win.rook

Rook


According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them. It also modifies filenames and creates a text file/ransom note ("HowToRestoreYourFiles.txt"). Rook renames files by appending the ".Rook" extension. For example, it renames "1.jpg" to "1.jpg.Rook", "2.jpg" to "2.jpg.Rook".
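The two host-based indicators the summary gives (the appended ".Rook" extension and the "HowToRestoreYourFiles.txt" note) are enough for a first triage of a file listing. The following script is an added example, not code from Malpedia or from any of the referenced analyses: it walks a list of paths, flags encrypted files and ransom notes, and recovers the original file name by stripping the appended extension. The sample listing is constructed; the Windows paths and user names in it are placeholders.

```python
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Indicators as stated in the page summary.
ROOK_EXTENSION = ".Rook"
ROOK_NOTE_NAME = "HowToRestoreYourFiles.txt"


@dataclass
class RookScanResult:
    encrypted: List[str] = field(default_factory=list)   # paths ending in .Rook
    notes: List[str] = field(default_factory=list)       # ransom notes found
    originals: Dict[str, str] = field(default_factory=dict)  # encrypted path -> pre-encryption name
    note_dirs: Set[str] = field(default_factory=set)     # directories holding a note


def is_rook_encrypted(path: str) -> bool:
    # NTFS names are case-insensitive, so compare the suffix case-insensitively.
    return ntpath.basename(path).lower().endswith(ROOK_EXTENSION.lower())


def is_rook_note(path: str) -> bool:
    return ntpath.basename(path).lower() == ROOK_NOTE_NAME.lower()


def original_name(path: str) -> Optional[str]:
    """Return the file name before ".Rook" was appended, or None if not encrypted."""
    name = ntpath.basename(path)
    if not is_rook_encrypted(name):
        return None
    return name[: -len(ROOK_EXTENSION)]


def scan_listing(paths: List[str]) -> RookScanResult:
    """Classify every path in a listing against the Rook indicators."""
    result = RookScanResult()
    for path in paths:
        if is_rook_encrypted(path):
            result.encrypted.append(path)
            result.originals[path] = original_name(path)
        elif is_rook_note(path):
            result.notes.append(path)
            result.note_dirs.add(ntpath.dirname(path))
    return result


def triage_summary(result: RookScanResult) -> Dict[str, int]:
    """Counts a responder would report first: how many files and how many note locations."""
    return {
        "encrypted_files": len(result.encrypted),
        "ransom_notes": len(result.notes),
        "directories_with_notes": len(result.note_dirs),
    }


# Constructed sample listing (placeholder paths, not from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\1.jpg.Rook",
    r"C:\Users\alice\Documents\2.jpg.Rook",
    r"C:\Users\alice\Documents\HowToRestoreYourFiles.txt",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Pictures\rook_photo.png",  # contains "rook" but is not encrypted
    r"C:\ProgramData\HowToRestoreYourFiles.txt",
]

if __name__ == "__main__":
    res = scan_listing(SAMPLE_LISTING)
    print(triage_summary(res))
    for enc, orig in res.originals.items():
        print(f"{enc} -> {orig}")
```

Matching on the full note file name rather than on the substring "rook" keeps ordinary files such as rook_photo.png out of the hit list; the recovered original names are what a restore-from-backup job needs.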

References

2026-05-28  ESET Research (ESET Research)
    ESET APT Activity Report Q4 2025–Q1 2026
    Tagged: WAVESHAPER, BirdCall, BLINDINGCAN, RokRAT, Rook, Tiger RAT

2022-06-23  Secureworks (Counter Threat Unit Research Team)
    BRONZE STARLIGHT Ransomware Operations Use HUI Loader
    Tagged: ATOMSILO, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Quasar RAT, Rook, SodaMaster, BRONZE STARLIGHT

2022-05-09  Microsoft (Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC))
    Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
    Tagged: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-05-09  Microsoft Security (Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center)
    Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
    Tagged: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot

2022-03-17  Seguranca Informatica (Pedro Tavares)
    Rook ransomware analysis
    Tagged: Rook

2022-03-15  Cyble (Cyble)
    Deep Dive Analysis - Pandora Ransomware
    Tagged: Pandora, Rook

2022-01-12  Github (Dump-GUY) (Jiří Vinopal)
    NightSky Ransomware – just a Rook RW fork in VMProtect suit
    Tagged: Rook

2022-01-06  Chuongdong blog (Chuong Dong)
    Rook Ransomware Analysis
    Tagged: Rook

2021-12-23  SentinelOne (Jim Walter)
    New Rook Ransomware Feeds Off the Code of Babuk
    Tagged: Rook
Yara Rules
[TLP:WHITE] win_rook_auto (20260504 | Detects win.rook.)
rule win_rook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.rook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb07 488d1d1a030200 4883a4249800000000 4084f6 }
            // n = 4, score = 100
            //   eb07                 | inc                 ebp
            //   488d1d1a030200       | xor                 eax, dword ptr [esi + ecx*4 + 0x48ef0]
            //   4883a4249800000000     | dec    eax
            //   4084f6               | shr                 ebx, 8

        $sequence_1 = { 33d2 33c9 448d4207 ff15???????? 488d4c2440 ff15???????? 8b442460 }
            // n = 7, score = 100
            //   33d2                 | dec                 eax
            //   33c9                 | mov                 edx, dword ptr [ebp + 0x740]
            //   448d4207             | dec                 esp
            //   ff15????????         |                     
            //   488d4c2440           | lea                 eax, [0xb013]
            //   ff15????????         |                     
            //   8b442460             | dec                 ecx

        $sequence_2 = { 488bd3 4533c0 498bcc ff15???????? }
            // n = 4, score = 100
            //   488bd3               | dec                 eax
            //   4533c0               | lea                 edx, [0x20a72]
            //   498bcc               | dec                 eax
            //   ff15????????         |                     

        $sequence_3 = { 488d0dbebb0400 4c89642420 e8???????? 498bcd ff15???????? 448bc0 8905???????? }
            // n = 7, score = 100
            //   488d0dbebb0400       | movzx               eax, byte ptr [eax + esi + 0x59970]
            //   4c89642420           | xor                 edx, eax
            //   e8????????           |                     
            //   498bcd               | inc                 ecx
            //   ff15????????         |                     
            //   448bc0               | movzx               eax, al
            //   8905????????         |                     

        $sequence_4 = { 488987a8000000 488d05749c0200 c7879800000001000000 48c787a000000004000000 48894760 488d055c990200 }
            // n = 6, score = 100
            //   488987a8000000       | mov                 esi, eax
            //   488d05749c0200       | dec                 esp
            //   c7879800000001000000     | lea    ecx, [0x41113]
            //   48c787a000000004000000     | inc    ecx
            //   48894760             | mul                 esp
            //   488d055c990200       | mov                 eax, edx

        $sequence_5 = { 4883eb01 7582 4183c9ff 41b801000000 498bd4 8bcf ff15???????? }
            // n = 7, score = 100
            //   4883eb01             | test                eax, 0xfffffffd
            //   7582                 | je                  0x15c1
            //   4183c9ff             | inc                 ebp
            //   41b801000000         | xor                 ecx, ecx
            //   498bd4               | dec                 eax
            //   8bcf                 | lea                 eax, [ebp + 0x6f]
            //   ff15????????         |                     

        $sequence_6 = { 48897c2420 ff15???????? 4863d8 488bcb e8???????? 498bce }
            // n = 6, score = 100
            //   48897c2420           | movzx               ecx, cl
            //   ff15????????         |                     
            //   4863d8               | inc                 esp
            //   488bcb               | mov                 ecx, dword ptr [eax + 8]
            //   e8????????           |                     
            //   498bce               | inc                 ecx

        $sequence_7 = { c5f1eb0d???????? 4c8d0d169f0000 c5f35cca c4c173590cc1 4c8d0de58e0000 }
            // n = 5, score = 100
            //   c5f1eb0d????????     |                     
            //   4c8d0d169f0000       | dec                 eax
            //   c5f35cca             | lea                 edx, [0xfffc8281]
            //   c4c173590cc1         | inc                 esp
            //   4c8d0de58e0000       | mov                 dword ptr [esp + 0x40], esp

        $sequence_8 = { 7407 e8???????? eb09 488b4918 e8???????? ffc3 }
            // n = 6, score = 100
            //   7407                 | dec                 eax
            //   e8????????           |                     
            //   eb09                 | mov                 ecx, edi
            //   488b4918             | dec                 esp
            //   e8????????           |                     
            //   ffc3                 | mov                 esi, eax

        $sequence_9 = { 488d54246c 488bcd ff15???????? f644244010 0f851f020000 488d153bab0400 488d4c246c }
            // n = 7, score = 100
            //   488d54246c           | inc                 esp
            //   488bcd               | xor                 ecx, dword ptr [edi + edx*4 + 0x59570]
            //   ff15????????         |                     
            //   f644244010           | movzx               edx, byte ptr [eax + edi + 0x59470]
            //   0f851f020000         | movzx               eax, byte ptr [ecx + 1]
            //   488d153bab0400       | dec                 eax
            //   488d4c246c           | add                 ecx, 4

    condition:
        7 of them and filesize < 843776
}