Threat Profile
| Characteristic | Details |
|---|---|
| Malware Family | Rook (Babuk variant) |
| Threat Type | Ransomware (file encryption) |
| Platform | Windows (PE executable) |
| File Type | Windows PE32/PE32+ executable |
| File Extension Applied | .Rook (appended to original filename) |
| Ransom Note Filename | HowToRestoreYourFiles.txt |
| First Observed | 2021 (Babuk lineage); Rook variant 2021-2022 |
| Distribution Method | RDP exploitation, phishing emails, exploit kits |
| Encryption Algorithm | Hybrid encryption (typical for Babuk derivatives) |
| Data Exfiltration | Typical for this family (double extortion) |
| Target Audience | Small-to-medium businesses, individual users |
| Active Threat Status | Documented campaigns through 2022-2023 |
How It Spreads
Rook typically enters systems through methods that exploit either technical vulnerabilities or human error. Because it's derived from Babuk—a ransomware family known for targeting businesses—the distribution tactics reflect a more deliberate, calculated approach than simple "spray and pray" malware campaigns. The most common entry point we see in our shop is compromised Remote Desktop Protocol (RDP) connections. Many small businesses and home users leave RDP enabled with weak passwords or default credentials, creating an open door for attackers who systematically scan IP ranges looking for vulnerable systems. Once inside via RDP, the attackers deploy Rook manually, often disabling security software first and mapping network drives to maximize damage. Phishing emails remain another reliable vector. These aren't the obvious Nigerian prince scams—modern ransomware operators craft convincing messages that appear to come from shipping companies, tax authorities, or business partners. The attached file might look like an invoice PDF or a shipping manifest, but it's actually an executable that downloads and runs the Rook payload. Other observed distribution methods include: - **Exploit kits** leveraging unpatched vulnerabilities in browsers, Java, or Adobe products - **Malicious downloads** disguised as software cracks, key generators, or "free" premium applications - **Drive-by downloads** from compromised legitimate websites - **Network propagation** after initial infection on one machine in a business environment - **Software supply chain attacks** through compromised updates or bundled installersWhat It Does On Your Machine
Once executed, Rook moves quickly. The malware first performs reconnaissance, inventorying your drives and network shares to determine what files are available for encryption. It specifically targets document formats, images, databases, and backups—the files you actually care about—while avoiding system files necessary for Windows to boot (the attackers need you to be able to see the ransom note, after all). The encryption process is devastating and thorough. Rook renames every targeted file by appending ".Rook" to the existing filename, so "QuarterlyReport.xlsx" becomes "QuarterlyReport.xlsx.Rook" and "FamilyPhotos.jpg" becomes "FamilyPhotos.jpg.Rook." The files themselves are encrypted using strong cryptographic algorithms inherited from its Babuk ancestry, making decryption without the key effectively impossible with current technology. During encryption, you might notice your computer slowing down significantly as the malware consumes CPU resources processing thousands of files. After encryption completes, Rook deposits its ransom note—"HowToRestoreYourFiles.txt"—in every folder containing encrypted files and often on the desktop. This note contains instructions for contacting the attackers (usually through a Tor-based website or encrypted email), proof that they can decrypt your files (often with a small sample), and payment demands typically ranging from hundreds to thousands of dollars in Bitcoin or other cryptocurrency.Manual Removal — Step by Step
Disconnect Immediately
Unplug your network cable or disable Wi-Fi before proceeding. If Rook is still actively encrypting files, cutting network access can sometimes halt the process. For business environments, isolate the infected machine from the entire network to prevent spread to other computers and servers.
Boot Into Safe Mode With Networking
Restart your computer and repeatedly press F8 (or Shift+F8 on newer systems) during boot to access Advanced Boot Options. Select "Safe Mode with Networking." This loads Windows with minimal drivers and services, preventing most malware—including Rook—from launching automatically while still allowing you to download removal tools.
Run a Complete System Scan
Download and run Malwarebytes or ESET Online Scanner from a clean computer, transferring the installer via USB drive. Perform a full system scan, not a quick scan. The goal here is to remove the Rook executable and any associated malware that may have been bundled with it—ransomware often arrives with backdoors, keyloggers, or other secondary infections.
