{
	"id": "68309d17-3f21-4543-89cf-d4c2483c717b",
	"created_at": "2026-04-06T00:12:25.139824Z",
	"updated_at": "2026-04-10T13:11:50.691237Z",
	"deleted_at": null,
	"sha1_hash": "c0e2db4a250b54b2c974caeec966d7c417516c5a",
	"title": "Rokku Ransomware shows possible link with Chimera | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 336138,
	"plain_text": "Rokku Ransomware shows possible link with Chimera | Malwarebytes Labs\r\nBy hasherezade\r\nPublished: 2016-04-10 · Archived: 2026-04-05 14:08:52 UTC\r\nRokku is yet another ransomware, discovered in recent weeks. Currently, its most common distribution method is spam, where a malicious executable is dropped by a VB script contained in the e-mail’s attachment.\r\nThe building blocks of Rokku reminded us of the Chimera ransomware. That’s why we decided to take a closer look, not only at the internal structure of this malware but also at the similarities and differences between these two products.\r\nAnalyzed samples\r\nMalware:\r\n97512f4617019c907cd0f88193039e7c – original executable\r\n5a0e3a6e3106e754381bd1cc3295c97f – UPX layer removed\r\nbe6552aed5e7509b3b539cef8a965131 – payload: encryptor.dll \u003c- main focus of the analysis\r\nDecryptor:\r\n82fea20bb4c96050b4cf55f83de0f3e6 – original executable: decryptor.exe\r\n1be4a0932a66ebdb9ede56214d8ccdf9 – UPX layer removed \u003c- main focus of the analysis\r\nSpecial thanks to MalwareHunterTeam for sharing the sample.\r\nBehavioral analysis\r\nWhen we deploy the executable, it runs silently – first dropping ransom notes (in two formats – HTML and TXT), and after that substituting files with their encrypted versions.\r\nRokku doesn’t retrieve keys from the server, so the encryption process can be executed off-line as well.\r\nEncryption process\r\nFiles encrypted by this ransomware can be identified by the extension .rokku added to the original name.\r\nThe encrypted content has a high level of entropy and no patterns are visible. 
See below for a visualization of the bytes.\r\nsquare.bmp: left – original, right – encrypted with Rokku:\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/\r\nPage 1 of 12\r\nWhen the encryption finishes, the ransom note pops up:\r\nWebsite for the victim\r\nLike many products of this type, Rokku has a web panel for victims, used to manage the payment and decrypt files. It is available via Tor.\r\nThe website has a neat design; however, it is very simple in comparison to other recent ransomware: rather than forcing a victim to type a unique ID, it simply asks them to upload one file. All the necessary data are automatically fetched from the file.\r\nThen it redirects to the personalized part of the panel and shows the order ID. This unique identifier can later be used to regain access to this page without having to upload a file again:\r\nThe required ransom amount is relatively low in comparison to other ransomware – 0.2402 BTC (around 100 USD). Currently we have found no information suggesting that the price will increase with time, so we can assume that in this case the distributors decided to use a fixed price.\r\nFrom the same site we can download the decrypting application. After the payment is processed, the root key required to decrypt all the files is made available.\r\nEven without a payment, one chosen file can be unlocked for demonstration purposes. Once an encrypted file is uploaded, its individual file key is released. Then, it can be decrypted using this key and the decryptor available on the site.\r\nFindings\r\nLooking at the features described above, we can deduce quite a lot about the internal logic of the encryption process. 
As usual, two types of cryptographic algorithms are used: asymmetric for the root key, and symmetric for the keys of individual files. An individual (random) key is used to encrypt the file content; the key itself is then encrypted with the public root key and stored in the same file. Only the owner of the private root key can retrieve it – and with its help decrypt the original content.\r\nThe sample’s individual key, displayed to the user, is 45 characters long (it can also be interpreted as Base64-encoded, 36-byte-long content).\r\nAlso, every file contains the Order ID. The displayed value is 86 characters long (it may be interpreted as a 66-byte-long value, Base64 encoded).\r\nInside the malware\r\nLet’s have a look inside the malicious sample…\r\nThe original payload that is distributed in campaigns is UPX packed. This layer can be easily removed using the standard UPX tool.\r\nThe next layer consists of some underground crypter/FUD.\r\nAfter unpacking the crypter layer we can find the DLL with the core malicious functionality – encryptor.dll (be6552aed5e7509b3b539cef8a965131)\r\nLike the Core.dll of the Chimera ransomware, it uses ReflectiveLoader.\r\nReflectiveLoader is a special stub belonging to the technique of Reflective DLL Injection. This technique makes it possible to produce a DLL that can be easily injected into another process. Like shellcode, such a DLL is self-contained and automatically loads all its dependencies.\r\nExecution flow\r\nExecution of the malicious core follows several steps:\r\nFetches information about the system.\r\nRemoves local backups. It is very thorough about this goal and targets several programs used for this purpose (the commands used are listed below).\r\nEnumerates local disks, checking their existence by the alphabet (from Z to A), and makes a list of all their directories. 
