Published on January 26, 2022

Rook Ransomware (RaaS): The latest kid on the block with an attitude.

Rook, the latest kid on the block for ransomware operations, first appeared on VirusTotal on 26 November 2021. Since its discovery, Rook has claimed its victims across verticals like Banking, Finance, Technology and Aerospace and they have been announced on their TOR site. Like most ransomware operations, Rook utilizes a ‘double extortion’ approach to force its victims into payment. The stolen data is then displayed as proof of compromise, with accompanying information on the total amount of data stolen.

(Rook Tor Site)

(Victim’s compromised data is displayed on the TOR site)
Analyzing Rook

When executed, Rook encrypts all files, deletes backups via vssadmin.exe and removes itself from the compromised machine. It then leaves a ransom note.

(Rook ransom note)

Rook’s ransom notes state that compromised victims should contact the group within 3 days for the ransom amount to be subject to a “50% discount”. However, if this condition is not met, the company’s files will be leaked onto their onion network. Contact to the Rook team can be established via e-mail (; or via the TOR browser link. The group also warns that should external help via software or third party assistance be used for decryption and restoration, the private key may be damaged, which would consequently lead to a total loss of data. 

New call-to-action

Running the attack

Upon the execution of the Rook ransomware, ReaQta-Hive autonomously reconstructed the breach, providing complete visibility across attacker tactics and techniques.

(ReaQta-Hive’s Behavioural Tree showing the Rook ransomware)

The behavioral tree maps all processes and behaviors involved in the infection to Mitre’s Attack Tactics and Techniques. Rook ransomware also uses the vssadmin.exe delete shadows/all/quiet command to delete shadow backup volume, much like what we have seen from Babuk and Avaddon. While some threat actors do focus restoration prevention, ReaQta provides additional layered defense via Destra on the detections on the misuse of wmic.exe and vssadmin.exe.

(Rook is automatically stopped by ReaQta-Hive within seconds)

Within seconds of the infection, ReaQta was effectively able to prevent costly and tiresome business interruptions. Aside from just stopping the threat, ReaQta’s AI algorithms automatically terminated all malicious processes involved in the incident. The vassadmin.exe process is also automatically terminated once the threat has been neutralized. Thereafter, ReaQta-Hive closed off the alert, reducing extra actions needed to be taken by the security team.

New call-to-action

Cyber threats will only continue to rise globally, given that the returns on investment of such ransomware attacks has unfortunately been proven. The aftermath of such infections remain alarming as an organizations ‘crown jewels’ are seized, and sensitive data is encrypted. 

By default, all applications and platforms should be built with security in mind. This includes having security design in the organization’s processes in order to protect both the company and consumers’ data. Organizations should also conduct checks: Are the security solutions that they are utilizing able to keep up with the pace of threats today? Are employees in the know about potential threats that they encounter?

ReaQta-Hive’s customers stay protected from threats like Rook.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.