null,
	"sha1_hash": "2f84ced0d71f6f13a6407cebf66f3482e9a365bb",
	"title": "New Rook Ransomware Feeds Off the Code of Babuk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3428933,
	"plain_text": "New Rook Ransomware Feeds Off the Code of Babuk\r\nBy Jim Walter\r\nPublished: 2021-12-23 · Archived: 2026-04-02 12:09:52 UTC\r\nBy Jim Walter and Niranjan Jayanand\r\nFirst noticed on VirusTotal on November 26th by researcher Zack Allen, Rook Ransomware initially attracted\r\nattention for the operators’ rather unorthodox self-introduction, which stated that “We desperately need a lot of\r\nmoney” and “We will stare at the internet”.\r\nhttps://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/\r\nPage 1 of 13\n\nThese odd pronouncements prompted some mirth on social media, but they were followed a few days later by\r\nmore serious news. On November 30th, Rook claimed its first victim: a Kazakh financial institution from which the\r\nRook operators had stolen 1123 GB of data, according to the gang’s victim website. Further victims have been\r\nclaimed since then.\r\nIn this post, we offer the first technical write-up of the Rook ransomware family, covering both its main high-level\r\nfeatures and its ties to the Babuk codebase.\r\nTechnical Details\r\nRook ransomware is primarily delivered via a third-party framework, for example Cobalt Strike; however,\r\ndelivery via phishing email has also been reported in the wild.\r\nIndividual samples are typically UPX packed, although alternate packers/crypters have been observed, such as\r\nVMProtect.\r\nUpon execution, Rook samples pop a command window, with differing output displayed. For example, some\r\nversions show the output path for kph.sys (the kernel driver component of Process Hacker), while others display inaccurate\r\ninformation around the use of ADS (Alternate Data Streams).\r\nFalse ADS message\r\nRook dropping kph.sys\r\nThe ransomware attempts to terminate any process that may interfere with encryption. Interestingly, we see the\r\nkph.sys driver from Process Hacker come into play in process termination in some cases but not others.\r\n
This\r\nlikely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific\r\nengagements.\r\nThere are numerous process names, service names, folder names and file names included in each sample’s configuration. For\r\nexample, in sample 19CE538B2597DA454ABF835CFF676C28B8EB66F7, the following processes, folders and files\r\nare skipped and the following services are terminated:\r\nProcess names skipped:\r\nsql.exe\r\noracle.exe\r\nocssd.exe\r\ndbsnmp.exe\r\nvisio.exe\r\nwinword.exe\r\nwordpad.exe\r\nnotepad.exe\r\nexcel.exe\r\nonenote.exe\r\noutlook.exe\r\nsynctime.exe\r\nagntsvc.exe\r\nisqlplussvc.exe\r\nxfssvccon.exe\r\nmydesktopservice.exe\r\nocautoupds.exe\r\nencsvc.exe\r\nfirefox.exe\r\ntbirdconfig.exe\r\nmydesktopqos.exe\r\nocomm.exe\r\ndbeng50.exe\r\nsqbcoreservice.exe\r\ninfopath.exe\r\nmsaccess.exe\r\nmspub.exe\r\npowerpnt.exe\r\nsteam.exe\r\nthebat.exe\r\nthunderbird.exe\r\nService names terminated:\r\nmemtas\r\nmepocs\r\nveeam\r\nbackup\r\nGxVss\r\nGxBlr\r\nGxFWD\r\nGxCVD\r\nGxCIMgr\r\nDefWatch\r\nccEvtMgr\r\nccSetMgr\r\nSavRoam\r\nRTVscan\r\nQBFCService\r\nQBIDPService\r\nIntuit.QuickBooks.FCS\r\nQBCFMonitorService\r\nAcrSch2Svc\r\nAcronisAgent\r\nCASAD2DWebSvc\r\nCAARCUpdateSvc\r\nFolder names skipped:\r\nProgram Files\r\nProgram Files (x86)\r\nAppData\r\nWindows\r\nWindows.old\r\nTor Browser\r\nInternet Explorer\r\nGoogle\r\nOpera\r\nOpera Software\r\nMozilla\r\nFile names skipped:\r\nautorun.inf\r\nboot.ini\r\nbootfont.bin\r\nbootsect.bak\r\nbootmgr\r\nbootmgr.efi\r\nbootmgfw.efi\r\ndesktop.ini\r\niconcache.db\r\nntldr\r\nntuser.dat\r\nntuser.dat.log\r\nntuser.ini\r\nthumbs.db\r\nAs with most modern ransomware families,\r\n
Rook will also attempt to delete volume shadow copies to prevent\r\nvictims from restoring files from shadow-copy snapshots. This is achieved via vssadmin.exe.\r\nRook \u0026 vssadmin.exe as seen in SentinelOne console\r\nThe following syntax is used:\r\nvssadmin.exe delete shadows /all /quiet\r\nEarly variants of Rook were reported to have used a .TOWER extension. All current variants seen by SentinelLabs\r\nuse the .ROOK extension.\r\n.ROOK extension on affected files\r\nIn the samples we analyzed, no persistence mechanisms were observed, and after the malware runs through its\r\nexecution, it cleans up by deleting itself.\r\nBabuk Overlaps\r\nThere are a number of code similarities between Rook and Babuk. Based on the samples available so far, this\r\nappears to be an opportunistic result of the various Babuk source-code leaks we have seen over 2021, including\r\nleaks of both the compiled builders and the actual source code. On this basis, we surmise that Rook is just the\r\nlatest example of an apparently novel ransomware capitalizing on the ready availability of Babuk source code.\r\nBabuk and Rook use the EnumDependentServicesA API to retrieve the name and status of each service that depends\r\non a targeted service, so that the dependents can be stopped before the target itself. They enumerate all services on the system and stop every one\r\nwhose name appears in a hardcoded list in the malware.\r\n
Using the OpenSCManagerA API, the code obtains a handle to the Service Control Manager\r\nand then enumerates all services on the system.\r\nRook enumerates all services\r\nService names in the hardcoded list:\r\nVeeam\r\nBackup\r\nGxVss\r\nGxBlr\r\nGxFWD\r\nGxCVD\r\nGXCIMgr\r\nDefWatch\r\nccEvtMgr\r\nccSetMgr\r\nSavRoam\r\nRTVscan\r\nQBFCService\r\nQBIDPService\r\nIntuit.QuickBooks.FCS\r\nQBCFMonitorService\r\nYooBAckup\r\nYooIT\r\nZhudongfangyu\r\nSophos\r\nStc_raw_agent\r\nVSNAPVSS\r\nVeeamTransportSvc\r\nVeeamDeploymentService\r\nVeeamNFSSvc\r\nVeeam\r\nPDVFSService\r\nBackupExecVSSProvider\r\nBackupExecAgentAccelerator\r\nBackupExecAgentBrowser\r\nBackupExecDiveciMediaService\r\nBackupExecJobEngine\r\nBackupExecManagementService\r\nBackupExecRPCService\r\nAcrSch2Svc\r\nAcronisAgent\r\nCASAD2DWebSvc\r\nCAARCUpdateSvc\r\nRook service termination\r\nIn addition, both Rook and Babuk use the functions CreateToolhelp32Snapshot, Process32FirstW,\r\nProcess32NextW, OpenProcess, and TerminateProcess to enumerate running processes and kill any found to\r\nmatch those in a hardcoded list.\r\nBabuk and Rook share the same process exclusion list\r\nAlso similar is the use of the Windows Restart Manager API to aid process termination by identifying and shutting down\r\nprocesses that hold open handles to files about to be encrypted, including processes related to MS Office products and the\r\npopular gaming platform Steam.\r\nBabuk Process termination\r\nWe also noted overlap with regard to some of the environmental checks and subsequent behaviors, including the\r\nremoval of Volume Shadow Copies.\r\nBoth Babuk and Rook check if the sample is executed on a 64-bit OS, then delete the shadow volumes of the user\r\nmachine.\r\n
The code flows to Wow64DisableWow64FsRedirection to disable file system redirection before calling\r\nShellExecuteW to delete shadow copies; without this, a 32-bit sample on 64-bit Windows would have its System32 path resolved to\r\nSysWOW64 instead.\r\nBabuk VSS deletion (similar to Rook)\r\nBabuk and Rook implement similar code for enumerating local drives. Rook checks for the local drives\r\nalphabetically as shown below.\r\nEnumerating local drives\r\nThe Rook Victim Website\r\nLike other recent ransomware varieties, Rook embraces a double-extortion approach: an initial demand for\r\npayment to unlock encrypted files, followed by public threats via the operators’ website to leak exfiltrated data\r\nshould the victim fail to comply with the ransom demand.\r\nRook’s welcome message (TOR-based website)\r\nThis TOR-based site is used to name victims and to host their stolen data should they decide not to cooperate. Rook\r\nalso uses the site to openly boast of having the “latest vulnerability database” and that “we can always penetrate the\r\ntarget system”, as well as of their desire for success: “We desperately need a lot of money”.\r\nThese statements appear under the heading of “why us?” and could be intended to attract affiliates as well as to\r\nconvince victims that they mean business.\r\nAbout Rook (TOR-based website)\r\nAt the time of writing, three companies have been listed on the Rook blog, spanning different industries.\r\nExpanded victim data\r\nConclusion\r\nGiven the economics of ransomware – high reward for low risk – and the ready availability of source code from\r\nleaks like Babuk, it’s inevitable that the proliferation of new ransomware groups we’re seeing now is only going\r\nto continue.\r\n
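The shadow-copy deletion and the bulk stopping of backup and security services described above are the most log-visible steps of the chain, so they are where a defender would place detections. The following Python script is an added example and is not code from the original post or from SentinelOne: the key=value log format, the host names, the timestamps and the parent process name payload.exe are constructed for the example, the service names come from the kill list quoted above, and the wmic shadowcopy delete form is a generalisation of the same technique (T1490) that the post does not report for Rook.

```python
# Added example, not code from the SentinelOne post: detection logic for two
# Rook/Babuk behaviours over constructed process-creation and service-stop
# telemetry (key=value lines; the format, hosts, timestamps and payload.exe
# are assumptions made for the example).
import shlex
from datetime import datetime, timedelta

# Subset of the hardcoded service kill list quoted in the article, lowercased
# because Service Control Manager names are case-insensitive.
KILL_LIST_SERVICES = {
    'memtas', 'mepocs', 'veeam', 'backup', 'gxvss', 'gxblr', 'gxfwd', 'gxcvd',
    'gxcimgr', 'defwatch', 'ccevtmgr', 'ccsetmgr', 'savroam', 'rtvscan',
    'qbfcservice', 'qbidpservice', 'intuit.quickbooks.fcs', 'qbcfmonitorservice',
    'veeamtransportsvc', 'veeamdeploymentservice', 'veeamnfssvc', 'vsnapvss',
    'backupexecvssprovider', 'backupexecjobengine', 'backupexecrpcservice',
    'acrsch2svc', 'acronisagent', 'casad2dwebsvc', 'caarcupdatesvc',
}

# Shadow-copy deletion forms (MITRE T1490). The article documents the vssadmin
# command line; the wmic form is the common equivalent and is my generalisation,
# not something the article reports for Rook.
SHADOW_DELETE_PATTERNS = (
    ('vssadmin', 'delete', 'shadows'),
    ('wmic', 'shadowcopy', 'delete'),
)


def parse_line(line):
    '''Parse one line of the form TIMESTAMP key=value (values may be single-quoted).'''
    parts = shlex.split(line)
    event = {'time': datetime.strptime(parts[0], '%Y-%m-%dT%H:%M:%SZ')}
    for part in parts[1:]:
        key, _, value = part.partition('=')
        event[key] = value
    return event


def is_shadow_copy_deletion(command_line):
    '''True if every keyword of some deletion pattern occurs in the command line.'''
    cl = command_line.lower()
    return any(all(word in cl for word in pattern) for pattern in SHADOW_DELETE_PATTERNS)


def find_shadow_copy_deletions(events):
    '''One alert (host, parent process, command line) per matching process start.'''
    return [
        (e['host'], e.get('parent', '?'), e['cmd'])
        for e in events
        if e.get('event') == 'ProcessCreate' and is_shadow_copy_deletion(e.get('cmd', ''))
    ]


def find_service_stop_bursts(events, window_seconds=60, min_services=3):
    '''Alert when at least min_services distinct kill-list services stop on one
    host inside window_seconds. A single stop is routine; a burst across
    backup and AV products is the pre-encryption sweep described above.'''
    window = timedelta(seconds=window_seconds)
    stops = [e for e in events
             if e.get('event') == 'ServiceStop'
             and e.get('service', '').lower() in KILL_LIST_SERVICES]
    alerts = []
    for host in sorted({e['host'] for e in stops}):
        host_stops = sorted((e for e in stops if e['host'] == host), key=lambda e: e['time'])
        for i, first in enumerate(host_stops):
            in_window = {e['service'].lower() for e in host_stops[i:]
                         if e['time'] - first['time'] <= window}
            if len(in_window) >= min_services:
                alerts.append((host, sorted(in_window)))
                break  # one alert per host is enough
    return alerts


def analyse(log_text):
    '''Run both detections over a block of log lines and return the alerts.'''
    events = [parse_line(line) for line in log_text.strip().splitlines() if line.strip()]
    return {
        'shadow_copy_deletion': find_shadow_copy_deletions(events),
        'service_stop_burst': find_service_stop_bursts(events),
    }


# Constructed sample telemetry: FS01 shows the Rook pattern (payload.exe is a
# placeholder for the ransomware binary); WS07 shows benign activity that must
# not alert (one backup-agent restart, a read-only vssadmin listing).
SAMPLE_LOG = '''
2021-12-01T10:14:01Z host=FS01 event=ServiceStop service=VeeamTransportSvc
2021-12-01T10:14:01Z host=FS01 event=ServiceStop service=VeeamNFSSvc
2021-12-01T10:14:02Z host=FS01 event=ServiceStop service=AcronisAgent
2021-12-01T10:14:02Z host=FS01 event=ServiceStop service=Spooler
2021-12-01T10:14:05Z host=FS01 event=ProcessCreate parent=payload.exe cmd='vssadmin.exe delete shadows /all /quiet'
2021-12-01T09:30:00Z host=WS07 event=ServiceStop service=AcronisAgent
2021-12-01T09:31:10Z host=WS07 event=ProcessCreate parent=cmd.exe cmd='vssadmin.exe list shadows'
'''

if __name__ == '__main__':
    for detection, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(detection, hit)
```

Run as a script it prints one alert of each kind for FS01 and nothing for WS07. The burst threshold (three distinct kill-list services within 60 seconds on one host) is an assumed starting point to be tuned against your own baseline, since a single backup-service restart is routine while the ransomware stops dozens of services within seconds.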
Rook may be here today and gone tomorrow, or it could stick around until the actors behind it decide\r\nthey’ve had enough (or made enough), but what is certain is that Rook won’t be the last malware we see feeding\r\noff the leaked Babuk code.\r\nAdd to that the incentive provided by recent vulnerabilities such as the Log4j 2 (log4j2) flaw, which can allow initial access without\r\ngreat technical skill, and enterprise security teams have a recipe for a busy year ahead. Prevention is critical, along\r\nwith well-documented and tested disaster recovery (DRP) and business continuity (BCP) procedures. All SentinelOne customers are protected from Rook\r\nransomware.\r\nIndicators of Compromise\r\nSHA1\r\n104d9e31e34ba8517f701552594f1fc167550964\r\n19ce538b2597da454abf835cff676c28b8eb66f7\r\n36de7997949ac3b9b456023fb072b9a8cd84ade8\r\nSHA256\r\nf87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789\r\nc2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac\r\n96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b\r\nMITRE ATT\u0026CK\r\nT1027.002 – Obfuscated Files or Information: Software Packing\r\nT1007 – System Service Discovery\r\nT1059 – Command and Scripting Interpreter\r\nTA0010 – Exfiltration\r\nT1082 – System Information Discovery\r\nT1490 – Inhibit System Recovery\r\nSource: https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/"
	],
	"report_names": [
		"new-rook-ransomware-feeds-off-the-code-of-babuk"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f84ced0d71f6f13a6407cebf66f3482e9a365bb.pdf",
		"text": "https://archive.orkl.eu/2f84ced0d71f6f13a6407cebf66f3482e9a365bb.txt",
		"img": "https://archive.orkl.eu/2f84ced0d71f6f13a6407cebf66f3482e9a365bb.jpg"
	}
}