Ransomware - Rook

Rook
Decryptor Available
No
Description

Rook is the third iteration of various ransomware used by the Chinese-affiliated cyber group - BRONZE STARLIGHT. The group also goes by DEV-0401, Cinnamon Tempest, Emperor Dragonfly, and SLIME34. The first two iterations were LockFile and AtomSilo. Both of these borrowed or stole aspects of their ransomware from LockBit 2.0, BlackMatter, and Cerber. However, decryptors were released for both of those (they were very similar), and as such, the threat actors pivoted to yet another ransomware. That is where Rook comes in. Contrastingly, because decryptors were released for those two, BRONZE STARLIGHT utilized the Babuk encryptor, which leaked a few months prior, for Rook. Therefore, Rook behaves just like Babuk.

Just like Babuk, Rook uses the AES algorithm to encrypt the file contents and protects the AES key with a public RSA key. Thus, only the user with the private RSA key - the threat actors - could decrypt the key and file contents. We call this approach hybrid encryption because it uses two different encryption types to perform file encryption - symmetric and asymmetric. Symmetric algorithms are almost always used to encrypt file contents because it is much faster to encrypt files as opposed to asymmetric ones. After the contents are encrypted, the file names are altered to have the ".Rook" file extension appended to the end. Therefore, if you have a file name 'file.exe,' after encryption, the file would be 'file.exe.Rook."

As for the ransom note, it uses one basic file name - HowToRestoreYourFiles.txt. The ransom note is also rather basic, telling victims to contact two different emails, which are listed below. They listed seven known victims on their dark web data leak site before they pivoted to yet another ransomware - Night Sky. The seven victims are all different in terms of countries and industries, but we do know that researchers have claimed that BRONZE STARLIGHT is believed to use ransomware as a smokescreen for intellectual property theft. However, you can be certain that they are after financial gain, too. You can view the list of samples and references below for more information.

Ransomware Type
Crypto-Ransomware
Data Broker
Country of Origin
China
First Seen
Last Seen
Lineage
Threat Actors
Type
Actor
APT
BRONZE STARLIGHT
Extortion Types
Direct Extortion
Double Extortion
Extortion Price Increases
Free Data Leaks
Communication
Medium
Identifier
Encryption
Type
Hybrid
Files
AES-128-ECB
Key
RSA-2048
File Extension
<file name>.<file extension>.Rook
<file name>.<file extension>.Tower
Ransom Note Name
HowToRestoreYourFiles.txt
Ransom Note Image
0ba324337b1d76a5afc26956d4dc9f57786483230112eaead5b5c92022c089c7
15a67f118c982ff7d094d7290b4c34b37d877fe3f3299840021e53840b315804
925e2f58599cfb91a03f516986676a206fc9af42000de106de6af32e9ba558bb
96f7df1c984c1753289600f7f373f3a98a4f09f82acc1be8ecfd5790763a355b
c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac
e8a3208f506f06dc3b3dfb9a30f2f7553672ef67a0f5d4e23f254e44d1fb7ed9
f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789
Industry Sector Country Extortion Date Amount (USD)
Real Estate & HousingUnited States
Aerospace & AviationIndia
Construction & ArchitectureDenmark
AutomotiveJapan
Information TechnologyGermany
Banking & FinanceKazakhstan
Healthcare & MedicineTürkiye