Threat Actor Profile
Low
Cybercriminal
Description
According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them. It also modifies filenames and creates a text file/ransom note (HowToRestoreYourFiles.txt). Rook renames files by appending the .Rook extension. For example, it renames 1.jpg to 1.jpg.Rook, 2.jpg to 2.jpg.Rook.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'According to PCrisk, Rook is ransomware (an updated variant '
'of Babuk) that prevents victims from accessing/opening files '
'by encrypting them. It also modifies filenames and creates a '
'text file/ransom note (HowToRestoreYourFiles.txt). Rook '
'renames files by appending the .Rook extension. For example, '
'it renames 1.jpg to 1.jpg.Rook, 2.jpg to 2.jpg.Rook.',
'firstseen': '2021-12-07T07:01:24.544098+00:00',
'group': 'rook',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2022-01-08T10:19:00.640637+00:00',
'locations': [{'available': False,
'fqdn': 'gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion',
'slug': 'http://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion',
'title': 'We Are Rook!!!',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion',
'slug': 'http://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion',
'title': 'We Are Rook!!!',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'rook',
'tools': {},
'url': 'https://www.ransomware.live/group/rook',
'victims': 9,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [],
'url': 'https://www.ransomware.live/group/rook',
'victims': 9,
'vulnerabilities': []}