Full Report
Community Feature - @cPeterr

Curated Intelligence member Chuong Dong has recently shared his findings in a blog after reverse engineering an emerging ransomware family dubbed Rook. The ransomware was first publicly reported on 26 November 2021 by researcher Zack Allen. The first victim was unusual, as it was a financial institution located in the CIS country of Kazakhstan. SentinelOne disclosed that Rook ransomware is primarily delivered via a third-party framework, for example Cobalt Strike; however, delivery via phishing email has also been reported in the wild.

https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/

After reverse engineering Rook ransomware, Chuong found that it uses the Mbed TLS library and a hybrid cryptography scheme: files are encrypted with AES, and the AES keys are protected with an RSA-2048 public key. Chuong also found that Rook's multithreaded file encryption approach is a reimplementation of, and an upgrade on, that of BABUK version 3.

On 11 January 2022, the Microsoft Threat Intelligence Center (MSTIC) confirmed that a Chinese ransomware operator, tracked as DEV-0401, is responsible for deploying Rook ransomware, as well as LockFile, AtomSilo, and NightSky ransomware.

See the last Curated Intel Community Feature on @cPeterr's research here.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!
Analysis Summary
# Tool/Technique: Rook Ransomware
## Overview
Rook is an emerging ransomware family first publicly reported in November 2021. Its first known victim was a financial institution in Kazakhstan. It is reported to be delivered primarily via third-party frameworks such as Cobalt Strike, with phishing email also reported as a delivery vector.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (not stated explicitly in the source; inferred from the described endpoint file-encryption behaviour, which matches typical ransomware operations)
- Capabilities: File encryption using a hybrid scheme (AES and RSA-2048), multithreaded file processing.
- First Seen: November 2021 (Publicly reported)
## MITRE ATT&CK Mapping
*(Note: Specific TTPs are inferred based on ransomware behavior and delivery mechanisms mentioned, as the source article focuses on technical analysis rather than a comprehensive TTP mapping.)*
- [T1078 - Valid Accounts] / [T1566 - Phishing]
- [T1566.001 - Spearphishing Attachment] (If delivered via email)
- [T1568 - Acquisition of Infrastructure] / [T1090 - Ingress Tool Transfer]
- [T1090.003 - Cloud Services] (If using frameworks like Cobalt Strike for delivery/staging)
- [T1486 - Data Encrypted for Impact]
## Functionality
### Core Capabilities
- Uses the **Mbed TLS library**.
- Employs a **hybrid cryptography scheme** for file encryption: Files are encrypted using **AES**, and the AES keys are protected using an **RSA-2048 public key**.
- Implements **multithreaded file encryption**, described as a reimplementation and upgrade of the locking mechanism found in **BABUK version 3**.
### Advanced Features
- The enhanced multithreading suggests an attempt to improve the speed and efficiency of the encryption process compared to previous iterations of related ransomware strains.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: [Not provided in the text]
- Network Indicators: [Not explicitly detailed in the text, but delivery often involves Cobalt Strike infrastructure]
- Behavioral Indicators: Multithreaded file operations across the system; presence of generated ransom notes.
## Associated Threat Actors
- **DEV-0401** (Chinese ransomware operator, confirmed by MSTIC).
- DEV-0401 is also responsible for deploying LockFile, AtomSilo, and NightSky ransomware.
## Detection Methods
- Static detection can key on the cryptographic implementation (Mbed TLS code and structures, RSA-2048 public-key protection of the AES file keys).
- Monitoring for execution of related command-and-control frameworks used for initial access, such as Cobalt Strike payloads.
- Behavioral signatures looking for rapid, multithreaded file renaming or modification indicative of ransomware encryption.
- YARA rules or signatures targeting known strings or structural elements related to Rook/BABUK derivative ransomware.
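The behavioural signature described above (rapid file modification and renaming from several threads of one process, across several directories) can be expressed as a simple sliding-window rule over file-activity telemetry. The following Python is an added example for this page, not code from the Rook analysis or from Curated Intelligence; the log format (`timestamp,pid,tid,op,path`), the thresholds, the process IDs and the `.enc` rename extension are all constructed for illustration and are not Rook artefacts.

```python
"""Behavioural ransomware detector over constructed file-event telemetry.

Flags a process that, inside a short time window, writes or renames many
distinct files in several directories from more than one thread. This is
the multithreaded encryption pattern the page attributes to Rook/BABUK.
Log format, thresholds and sample events are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float   # seconds (constructed clock)
    pid: int    # process id
    tid: int    # thread id
    op: str     # "write" or "rename"
    path: str   # full path, Windows-style


def parse_line(line: str) -> FileEvent:
    """Parse one constructed line: ts,pid,tid,op,path (path may contain commas)."""
    ts, pid, tid, op, path = line.strip().split(",", 4)
    return FileEvent(float(ts), int(pid), int(tid), op, path)


def detect(lines, window=5.0, min_files=20, min_threads=2, min_dirs=3):
    """Return one alert tuple (pid, window_start_ts, files, threads, dirs)
    per process whose write/rename activity inside any `window`-second span
    touches at least `min_files` distinct files in at least `min_dirs`
    directories from at least `min_threads` threads. Thresholds are
    illustrative; tune them against baseline telemetry before deployment."""
    per_pid = defaultdict(deque)   # recent events per process, oldest first
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev.op not in ("write", "rename"):
            continue                 # reads and opens are not scored
        q = per_pid[ev.pid]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:
            q.popleft()              # drop events outside the window
        files = {e.path for e in q}
        threads = {e.tid for e in q}
        dirs = {e.path.rsplit("\\", 1)[0] for e in q}
        if (ev.pid not in alerted and len(files) >= min_files
                and len(threads) >= min_threads and len(dirs) >= min_dirs):
            alerted.add(ev.pid)      # alert once per process
            alerts.append((ev.pid, q[0].ts, len(files), len(threads), len(dirs)))
    return alerts


def constructed_log():
    """Constructed telemetry: one benign editor process and one process that
    behaves like a multithreaded file encryptor. Not real Rook data."""
    lines = []
    # Benign: a single-threaded editor saving the same document every 10 s.
    for i in range(5):
        lines.append(f"{100 + i * 10},1001,1,write,C:\\Users\\a\\Documents\\notes.txt")
    # Suspicious: four worker threads rewriting and renaming files in four
    # folders within about one second. The .enc suffix is a constructed placeholder.
    dirs = ["C:\\Users\\a\\Documents", "C:\\Users\\a\\Pictures",
            "D:\\Shares\\Finance", "D:\\Shares\\HR"]
    for i in range(24):
        d, tid = dirs[i % 4], 10 + i % 4
        lines.append(f"{200 + i * 0.05},2002,{tid},write,{d}\\file{i}.docx")
        lines.append(f"{200.01 + i * 0.05},2002,{tid},rename,{d}\\file{i}.docx.enc")
    return lines


if __name__ == "__main__":
    for pid, start, files, threads, ndirs in detect(constructed_log()):
        print(f"ALERT pid={pid} from t={start}: {files} files, "
              f"{threads} threads, {ndirs} directories")
```

The rule deliberately requires all three signals together; a backup agent or a compiler touches many files quickly, but usually from one thread or within one tree, so the thread and directory conditions keep the false-positive rate down. In production the same logic would sit on top of Sysmon, EDR or auditd file events rather than a CSV.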
## Mitigation Strategies
- Implement robust endpoint protection capable of detecting ransomware execution patterns (e.g., rapid file writes/encryption attempts).
- Network segmentation to limit lateral movement if delivery occurs via C2 frameworks like Cobalt Strike.
- Ensure backups are segmented and tested regularly.
- Harden endpoint configurations against known initial access vectors (e.g., phishing awareness training).
## Related Tools/Techniques
- **BABUK Ransomware** (Rook's multithreading appears to be an evolution of BABUK v3).
- **LockFile Ransomware**
- **AtomSilo Ransomware**
- **NightSky Ransomware**
- **Cobalt Strike** (Common delivery framework).