{
	"id": "0d0f2c0b-735d-4772-a40d-90d6567da900",
	"created_at": "2026-04-06T00:19:28.591599Z",
	"updated_at": "2026-04-10T13:11:55.404024Z",
	"deleted_at": null,
	"sha1_hash": "a45b964f060a07333e13973b14dec0c8fa5f16c3",
	"title": "Malware-analysis-and-Reverse-engineering/NightSky_Ransomware–just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware–just_a_Rook_RW_fork_in_VMProtect_suit.md at main · Dump-GUY/Malware-analysis-and-Reverse-engineering",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1278576,
	"plain_text": "Malware-analysis-and-Reverse-engineering/NightSky_Ransomware–\r\njust_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware–\r\njust_a_Rook_RW_fork_in_VMProtect_suit.md at main · Dump-GUY/Malware-analysis-and-Reverse-engineering\r\nBy Dump-GUY\r\nArchived: 2026-04-05 20:14:23 UTC\r\nNightSky Ransomware – just a Rook RW fork in VMProtect suit\r\nThe main subject of this analysis is to explain Cryptographic functions used in NightSky and Rook ransomwares\r\nand compare their similarities and differences. This is not just some kind of show-off report but the main purpose\r\nof this, is to share some knowledge, ideas, work-flow and problems which could occur during this kind of\r\nresearch.\r\nBefore we jump in, both of these ransomwares are using the same version of statically linked OpenSource library\r\nMbed TLS (2.23.0 – 2.24.0) to implement Crypto functions. Because of minor changes in Mbed TLS between\r\nversions 2.23.0 and 2.24.0 (ransomware code is not affected by these changes), there is no way to specify which\r\none of these version was used, but more important is that both ransomwares are using the same version of Mbed\r\nTLS.\r\nFinding out the exact version was a pitty work, involving compilation of different version of Mbed TLS (last 20\r\nversions) with exact same version of Visual Studio (2015) and same version of compiler tools (19.00.24245 –\r\nobtained from Rook RW). Because of shredded Rich Header in NightSky ransomware (caused by used\r\nVMProtect), we can only presume that both of these RW were built with compiler tools 19.00.????? probably\r\nVisual Studio 2015 but not necessary. 
In the Rook case we also know the exact version of the compiler tools (19.00.24245), because the Rich Header is present.\r\nhttps://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md\r\nPage 1 of 7\r\nThe real hard work started with many attempts to find the C/C++ compiler and linker configuration that was used in both of these ransomwares, which involved reversing the Mbed TLS functions inside the ransomwares and comparing them with the produced .dll files and the .obj files (inside the .lib file). Fortunately, and not surprisingly, the best configuration was the same for both ransomwares. The built .lib files served for generating FLIRT signatures, and the .dll files with PDB symbols were used for fuzzy matching with Rizzo signatures, fingermatch signatures, Diaphora... Big differences in the number of matched functions between the Mbed TLS versions led to the exact version of Mbed TLS (2.23.0 – 2.24.0) used in both cases. These facts could be just an interesting coincidence, but after I introduce the code similarity it will be obvious that NightSky ransomware is just a fork of Rook, and there is a possibility that the same TA is behind the creation of both ransomwares (another possibility is leaked source code etc.).\r\nNightSky RW vs Rook RW brief crypto summary\r\nLet's do some reversing\r\nAfter this brief introduction we can jump to the main function of these ransomwares. The main functions of Rook and NightSky RW are shown in the picture below. NightSky omits some functionality of Rook (processing of command-line arguments, debug mode...) and some of it was just moved to different functions, but the code similarity related to multi-threading and synchronization remains.\r\nOne of the first functions called from “main” in both ransomwares, “setPRNG_generate_VictimRSAKeys_encryptVictimPrivateKEY”, is responsible for generating the victim RSA-2048 key pair; the victim RSA-2048 private key is then encrypted with the TA's embedded RSA-2048 public key. The encryption of the victim RSA private key is performed in a loop over 200-byte pieces, as you can see in the picture below. Again the similarity of the code is obvious.\r\nWe can move on to the function that is the start routine of the newly spawned threads. This NightSky routine is literally copy-pasted code from Rook RW and serves as synchronization that leads to the function responsible for file encryption, “encrypt_file”.\r\nIn the “encrypt_file” function below we can see that both ransomwares use the Mbed TLS random module to generate a unique 16-byte random AES key for each file. This AES key is used for the file content, but it also gets encrypted with the previously generated victim RSA-2048 public key and saved to a structure that later becomes part of the encrypted file's footer.\r\nThe usage of the randomly generated AES key differs between NightSky and Rook. Rook's encryption is AES-128 in ECB mode combined with intermittent encryption: the file is processed in 32-byte chunks of which only the first 16 bytes are encrypted. 
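The two content-encryption schemes compared here (Rook's intermittent ECB over 32-byte chunks and NightSky's CBC with a fixed IV, both capped at 524288*3 bytes), together with the per-file key wrapping described above, as an added Go model that is not code from the write-up or from either sample. It assumes PKCS#1 v1.5 padding for the RSA steps, a placeholder IV (the real hard-coded value is not given on the page), crypto/rand in place of the Mbed TLS CTR_DRBG, and that only whole 16-byte blocks inside the cap are transformed; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// Added model of the scheme the write-up describes, not code from it or from either
// sample. Assumed, since the page does not state them: PKCS#1 v1.5 padding for the RSA
// steps, a made-up CBC IV, and that only whole 16-byte blocks inside the cap are touched.

const maxEncrypted = 524288 * 3 // size cap the page gives for both families
const rsaChunk = 200            // the victim private key is wrapped 200 bytes per RSA block

var nightSkyIV = []byte("0123456789abcdef") // placeholder; the real hard-coded IV is not on the page

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// rsaWrap and rsaUnwrap reproduce the 200-byte loop shown for the victim private key.
func rsaWrap(pub *rsa.PublicKey, data []byte) (out [][]byte) {
	for len(data) > 0 {
		n := min(rsaChunk, len(data))
		out = append(out, must(rsa.EncryptPKCS1v15(rand.Reader, pub, data[:n])))
		data = data[n:]
	}
	return out
}

func rsaUnwrap(priv *rsa.PrivateKey, blocks [][]byte) (out []byte) {
	for _, b := range blocks {
		out = append(out, must(rsa.DecryptPKCS1v15(rand.Reader, priv, b))...)
	}
	return out
}

// rookIntermittent walks the capped region in 32-byte chunks and runs the block cipher
// over the first 16 bytes of each; the other 16 and everything past the cap stay in clear.
func rookIntermittent(key, data []byte, decrypt bool) []byte {
	blk := must(aes.NewCipher(key))
	out := append([]byte(nil), data...)
	op := blk.Encrypt
	if decrypt {
		op = blk.Decrypt // the same walk with the inverse block operation undoes it
	}
	for off, n := 0, min(len(out), maxEncrypted); off+16 <= n; off += 32 {
		op(out[off:off+16], out[off:off+16])
	}
	return out
}

// nightSkyCBC applies AES-128-CBC with the fixed IV to the whole 16-byte blocks of the
// capped region; a trailing partial block is left in clear.
func nightSkyCBC(key, data []byte, decrypt bool) []byte {
	blk := must(aes.NewCipher(key))
	out := append([]byte(nil), data...)
	n := min(len(out), maxEncrypted) &^ 15
	mode := cipher.NewCBCEncrypter(blk, nightSkyIV)
	if decrypt {
		mode = cipher.NewCBCDecrypter(blk, nightSkyIV)
	}
	mode.CryptBlocks(out[:n], out[:n])
	return out
}

// roundTrip runs the key hierarchy once, then the analyst path from the recommendation:
// with the embedded actor key swapped for one you own, taPriv unwraps the victim private
// key, which in turn unwraps every per-file AES key.
func roundTrip(plain []byte) (rookOK, skyOK bool) {
	taPriv := must(rsa.GenerateKey(rand.Reader, 2048)) // stands in for the actor's embedded key
	victim := must(rsa.GenerateKey(rand.Reader, 2048)) // generated per victim at runtime
	wrappedVictim := rsaWrap(&taPriv.PublicKey, x509.MarshalPKCS1PrivateKey(victim))
	fileKey := make([]byte, 16) // per-file key; crypto/rand stands in for Mbed TLS CTR_DRBG
	must(rand.Read(fileKey))
	wrappedKey := must(rsa.EncryptPKCS1v15(rand.Reader, &victim.PublicKey, fileKey))
	rookFile := rookIntermittent(fileKey, plain, false)
	skyFile := nightSkyCBC(fileKey, plain, false)
	// Analyst side: only taPriv and the two wrapped blobs are used from here on.
	recovered := must(x509.ParsePKCS1PrivateKey(rsaUnwrap(taPriv, wrappedVictim)))
	k := must(rsa.DecryptPKCS1v15(rand.Reader, recovered, wrappedKey))
	return bytes.Equal(rookIntermittent(k, rookFile, true), plain),
		bytes.Equal(nightSkyCBC(k, skyFile, true), plain)
}

func main() {
	sample := bytes.Repeat([]byte("constructed sample content "), 60000) // 1.62 MB, past the cap
	r, s := roundTrip(sample)
	fmt.Println("rook round trip:", r, "nightsky round trip:", s)
}
```

roundTrip also walks the analyst path from the recommendation at the end of the write-up: once the embedded actor public key has been replaced by one whose private half you hold, the victim private key and then every per-file key can be unwrapped and the files decrypted without touching the running sample. Feeding a file that repeats one byte through both functions makes the difference visible: the Rook output repeats identical 16-byte ciphertext blocks (ECB) and keeps every second 16 bytes in clear, while the CBC output does neither.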
The maximum encrypted size is 524288*3 bytes, so half of the processed region and everything past the cap remain in cleartext.\r\nNightSky's encryption is AES-128 in CBC mode with a hard-coded IV; the maximum encrypted size is the same as in Rook's case, 524288*3 bytes.\r\nYou can see NightSky's AES-128 CBC mode with the hard-coded IV below.\r\nOur final stage of analysis is comparing the encrypted file structures.\r\nRook ransomware encrypted file structure (the only addition compared to NightSky is a tag I named Quadpart_presented; this tag has no meaning, which is probably why it was omitted):\r\nNightSky ransomware encrypted file structure:\r\nConclusion:\r\nAs we could see, the similarity between Rook and NightSky ransomware sometimes looks like copy-pasted code.\r\nWhat could be quite tricky for analysts is that NightSky is delivered VMProtected, which in combination with the statically linked Mbed TLS crypto library could be, let's say, “unpleasant”.\r\nSome functionality of Rook ransomware (not part of the crypto process) is not present in the NightSky code.\r\nThe only difference in the encryption is that NightSky RW replaced the intermittent AES-ECB encryption with AES-CBC, which is more secure in the sense that it hides repeated-block patterns and no longer leaves unencrypted 16-byte gaps; the hard-coded IV costs little here because every file is encrypted under a fresh key.\r\nRecommendation:\r\nIf possible, always try to perform the decryption yourself (spoofing the public key, grabbing session keys, hooking etc.) to confirm your analytical assumptions.\r\nIf you were able to read this far, you can also check my steps without correction [HERE]\r\nDownload:\r\nUnpacked, repaired and debuggable sample of NightSky RW is available [HERE-pass:infected]\r\nGenerated FLIRT, Rizzo and Fingermatch signatures for Mbed TLS 2.24.0 [HERE]\r\nIOCs:\r\nNightSky Ransomware MD5: 9608c8b6c8d80fdc67b99edd3c53d3d2\r\nRook Ransomware MD5: 6d87be9212a1a0e92e58e1ed94c589f9\r\nSource: https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md"
	],
	"report_names": [
		"NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434768,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a45b964f060a07333e13973b14dec0c8fa5f16c3.pdf",
		"text": "https://archive.orkl.eu/a45b964f060a07333e13973b14dec0c8fa5f16c3.txt",
		"img": "https://archive.orkl.eu/a45b964f060a07333e13973b14dec0c8fa5f16c3.jpg"
	}
}