Directories on network disks are also listed.\r\nProcesses the list of directories:\r\ndrops the ransom note in each of them\r\nenumerates their files (using NtQueryDirectoryFile) and makes a list of paths.\r\nThe encrypting routine takes the list of paths and encrypts the files one by one. Information about each file, e.g. its size, is retrieved using ZwQueryInformationFile.\r\nIn the initial phase, the malware prepares to deploy its malicious features. It scans the environment and closes some programs. For example, it checks whether any console window is open, and if so, hides it:\r\nIn order to make analysis harder, this malware uses encrypted strings. They are decrypted on the fly, just before they are needed. As you can see in the screenshot above, this is implemented with the help of a small in-line routine using SSE (highlighted in the picture). Using an in-line routine has an advantage over a separate decrypting function: it is harder to locate all the calls to it and to decrypt the strings just by tracing its output.\r\nNext, it reads a unique identifier of the current machine: it retrieves the GUID from the registry…\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography -\u003e \"MachineGuid\"\r\n…and the volume serial number of the disk where Windows is installed (using GetVolumeInformation). 
Both parts are concatenated together () and hashed using a local implementation of SHA512 (this implementation comes from OpenSSL)…\r\nWe can see the typical SHA512 constants in the code:\r\nThe first half of the SHA512 hash and the are concatenated together and used as a mutex name (with the help of the mutex, the malware prevents itself from being run more than once at the same time).\r\nFinally, removing backups and stopping backup services is performed by executing the following commands:\r\nwmic shadowcopy delete /nointeractive vssadmin delete shadows /all /quiet reg add \"HKLMSYSTEMCurrentC\r\nHow does the encryption work?\r\nFrom the behavioral analysis and experiments we concluded that Rokku – like most ransomware – uses symmetric and asymmetric encryption.\r\nAs the main, symmetric encryption algorithm, the authors decided to use Salsa20 (Salsa was also used by the Petya ransomware). A fragment of the implementation is shown below:\r\nEvery file is encrypted by Salsa20 with a new, random key. Random values are retrieved using advapi32.SystemFunction036 – that is, RtlGenRandom. Then, the random key is encrypted with a locally implemented RSA algorithm.\r\nResearch about the implementation details and possible flaws is in progress.\r\nWhat is attacked?\r\nRokku attacks local disks as well as network shares.\r\nThis malware doesn’t have any external configuration – all the strings (including attacked file extensions and blacklisted paths) are hardcoded in obfuscated form and decrypted in-line. 
Loading the hardcoded settings is performed by dedicated functions (in the described sample it starts at RVA = 0x2dcf):\r\nAttacked extensions are decrypted in chunks (each chunk contains several extensions) and then added to the list. Below you can see a chunk of extensions being decrypted:\r\nSummary of all the file extensions that are attacked:\r\n001 1dc 3ds 3fr 7z a3s acb acbl accdb act ai ai3 ai4 ai5 ai6 ai7 ai8 aia aif aiff aip ait anim apk a\r\nIn the same way, blacklisted paths are deobfuscated and loaded.\r\nHere are some examples of in-line routines used to decrypt blacklisted paths:\r\nExample 1 – adding the hardcoded value “roaming”:\r\nExample 2 – decrypting “system volume information”\r\nSummary of folders excluded from encryption:\r\n$recycle.bin system volume information windows.old $windows.~bt windows windows locallow local roamin\r\nSome files – including ransom notes – are also excluded from encryption, e.g.:\r\nthumbs.db iconcache.db bootsec.bak\r\nInside the decryptor\r\nThe decryptor is an application that can be downloaded from the website for the victim and used to recover the files after purchasing the key.\r\nIt comes with a simple GUI, allowing two modes of decryption – for an individual file or for a full folder.\r\nIt is also UPX packed, but after removing this layer we can see valid strings. We can find there elements corresponding to encryptor.dll – but with much less obfuscation added. For example, the same paths are skipped, but this time we can see them in clear text:\r\nBelow – a fragment of the Salsa20 implementation containing the typical constants:\r\nGUI programming in C++ is not the strong point of the authors. 
In the code of the decryptor we can find fragments of a ready-made template. See below:\r\ncode fragment found in Rokku’s decryptor:\r\ncorresponding code fragment – part of a skeleton application that has been demonstrated in a GUI programming course:\r\nThe authors of Chimera also didn’t feel confident in native GUI programming. Although they wrote most of the code in C++, the decryptor’s GUI was prepared in the .NET framework (which makes GUI programming much easier). The decryptor’s core functions were called from a DLL written in C++.\r\nConclusion\r\nIn terms of architecture, Rokku shows several similarities with the Chimera ransomware:\r\nthe main part is a DLL, using ReflectiveLoader\r\ncryptography implemented locally (not via API calls)\r\nexternal decryptor that can be downloaded from the given location before paying the ransom\r\nBoth products use, however, different ways to communicate with victims: Chimera uses Bitmessage, while Rokku uses a Tor website (like most ransomware). 
Chimera requires an Internet connection in order to work; Rokku, on the contrary, is fully independent of the CnC server.\r\nThe similarities found lead us to the conclusion that Rokku may be a product of the same authors – prepared with a similar schema but with different needs in mind.\r\nRokku is detected by Malwarebytes Anti-Malware (MBAM) as well as by Malwarebytes Anti-Ransomware (MBARW).\r\nAppendix\r\nAbout Rokku by other vendors:\r\nhttp://www.bleepingcomputer.com/news/security/rokku-ransomware-encrypts-each-file-with-its-own-unique-key/ – Bleeping Computer\r\nAbout Chimera:\r\n/blog/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/"
	],
	"report_names": [
		"rokku-ransomware"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434345,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0e2db4a250b54b2c974caeec966d7c417516c5a.pdf",
		"text": "https://archive.orkl.eu/c0e2db4a250b54b2c974caeec966d7c417516c5a.txt",
		"img": "https://archive.orkl.eu/c0e2db4a250b54b2c974caeec966d7c417516c5a.jpg"
	}
}