Rook, the latest kid on the block among ransomware operations, first appeared on VirusTotal on 26 November 2021. Since its discovery, Rook has claimed victims across verticals such as banking, finance, technology and aerospace, and those victims have been announced on its TOR site. Like most ransomware operations, Rook uses a ‘double extortion’ approach to pressure victims into paying: the stolen data is displayed as proof of compromise, together with information on the total amount of data taken.
(Rook Tor Site)
(Victim’s compromised data is displayed on the TOR site)
Analyzing Rook
When executed, Rook encrypts all files, deletes backups via vssadmin.exe and removes itself from the compromised machine. It then leaves a ransom note.
(Rook ransom note)
Rook’s ransom notes state that compromised victims should contact the group within 3 days for the ransom amount to be subject to a “50% discount”. If this condition is not met, the company’s files will be leaked on the group’s onion network. The Rook team can be contacted via e-mail (rook@onionmail.org; securityRook@onionmail.org) or via the TOR browser link. The group also warns that if external help, whether software or third-party assistance, is used for decryption and restoration, the private key may be damaged, leading to a total loss of data.
Running the attack
Upon execution of the Rook ransomware, IBM Security ReaQta autonomously reconstructed the breach, providing complete visibility across attacker tactics and techniques.
ReaQta’s Behavioural Tree showing the Rook ransomware
The behavioral tree maps every process and behavior involved in the infection to MITRE ATT&CK tactics and techniques. Rook also runs the command vssadmin.exe delete shadows /all /quiet to delete Volume Shadow Copies, much as we have seen from Babuk and Avaddon. While some threat actors focus on preventing restoration, ReaQta provides an additional layer of defense through a unique feature called Detection Strategies (DeStra), with detections on the misuse of wmic.exe and vssadmin.exe.
(Rook is automatically stopped by ReaQta within seconds)
Within seconds of the infection, ReaQta prevented what would otherwise have been costly and tiresome business interruptions. Beyond stopping the threat, ReaQta’s AI algorithms automatically terminated every malicious process involved in the incident; the vssadmin.exe process was also terminated once the threat was neutralized. ReaQta then closed the alert, reducing the follow-up actions required of the security team.
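The shadow-copy deletion described above is the kind of behavior a detection strategy can key on. The following is an added example, not ReaQta’s code and not telemetry from this incident: a small Python rule that scans constructed process-creation records for vssadmin.exe or wmic.exe invocations that delete Volume Shadow Copies (the ATT&CK technique for this is T1490, Inhibit System Recovery), and ignores benign uses such as listing shadows.

```python
# Constructed sample process-creation records (parent image, image, command line); illustrative only.
SAMPLE_EVENTS = [
    ("C:\\Users\\bob\\Downloads\\invoice.exe", "C:\\Windows\\System32\\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "wmic shadowcopy delete"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\vssadmin.exe",
     "vssadmin.exe list shadows"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c "VSSADMIN.EXE Delete Shadows /All /Quiet"'),
]

# Tool basename -> (verbs, objects) that together mean "destroy Volume Shadow Copies".
SHADOW_DELETE_RULES = {
    "vssadmin": ({"delete"}, {"shadows"}),
    "wmic": ({"delete"}, {"shadowcopy"}),
}

def tokenize(cmdline):
    """Lowercase whitespace tokens, quotes stripped, path-like tokens reduced to their basename."""
    return [raw.strip('"').lower().rsplit("\\", 1)[-1] for raw in cmdline.split()]

def classify(cmdline):
    """Return a finding dict if the command line deletes shadow copies, else None."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks):
        tool = tok[:-4] if tok.endswith(".exe") else tok
        if tool not in SHADOW_DELETE_RULES:
            continue
        verbs, objects = SHADOW_DELETE_RULES[tool]
        args = set(toks[i + 1:])  # only what follows the tool name counts as its arguments
        if args & verbs and args & objects:
            return {"tool": tool, "technique": "T1490",  # ATT&CK: Inhibit System Recovery
                    "all_copies": "/all" in args, "quiet": "/quiet" in args}
    return None

def scan_events(events):
    """Apply the rule to each record; matches carry parent and image basenames for triage."""
    alerts = []
    for parent, image, cmdline in events:
        finding = classify(cmdline)
        if finding:
            finding["parent"] = parent.rsplit("\\", 1)[-1]
            finding["image"] = image.rsplit("\\", 1)[-1]
            alerts.append(finding)
    return alerts

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The fourth record shows why the rule tokenizes the whole command line rather than matching on the image name: the deletion is wrapped in cmd.exe, yet it is still flagged, while the plain listing command is not.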
Cyber threats will only continue to rise globally, given that the return on investment of such ransomware attacks has, unfortunately, been proven. The aftermath of such infections remains alarming, as an organization’s ‘crown jewels’ are seized and sensitive data is encrypted.
By default, all applications and platforms should be built with security in mind. This includes building security into the design of the organization’s processes in order to protect both the company’s and consumers’ data.
Organizations should also ask themselves: Are the security solutions they are using able to keep up with the pace of today’s threats? Are employees aware of the potential threats they may encounter?
IBM Security ReaQta’s customers stay protected from threats like Rook.
To learn more about how organizations can stay safe against unknown threats like ransomware, click here.