Rook is a ransomware variant that emerged as an updated version of the notorious Babuk malware family. This threat encrypts files on infected Windows machines, appends the ".Rook" extension to filenames, and leaves ransom notes demanding payment for decryption. Unlike opportunistic malware that simply steals data or serves ads, Rook is designed with one purpose: holding your files hostage until you pay, making it one of the more destructive threats facing home users and small businesses today.
If you suspect Rook is encrypting your files right now: Immediately disconnect your computer from the internet and power it down. Do NOT pay the ransom. Call us at (770) 674-6998 or bring your machine to our Roswell shop immediately. Acting within the first few hours can sometimes prevent full encryption and preserve recovery options.

Threat Profile

Characteristic Details
Malware Family Rook (Babuk variant)
Threat Type Ransomware (file encryption)
Platform Windows (PE executable)
File Type Windows PE32/PE32+ executable
File Extension Applied .Rook (appended to original filename)
Ransom Note Filename HowToRestoreYourFiles.txt
First Observed 2021 (Babuk lineage); Rook variant 2021-2022
Distribution Method RDP exploitation, phishing emails, exploit kits
Encryption Algorithm Hybrid encryption (typical for Babuk derivatives)
Data Exfiltration Typical for this family (double extortion)
Target Audience Small-to-medium businesses, individual users
Active Threat Status Documented campaigns through 2022-2023

How It Spreads

Rook typically enters systems through methods that exploit either technical vulnerabilities or human error. Because it's derived from Babuk—a ransomware family known for targeting businesses—the distribution tactics reflect a more deliberate, calculated approach than simple "spray and pray" malware campaigns. The most common entry point we see in our shop is compromised Remote Desktop Protocol (RDP) connections. Many small businesses and home users leave RDP enabled with weak passwords or default credentials, creating an open door for attackers who systematically scan IP ranges looking for vulnerable systems. Once inside via RDP, the attackers deploy Rook manually, often disabling security software first and mapping network drives to maximize damage. Phishing emails remain another reliable vector. These aren't the obvious Nigerian prince scams—modern ransomware operators craft convincing messages that appear to come from shipping companies, tax authorities, or business partners. The attached file might look like an invoice PDF or a shipping manifest, but it's actually an executable that downloads and runs the Rook payload. Other observed distribution methods include: - **Exploit kits** leveraging unpatched vulnerabilities in browsers, Java, or Adobe products - **Malicious downloads** disguised as software cracks, key generators, or "free" premium applications - **Drive-by downloads** from compromised legitimate websites - **Network propagation** after initial infection on one machine in a business environment - **Software supply chain attacks** through compromised updates or bundled installers

What It Does On Your Machine

Once executed, Rook moves quickly. The malware first performs reconnaissance, inventorying your drives and network shares to determine what files are available for encryption. It specifically targets document formats, images, databases, and backups—the files you actually care about—while avoiding system files necessary for Windows to boot (the attackers need you to be able to see the ransom note, after all). The encryption process is devastating and thorough. Rook renames every targeted file by appending ".Rook" to the existing filename, so "QuarterlyReport.xlsx" becomes "QuarterlyReport.xlsx.Rook" and "FamilyPhotos.jpg" becomes "FamilyPhotos.jpg.Rook." The files themselves are encrypted using strong cryptographic algorithms inherited from its Babuk ancestry, making decryption without the key effectively impossible with current technology. During encryption, you might notice your computer slowing down significantly as the malware consumes CPU resources processing thousands of files. After encryption completes, Rook deposits its ransom note—"HowToRestoreYourFiles.txt"—in every folder containing encrypted files and often on the desktop. This note contains instructions for contacting the attackers (usually through a Tor-based website or encrypted email), proof that they can decrypt your files (often with a small sample), and payment demands typically ranging from hundreds to thousands of dollars in Bitcoin or other cryptocurrency.
Typical Rook Activity (observed in sandbox environments): C:\Users\[Username]\Documents\Budget2023.xlsxBudget2023.xlsx.Rook C:\Users\[Username]\Pictures\Vacation.jpgVacation.jpg.Rook C:\Users\[Username]\Desktop\HowToRestoreYourFiles.txt # Ransom note dropped C:\ProgramData\[random].exe # Payload location varies Registry modifications: HKCU\Software\Microsoft\Windows\CurrentVersion\Run # Persistence mechanisms Process termination: vssadmin.exe delete shadows /all /quiet # Deletes Volume Shadow Copies
Many Rook variants also delete Windows Volume Shadow Copies—the restore points Windows creates automatically—using the Volume Shadow Copy Service administrative tool. This command (vssadmin delete shadows /all /quiet) runs silently in the background, eliminating one of the easiest recovery options users might otherwise have. Some versions also attempt to spread laterally across network shares, encrypting files on mapped drives and shared folders accessible from the infected machine.

