Rook is the third iteration of various ransomware used by the Chinese-affiliated cyber group - BRONZE STARLIGHT. The group also goes by DEV-0401, Cinnamon Tempest, Emperor Dragonfly, and SLIME34. The first two iterations were LockFile and AtomSilo. Both of these borrowed or stole aspects of their ransomware from LockBit 2.0, BlackMatter, and Cerber. However, decryptors were released for both of those (they were very similar), and as such, the threat actors pivoted to yet another ransomware. That is where Rook comes in. Contrastingly, because decryptors were released for those two, BRONZE STARLIGHT utilized the Babuk encryptor, which leaked a few months prior, for Rook. Therefore, Rook behaves just like Babuk.
Just like Babuk, Rook uses the AES algorithm to encrypt the file contents and protects the AES key with a public RSA key. Thus, only the user with the private RSA key - the threat actors - could decrypt the key and file contents. We call this approach hybrid encryption because it uses two different encryption types to perform file encryption - symmetric and asymmetric. Symmetric algorithms are almost always used to encrypt file contents because it is much faster to encrypt files as opposed to asymmetric ones. After the contents are encrypted, the file names are altered to have the ".Rook" file extension appended to the end. Therefore, if you have a file name 'file.exe,' after encryption, the file would be 'file.exe.Rook."
As for the ransom note, it uses one basic file name - HowToRestoreYourFiles.txt. The ransom note is also rather basic, telling victims to contact two different emails, which are listed below. They listed seven known victims on their dark web data leak site before they pivoted to yet another ransomware - Night Sky. The seven victims are all different in terms of countries and industries, but we do know that researchers have claimed that BRONZE STARLIGHT is believed to use ransomware as a smokescreen for intellectual property theft. However, you can be certain that they are after financial gain, too. You can view the list of samples and references below for more information.
Samples (SHA-256)(7)
Known Victims(7)
| Industry Sector | Country | Extortion Date | Amount (USD) |
|---|---|---|---|
| Real Estate & Housing | United States | ||
| Aerospace & Aviation | India | ||
| Construction & Architecture | Denmark | ||
| Automotive | Japan | ||
| Information Technology | Germany | ||
| Banking & Finance | Kazakhstan | ||
| Healthcare & Medicine | Turkey |