
Rook Uses Babuk's Leaked Code in Kazakh Bank Attacks

Researchers Say Rook Won't Be the Last Ransomware Group to Feed Off Babuk's Code
Snapshot from Rook ransomware group's website (Source: tweet by Zack Allen)

Jim Walter and Niranjan Jayanand, researchers at SentinelLabs - the threat intelligence arm of California-based cybersecurity firm SentinelOne - have found that a new ransomware group named Rook used the Russia-linked Babuk advanced persistent threat group's leaked source code to target Kazakhstan-based financial institutions.


According to a SentinelLabs blog post, the operators of Rook ransomware claim to have stolen 1.1 terabytes of data from three financial companies, including Zhilstroysberbank, a Kazakhstan bank that provides home loans at affordable rates, according to the company's website.

The blog post says that Rook, on its Tor-based website, says: "10 GB (stolen) data will be released now, 200 GB will be released in a week, and all data will be released in two weeks." The group claims to have a large vulnerability database and boasts of its ability to always penetrate the target system. It also says: "We desperately need a lot of money," according to the post.

Rook ransomware group - victim information (Source: SentinelLabs blog)

The bank has not released a statement about the allegedly stolen data and has yet to respond to Information Security Media Group's request for confirmation.

Security researchers and independent threat hunters who spoke with ISMG say they are concerned that the Babuk ransomware code is up for grabs on code repositories such as GitHub. Rook, they say, will not be the last ransomware group to feed off Babuk's code and carry out successful attacks such as the recent ones on Kazakh banks.

Rook Ransomware: Babuk's Latest Spawn

The Rook ransomware variant was first discovered by threat researcher Zack Allen. Upon discovery, Allen said in a tweet that many of the YARA rules the sample matched were rules written for the Babuk APT group.

Threat researcher Stephan Simon, who goes by the name FirehaK on GitHub, analyzed Babuk's code and confirmed that Rook is "definitely using the Babuk source." VirusTotal's analysis also classifies the code as generic Babuk ransomware code.

The SentinelLabs researchers found that Rook's code attempts to terminate any process that might interfere with encryption. Rook also runs vssadmin.exe, a built-in Windows utility that can delete volume shadow copies. Deleting these shadow copies ensures that the target is unable to recover the data from those snapshot backups.
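As an added defender-side example (not code from the SentinelLabs post or from the Rook sample), the following Python scans constructed process-creation log lines for the vssadmin shadow copy deletion described above, while ignoring benign enumeration such as `vssadmin list shadows`; it also flags the equivalent `wmic shadowcopy delete` command, which goes beyond what the article mentions. The pipe-delimited log format and every sample line are assumptions made for the example.

```python
"""Detect volume shadow copy deletion in process-creation telemetry."""
import re
from typing import Dict, Iterable, List

# Constructed sample telemetry in an assumed "time|parent|image|command_line"
# format; these are not real events from the Rook or Babuk samples.
SAMPLE_LOG = """\
2021-12-01T10:00:01|explorer.exe|notepad.exe|notepad.exe C:\\Users\\a\\notes.txt
2021-12-01T10:00:05|cmd.exe|vssadmin.exe|vssadmin.exe list shadows
2021-12-01T10:00:07|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2021-12-01T10:00:08|svchost.exe|vssadmin.exe|"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /For=C: /Quiet
2021-12-01T10:00:09|cmd.exe|wmic.exe|wmic shadowcopy delete
"""

# Match only the destructive verb, so "vssadmin list shadows" (routine
# administration) does not alert. Case-insensitive because Windows is.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Same outcome via WMI; an equivalent command not discussed in the article.
WMIC_DELETE = re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one assumed-format log line into its four fields."""
    time, parent, image, command_line = line.split("|", 3)
    return {"time": time, "parent": parent, "image": image, "command_line": command_line}


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True when the command line deletes volume shadow copies."""
    return bool(VSSADMIN_DELETE.search(command_line) or WMIC_DELETE.search(command_line))


def find_shadow_copy_deletions(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events whose command line deletes shadow copies."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = parse_line(raw)
        if is_shadow_copy_deletion(event["command_line"]):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit['time']} parent={hit['parent']} cmd={hit['command_line']}")
```

In practice the same patterns would be applied to Sysmon event ID 1 or Windows Security event 4688 command lines, with the parent process kept as context for triage.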

Once Rook's malware runs through its execution, it terminates and deletes itself from the target system.

Babuk Source Code Leak Is Concerning

SentinelLabs' researchers say that with the ready availability of leaked Babuk source code, it’s "inevitable that the proliferation of new ransomware groups we’re seeing now is only going to continue."

Threat researchers from Indian cybersecurity firm CloudSEK tell ISMG that Babuk's source code leak enables Tier 2 ransomware groups to use the code available for free on GitHub on its own or as a building block to carry out targeted attacks on not just Windows systems, but on VMware machines that run on Windows and Linux servers as well.

"The Babuk threat actors were offering only initial access earlier, but they later made 1,000 live VMware instances available along with the source code with which the ransomware can be deployed. If a threat actor wants to conduct an attack at present, they are fully capable of doing so," says Darshit Ashara, associate vice president of research at CloudSEK.

Koushik Sivaraman, vice president of cyber threat intelligence at CloudSEK, tells ISMG that although large organizations have some form of detection and prevention mechanism for known ransomware, a lot of Tier 2 companies may not have those capabilities or apply patches quickly enough.

Babuk's source code, although highly capable, is not free from errors. Fabian Wosar, chief technology officer of ransomware decryption firm Emsisoft, says in a blog post that fundamental design flaws in Babuk's ransomware code - particularly in the encryption and decryption parts - could lead to permanent data loss.

How Babuk Ransomware Evades Detection

Sivaraman says that the source code's crypto-locking ability is not necessarily worrisome, but its resistance to decryption, its persistence, and its ability to evade endpoint solutions and subsequent analysis are a cause for concern.

According to Emsisoft's Wosar, Babuk reportedly uses elliptic curve cryptography for encryption, which makes the encryption hard to break.

A fairly unusual feature of Babuk's ransomware code is that the moment it detects a virtual environment, it terminates itself. This, Wosar says, makes it difficult for security teams to work around the evasion measures when analyzing the malware.

Rook's VSS deletion is similar to Babuk. (Source: SentinelLabs blog)

Ransomware source code leaks are not new. Sivaraman says the trend is at least a decade old.

In August 2021, a "disgruntled" Conti ransomware APT group member reportedly leaked manuals and technical guides used by the threat group to train affiliate members.

According to Sivaraman, ransomware groups dump source codes or make their attack mechanisms public when they detect signs of federal investigators closing in.

This results in Tier 2 ransomware operators using the original source code to propagate independent targeted attacks. Now, instead of the federal government being able to pinpoint the origin of a targeted attack and link it back to a single threat actor, they have to sift through the "noise" created by multiple groups using similar attack mechanisms and pathways, he says.

The noise, Sivaraman says, allows the original threat actors to slip away, avoiding heavy penalties and jail time.

CloudSEK's Ashara says that security organizations must patch the well-known vulnerabilities exploited by Babuk threat actors and understand the ways in which the threat actors can pivot their way into organizations.

Companies must remember that Babuk ransomware code has no known decryptors that can be freely sourced, he says.

The SentinelLabs researchers advise organizations to use well-documented data recovery and business continuity plans, since leaked source code and recent vulnerabilities such as Log4j2 can allow initial access "without great technical skill."

About the Author

Soumik Ghosh


Former Assistant Editor, Asia

Prior to his stint at ISMG, Ghosh worked with IDG and wrote for CIO, CSO Online and Computerworld, in addition to anchoring CSO Alert, a security news bulletin. He was also a language and process trainer at [24] Ghosh has a degree in broadcast journalism from the Indian Institute of Journalism & New Media.