Manual Removal — Step by Step

01

Disconnect Immediately

Unplug your network cable or disable Wi-Fi before proceeding. If Rook is still actively encrypting files, cutting network access can sometimes halt the process. For business environments, isolate the infected machine from the entire network to prevent spread to other computers and servers.

Rook — cybersecurity illustration
Photo by Miguel Á. Padriñán on Pexels
02

Boot Into Safe Mode With Networking

Restart your computer and repeatedly press F8 (or Shift+F8 on newer systems) during boot to access Advanced Boot Options. Select "Safe Mode with Networking." This loads Windows with minimal drivers and services, preventing most malware—including Rook—from launching automatically while still allowing you to download removal tools.

03

Run a Complete System Scan

Download and run Malwarebytes or ESET Online Scanner from a clean computer, transferring the installer via USB drive. Perform a full system scan, not a quick scan. The goal here is to remove the Rook executable and any associated malware that may have been bundled with it—ransomware often arrives with backdoors, keyloggers, or other secondary infections.

04

Check Startup Programs and Scheduled Tasks

Open Task Manager (Ctrl+Shift+Esc), navigate to the Startup tab, and disable any unfamiliar entries. Then open Task Scheduler (search for it in the Start menu) and review scheduled tasks for suspicious entries, particularly those pointing to locations like C:\ProgramData, C:\Users\Public, or temporary folders. Delete any tasks associated with random executable names or created on the date of infection.

05

Search for the Ransom Note and Executable

Use Windows Search to find all instances of "HowToRestoreYourFiles.txt"—this tells you which folders were affected. Note these locations. Then search for recently created .exe files in common malware hiding spots: %TEMP%, %APPDATA%, %LOCALAPPDATA%, and C:\ProgramData. Delete the ransom notes and any suspicious executables found, but understand this doesn't decrypt your files.

06

Check for Decryption Tools

Visit the No More Ransom project website (nomoreransom.org) and Emsisoft's decryption tools page. While a free decryptor for Rook specifically is unlikely (the encryption is strong), it's worth checking. For Babuk variants, occasional decryption keys have been released when law enforcement seized servers or attackers made mistakes. This is a long shot but costs nothing to verify.

07

Attempt Recovery From Backups

If you have external backups that weren't connected during the infection, now is the time to use them. Check cloud storage services (Dropbox, OneDrive, Google Drive) for version history—many retain previous versions of files for 30 days. For local backups, verify they aren't also encrypted before attempting restoration. Never restore from backup while the infection is still present.

08

Clean Registry Entries

Open Registry Editor (regedit.exe) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for suspicious entries added on or around the infection date, particularly those with random names or pointing to unusual file paths. Delete them carefully—editing the registry incorrectly can cause Windows stability issues.

09

Verify Complete Removal

Restart normally (not in Safe Mode) and run another full scan with a different security tool—use Windows Defender if you used Malwarebytes previously, or vice versa. Different engines catch different things. Monitor system behavior for 24-48 hours. Check Task Manager regularly for unusual processes and watch network activity for unexpected outbound connections.

