Rook

Malware Profile Updated 3 months ago
Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used to load Cobalt Strike Beacon. A CTU analysis revealed that these five ransomware families originate from two distinct codebases: one for LockFile and AtomSilo, and another for Rook, Night Sky, and Pandora. Interestingly, the malware shares similarities across its various forms, hinting at a common origin or developer. Additionally, a third-party report attributed the activity of these ransomware variants to a Chinese threat group known as DEV-0401.

The Rook ransomware became significantly notorious after it was developed from the leaked Babuk code towards the end of 2021. This leak led to the creation of multiple ransomware threats including Night Sky, Pandora, Cheerscrypt, AstraLocker, ESXiArgs, Rorschach, RTM Locker, and RA Group. The leaked source code has been used extensively to create new ransomware variants targeting ESXi servers, such as RTM Locker and Rorschach. Sentinel Labs disclosed that, following the leak of the Babuk ransomware source code, at least nine ransomware groups had employed it to extend their attacks to Linux VMware ESXi platforms.

The victims of these ransomware attacks have varied widely, with one notable case being a bank in Kazakhstan. As of mid-April, a total of 21 victims had been listed across the AtomSilo, Rook, Night Sky, and Pandora leak sites. While no direct connections have been established between the cyberattacks and nation-state groups, industry reports have uncovered state-sponsored threat actors masquerading as ransomware groups, using at least five ransomware variants — LockFile, AtomSilo, Rook, Night Sky, and Pandora — to conduct cyber espionage.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description

RTM Locker | 2 | RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou

Rorschach | 1 | Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe

Lockfile | 1 | LockFile is a type of malicious software, or malware, that has been linked to ransomware activity. This harmful program can infiltrate your system via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold your data for ransom. Analysis of the PlugX

Atomsilo | 1 | AtomSilo is a type of malware that has been linked to several other ransomware families including LockFile, Rook, Night Sky, and Pandora. This connection was revealed through the analysis of Cobalt Strike Beacon samples loaded by HUI Loader. CTU analysis suggests that these five ransomware families

Night Sky | 1 | Night Sky is a potent form of malware that has been linked to several significant ransomware activities, including LockFile, AtomSilo, Rook, and Pandora. Analysis of the Cobalt Strike Beacon samples loaded by HUI Loader has revealed a connection between AtomSilo, Night Sky, and Pandora ransomware, s

Pandora Ransomware | 1 | Pandora ransomware is a type of malware that has been connected to several other malicious software strains, including AtomSilo, Night Sky, and Rook. Researchers from CTU identified code overlap between the updated HUI Loader samples and Pandora ransomware, suggesting a common origin or shared devel
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Esxi
State Sponso...
Espionage
Apt
Cybercrime
Loader
Exploits
Linux
Esxiargs
Associated Malware
ID | Type | Votes | Profile Description

Babuk | Unspecified | 4 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso

Black Basta | Unspecified | 1 | Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs

Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an

Bablock | Unspecified | 1 | BabLock, also known as Rorschach, is a type of malware that operates as ransomware. First identified by Check Point Research in April 2023, this harmful software infiltrates computer systems and devices, often without the user's knowledge, with the aim to exploit, damage, and potentially hold data h

Rorschach Ransomware | Unspecified | 1 | The Rorschach ransomware, also known as BabLock, is a new and unique strain of malware that was first identified by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) in April 2023. The ransomware, which was named after the famous psychological test due to its varied appea

Lockbit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Associated Threat Actors
ID | Type | Votes | Profile Description

Defray | Unspecified | 1 | Defray is a malicious threat actor group, also known as Hive0091, that operates various ransomware strains such as Defray, Ryuk, and BitPaymer. They are also responsible for the RansomExx operation, PyXie malware, and Vatet loader. The cybersecurity industry identifies this group as a significant pl

Bronze Starlight | Unspecified | 1 | Bronze Starlight, a Chinese threat actor group, has been linked to various malicious activities in the cybersecurity landscape. The group is known for deploying different types of ransomware payloads, including traditional ransomware schemes such as LockFile and name-and-shame models. Bronze Starlig

Alphv | Unspecified | 1 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Associated Vulnerabilities
ID | Type | Votes | Profile Description

CVE-2021-44228 | Unspecified | 1 | CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b
Source Document References
Information about the Rook malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title

CERT-EU | 6 months ago | The 14 Best Endpoint Security for Servers Platforms in 2023
CERT-EU | 10 months ago | Southern District of Florida | Boca Raton sex offender sentenced to 15 years in prison for receiving child pornography | #childpredator | #kidsaftey | #childsaftey | National Cyber Security Consulting
Malwarebytes | a year ago | Leaked Babuk ransomware builder code lives on as RA Group
CERT-EU | a year ago | New ransomware gang RA Group quickly expanding operations
CERT-EU | a year ago | Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware
CERT-EU | a year ago | New RA Hacker Group Attack Organizations in the U.S. & Threaten to Leak Data
Recorded Future | a year ago | Semiconductor Companies Targeted by Ransomware | Recorded Future
Secureworks | a year ago | BRONZE STARLIGHT Ransomware Operations Use HUI Loader
CERT-EU | a year ago | New 'MichaelKors' Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems
CERT-EU | a year ago | 4 Endpoint Security Vendors to Watch in 2022
BankInfoSecurity | a year ago | RA Group Using Babuk Ransomware Source Code in Fresh Attacks