Reversing Rook Ransomware


Community Feature - @cPeterr

Curated Intelligence member Chuong Dong has recently shared his findings in a blog after reverse engineering an emerging ransomware family dubbed Rook. The ransomware was first publicly reported on 26 November 2021 by researcher Zack Allen. The first victim was unusual, as it was a financial institution, located in the CIS country of Kazakhstan. SentinelOne disclosed that Rook ransomware is primarily delivered via a third-party framework, for example Cobalt Strike; however, delivery via phishing email has also been reported in the wild.

After reverse engineering Rook ransomware, Chuong found that it uses the Mbed TLS library and a hybrid cryptography scheme: files are encrypted with AES, and the AES keys are protected with an RSA-2048 public key. Chuong also found that Rook’s multithreaded file encryption approach is a reimplementation of, and an upgrade from, that of BABUK version 3.

On 11 January 2022, the Microsoft Threat Intelligence Center (MSTIC) confirmed that a Chinese ransomware operator, tracked as DEV-0401, is responsible for deploying Rook ransomware, as well as LockFile, AtomSilo, and NightSky ransomware.

See the last Curated Intel Community Feature on @cPeterr's research here.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!