SentinelOne Vs. Spook Ransomware – Kill and Quarantine
Watch how SentinelOne kills and quarantines Spook Ransomware. Spook ransomware emerged onto the scene in late September/early October 2021. The group, mirroring the manifestos of others, boasts “very strong (AES) encryption” along with the threat of leaking victim data to the public. Spook malware has the ability to encrypt target machines without requiring internet connectivity. Encryption of a full disk can occur within just a few minutes, at which point the ransom note is displayed on the desktop (RESTORE_FILES_INFO.HTA) along with numerous other system notifications.
The malware also makes a number of changes to ensure that the ransom notifications are displayed prominently after reboot (via a Start Menu .lnk shortcut and registry entries). In addition, Spook will also attempt to terminate processes and stop services belonging to anything that may inhibit the encryption process.
This is handled via taskkill.exe and sc.exe. Additional persistence modifications are made via reg.exe and schtasks.exe.
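The burst of taskkill.exe, sc.exe, reg.exe and schtasks.exe activity described above is a useful hunting signal in its own right. The following is an added detection example (not SentinelOne's code and not from the original write-up) that runs simple rules over constructed process-creation events and flags any parent process that exhibits several of those behaviours; the log format, process names and command lines are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (timestamp|parent image|image|command line).
# These lines are made up for illustration; they are not real telemetry.
SAMPLE_EVENTS = """\
10:00:01|explorer.exe|winword.exe|winword.exe report.docx
10:02:10|explorer.exe|update.exe|update.exe
10:02:11|update.exe|taskkill.exe|taskkill.exe /F /IM sqlservr.exe
10:02:11|update.exe|taskkill.exe|taskkill.exe /F /IM outlook.exe
10:02:12|update.exe|sc.exe|sc.exe stop VSS
10:02:12|update.exe|sc.exe|sc.exe config MSSQLSERVER start= disabled
10:02:13|update.exe|reg.exe|reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v note /t REG_SZ /d C:\\Users\\Public\\RESTORE_FILES_INFO.HTA /f
10:02:13|update.exe|schtasks.exe|schtasks.exe /Create /SC ONLOGON /TN note /TR C:\\Users\\Public\\RESTORE_FILES_INFO.HTA /F
10:05:00|cmd.exe|sc.exe|sc.exe query Spooler
"""

# Each rule maps one behaviour from the write-up to a regex over the command line.
RULES = {
    "process_kill": re.compile(r"^taskkill\.exe\s.*(/IM|/PID)", re.I),
    "service_stop": re.compile(r"^sc\.exe\s+(stop|config\s.*start=\s*disabled)", re.I),
    "reg_persist":  re.compile(r"^reg\.exe\s+add\s.*\\Run\b", re.I),
    "task_persist": re.compile(r"^schtasks\.exe\s+/Create\b", re.I),
    "ransom_note":  re.compile(r"RESTORE_FILES_INFO\.HTA", re.I),
}

def parse_events(text):
    """Split the constructed log lines into (timestamp, parent, image, cmdline) tuples."""
    return [tuple(line.split("|", 3)) for line in text.splitlines() if line.strip()]

def classify(cmdline):
    """Return the set of rule names whose pattern matches one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def spook_like_parents(events, min_categories=3):
    """Group rule hits by parent process and flag parents showing several distinct
    behaviours (kill + stop + persist), which is the burst pattern described above.
    A single taskkill or sc stop on its own is normal admin activity and is not flagged."""
    per_parent = defaultdict(set)
    for _ts, parent, _image, cmdline in events:
        per_parent[parent] |= classify(cmdline)
    return {p: sorted(c) for p, c in per_parent.items() if len(c) >= min_categories}

if __name__ == "__main__":
    for parent, cats in spook_like_parents(parse_events(SAMPLE_EVENTS)).items():
        print(f"suspicious parent {parent}: {', '.join(cats)}")
```

In a real deployment the same grouping would be keyed on parent process GUID and bounded by a short time window rather than on the image name alone.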
Spook maintains a blog for ‘non-compliant’ victims. The blog was made live in early October 2021. As of this writing, there are 17 victims posted to the Spook blog, from varying industries across the globe.