Rook

Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransomware families originate from two distinct codebases: one for LockFile and AtomSilo, and another for Rook, Night Sky, and Pandora. Interestingly, the malware shares similarities across its various forms, hinting at a common origin or developer. Additionally, a third-party report attributed the activity of these ransomware variants to a Chinese threat group known as DEV-0401. The Rook ransomware became significantly notorious after it was developed based on the leaked Babuk code towards the end of 2021. This leak led to the creation of multiple ransomware threats including Night Sky, Pandora, Cheerscrypt, AstraLocker, EXSiArgs, Rorschach, RTM Locker, and RA Group. The leaked source code has been used extensively to create new ransomware variants targeting ESXi servers, like RTM Locker and Rorschach. Sentinel Labs disclosed that following the leakage of Babuk ransomware source code, at least nine ransomware groups had employed it to extend their attack surface to Linux VMware ESXi platforms. The victims of these ransomware attacks have varied widely, with one notable case being a bank in Kazakhstan. As of mid-April, a total of 21 victims had been listed across the AtomSilo, Rook, Night Sky, and Pandora leak sites. While no direct connections have been established between the cyberattacks and nation-state groups, industry reports have uncovered state-sponsored threat actors masquerading as ransomware groups, using at least five ransomware variants — LockFile, AtomSilo, Rook, Night Sky, and Pandora — to conduct cyber espionage.