fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Rook Ransomware is yet Another Spawn of the lLaked Babuk Code

Rook Ransomware is yet Another Spawn of the lLaked Babuk Code

A new ransomware operation named Rook has appeared recently on the cyber-crime space, declaring a desperate need to make “a lot of money” by breaching corporate networks and encrypting devices.

Although the introductory statements on their data leak portal were marginally funny, the first victim announcements on the site have made it clear that Rook is not playing games.

Also Read: Compliance Course Singapore: Spotlight on the 3 Offerings

About Us section on Rook's leak portal
About Us section on Rook’s leak portal

Researchers at SentinelLabs have taken a deep dive into the new strain, revealing its technical details, infection chain, and how it overlaps with the Babuk ransomware.

Infection process

The Rook ransomware payload is usually delivered via Cobalt Strike, with phishing emails and shady torrent downloads being reported as the initial infection vector.

The payloads are packed with UPX or other crypters to help evade detection. When executed, the ransomware attempts to terminate processes related to security tools or anything that could interrupt the encryption.

Terminated services
Terminated services
Source: SentinelLabs

“Interestingly, we see the kph.sys driver from Process Hacker come into play in process termination in some cases but not others,” SentinelLabs explains in its report.

“This likely reflects the attacker’s need to leverage the driver to disable certain local security solutions on specific engagements.”

Volume shadow copy wiping process
Volume shadow copy wiping process
Source: SentinelLabs

Rook also uses vssadmin.exe to delete volume shadow copies, a standard tactic used by ransomware operations to prevent shadow volumes from being used to recover files.

Analysts have found no persistence mechanisms, so Rook will encrypt the files, append the “.Rook” extension and then delete itself from the compromised system.

Also Read: Considering Enterprise Risk Management Certification Singapore? Here Are 7 Best Outcomes

Files encrypted by Rook
Files encrypted by Rook
Source: SentinelLabs

Based on Babuk

SentinelLabs has found numerous code similarities between Rook and Babuk, a defunct RaaS that had its complete source code leaked on a Russian-speaking forum in September 2021.

For example, Rook uses the same API calls to retrieve the name and status of each running service and the same functions to terminate them.

Also, the list of processes and Windows services that are stopped are the same for both ransomware.

This includes the Steam gaming platform, the Microsoft Office and Outlook email client, and Mozilla Firefox and Thunderbird.

Other similarities include how the encryptor deletes shadow volume copies, uses the Windows Restart Manager API, and enumerates local drives.

Enumerating local drives alphabetically
Enumerating local drives alphabetically
Source: SentinelLabs

Due to these code similarities, Sentinel One believes that Rook is based on the leaked source code for the Babuk Ransomware operation.

Is Rook a serious threat?

While it is too soon to tell how sophisticated Rook’s attacks are, the consequences of an infection are still severe, leading to encrypted and stolen data.

The Rook data leak site currently contains two victims, a bank and an Indian aviation and aerospace specialist.

Both were added this month, so we are at an early stage in the group’s activities.

If skilled affiliates join the new RaaS, Rook could become a significant threat in the future.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us