Rook

Malware updated 5 months ago (2024-05-04T19:20:31.083Z)
Download STIX
Preview STIX
Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransomware families originate from two distinct codebases: one for LockFile and AtomSilo, and another for Rook, Night Sky, and Pandora. Interestingly, the malware shares similarities across its various forms, hinting at a common origin or developer. Additionally, a third-party report attributed the activity of these ransomware variants to a Chinese threat group known as DEV-0401. The Rook ransomware became significantly notorious after it was developed based on the leaked Babuk code towards the end of 2021. This leak led to the creation of multiple ransomware threats including Night Sky, Pandora, Cheerscrypt, AstraLocker, EXSiArgs, Rorschach, RTM Locker, and RA Group. The leaked source code has been used extensively to create new ransomware variants targeting ESXi servers, like RTM Locker and Rorschach. Sentinel Labs disclosed that following the leakage of Babuk ransomware source code, at least nine ransomware groups had employed it to extend their attack surface to Linux VMware ESXi platforms. The victims of these ransomware attacks have varied widely, with one notable case being a bank in Kazakhstan. As of mid-April, a total of 21 victims had been listed across the AtomSilo, Rook, Night Sky, and Pandora leak sites. While no direct connections have been established between the cyberattacks and nation-state groups, industry reports have uncovered state-sponsored threat actors masquerading as ransomware groups, using at least five ransomware variants — LockFile, AtomSilo, Rook, Night Sky, and Pandora — to conduct cyber espionage.
Description last updated: 2024-05-04T19:15:18.390Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
RTM Locker is a possible alias for Rook. RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Esxi
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Babuk Malware is associated with Rook. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatioUnspecified
4