Check Startup Programs and Scheduled Tasks
Open Task Manager (Ctrl+Shift+Esc), navigate to the Startup tab, and disable any unfamiliar entries. Then open Task Scheduler (search for it in the Start menu) and review scheduled tasks for suspicious entries, particularly those pointing to locations like C:\ProgramData, C:\Users\Public, or temporary folders. Delete any tasks associated with random executable names or created on the date of infection.
Search for the Ransom Note and Executable
Use Windows Search to find all instances of "HowToRestoreYourFiles.txt"—this tells you which folders were affected. Note these locations. Then search for recently created .exe files in common malware hiding spots: %TEMP%, %APPDATA%, %LOCALAPPDATA%, and C:\ProgramData. Delete the ransom notes and any suspicious executables found, but understand this doesn't decrypt your files.
Check for Decryption Tools
Visit the No More Ransom project website (nomoreransom.org) and Emsisoft's decryption tools page. While a free decryptor for Rook specifically is unlikely (the encryption is strong), it's worth checking. For Babuk variants, occasional decryption keys have been released when law enforcement seized servers or attackers made mistakes. This is a long shot but costs nothing to verify.
Attempt Recovery From Backups
If you have external backups that weren't connected during the infection, now is the time to use them. Check cloud storage services (Dropbox, OneDrive, Google Drive) for version history—many retain previous versions of files for 30 days. For local backups, verify they aren't also encrypted before attempting restoration. Never restore from backup while the infection is still present.
Clean Registry Entries
Open Registry Editor (regedit.exe) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for suspicious entries added on or around the infection date, particularly those with random names or pointing to unusual file paths. Delete them carefully—editing the registry incorrectly can cause Windows stability issues.
Verify Complete Removal
Restart normally (not in Safe Mode) and run another full scan with a different security tool—use Windows Defender if you used Malwarebytes previously, or vice versa. Different engines catch different things. Monitor system behavior for 24-48 hours. Check Task Manager regularly for unusual processes and watch network activity for unexpected outbound connections.
Change All Passwords
Assume any credentials entered on the infected machine were compromised. Change passwords for email, banking, social media, and especially for any administrative or RDP accounts. Do this from a known-clean device. Enable two-factor authentication wherever available. If Rook was deployed via RDP compromise, immediately disable RDP or move it to a non-standard port behind a VPN.
Prevention
The most effective defense against Rook and similar ransomware is a layered approach that addresses both technical vulnerabilities and user behavior:- Maintain offline backups using the 3-2-1 rule: Keep three copies of your data on two different media types, with one copy stored offsite or offline. External hard drives should be disconnected after backup completion. Cloud backups alone aren't sufficient—ransomware increasingly targets cloud-synchronized folders. Test restoration regularly to verify backup integrity.
- Keep Windows and all software updated: Enable automatic updates for Windows, browsers, Java, Adobe products, and all installed applications. Many ransomware campaigns exploit known vulnerabilities for which patches have been available for months or years. The WannaCry outbreak proved that outdated systems are sitting ducks.
- Secure or disable Remote Desktop Protocol: If you don't actively use RDP, disable it entirely through Windows Settings. If you need it, never expose it directly to the internet—use a VPN for remote access instead, implement account lockout policies after failed login attempts, require strong passwords (15+ characters), and enable Network Level Authentication.
- Deploy reputable endpoint protection: Install commercial antivirus/anti-malware software that includes behavioral detection and ransomware-specific protection features. Windows Defender has improved substantially but may not be sufficient for business environments. Configure real-time protection and schedule regular full scans.
- Implement email filtering and user training: Use email security solutions that scan attachments and links. Train everyone who uses your computers to recognize phishing attempts—be suspicious of unexpected attachments, verify sender addresses carefully, and never enable macros in Office documents from unknown sources.
- Restrict user permissions: Run daily activities under standard user accounts, not administrator accounts. Ransomware executed by a limited user account causes less damage than when run with administrative privileges. Create a separate admin account for installing software and making system changes.
- Enable controlled folder access in Windows: Windows 10 and 11 include a feature called Controlled Folder Access that prevents unauthorized applications from modifying files in protected folders. Enable this through Windows Security settings and add your important data folders to the protected list.
- Monitor network traffic and use firewalls: Configure Windows Firewall to block unnecessary inbound connections. For businesses, consider network monitoring solutions that detect unusual outbound traffic patterns—ransomware often communicates with command-and-control servers before encryption begins, providing a brief window for intervention.