10

Change All Passwords

Assume any credentials entered on the infected machine were compromised. Change passwords for email, banking, social media, and especially for any administrative or RDP accounts. Do this from a known-clean device. Enable two-factor authentication wherever available. If Rook was deployed via RDP compromise, immediately disable RDP or move it to a non-standard port behind a VPN.

Prevention

The most effective defense against Rook and similar ransomware is a layered approach that addresses both technical vulnerabilities and user behavior:
  1. Maintain offline backups using the 3-2-1 rule: Keep three copies of your data on two different media types, with one copy stored offsite or offline. External hard drives should be disconnected after backup completion. Cloud backups alone aren't sufficient—ransomware increasingly targets cloud-synchronized folders. Test restoration regularly to verify backup integrity.
  2. Keep Windows and all software updated: Enable automatic updates for Windows, browsers, Java, Adobe products, and all installed applications. Many ransomware campaigns exploit known vulnerabilities for which patches have been available for months or years. The WannaCry outbreak proved that outdated systems are sitting ducks.
  3. Secure or disable Remote Desktop Protocol: If you don't actively use RDP, disable it entirely through Windows Settings. If you need it, never expose it directly to the internet—use a VPN for remote access instead, implement account lockout policies after failed login attempts, require strong passwords (15+ characters), and enable Network Level Authentication.
  4. Deploy reputable endpoint protection: Install commercial antivirus/anti-malware software that includes behavioral detection and ransomware-specific protection features. Windows Defender has improved substantially but may not be sufficient for business environments. Configure real-time protection and schedule regular full scans.
  5. Implement email filtering and user training: Use email security solutions that scan attachments and links. Train everyone who uses your computers to recognize phishing attempts—be suspicious of unexpected attachments, verify sender addresses carefully, and never enable macros in Office documents from unknown sources.
  6. Restrict user permissions: Run daily activities under standard user accounts, not administrator accounts. Ransomware executed by a limited user account causes less damage than when run with administrative privileges. Create a separate admin account for installing software and making system changes.
  7. Enable controlled folder access in Windows: Windows 10 and 11 include a feature called Controlled Folder Access that prevents unauthorized applications from modifying files in protected folders. Enable this through Windows Security settings and add your important data folders to the protected list.
  8. Monitor network traffic and use firewalls: Configure Windows Firewall to block unnecessary inbound connections. For businesses, consider network monitoring solutions that detect unusual outbound traffic patterns—ransomware often communicates with command-and-control servers before encryption begins, providing a brief window for intervention.
Our 90-Day Warranty: When Computer Repair Roswell removes ransomware from your machine, we guarantee our work. If the same infection returns within 90 days through no fault of your own, we'll re-clean your system at no additional charge. We also provide detailed documentation of what we found and removed, plus personalized recommendations to prevent reinfection.

Bring It In

Dealing with Rook ransomware is stressful, and the technical steps outlined above can be overwhelming—especially when you're facing the loss of years of family photos, business records, or irreplaceable documents. While some users succeed with manual removal, ransomware recovery often requires specialized tools, experience with file system forensics, and knowledge of what recovery options exist for specific malware variants. At Computer Repair Roswell, we've handled hundreds of ransomware cases. We maintain relationships with data recovery specialists for severe cases, stay current on newly released decryption tools, and can often recover files from Volume Shadow Copies even when the malware attempted deletion. We'll never recommend paying the ransom (which often doesn't result in decryption anyway), but we will explore every legitimate recovery option available. Call us at **(770) 674-6998** or visit our shop at 1000 Mansell Road in Roswell. We're open Monday through Saturday, and we understand that when ransomware strikes, every hour counts. Bring your machine in today—we'll assess the situation honestly, explain your options clearly, and work to recover what we can while ensuring the infection doesn't spread or return.