April 14, 2016 By Larry Loeb 2 min read

Researchers from the anti-malware and Internet security firm Malwarebytes reported finding a possible link between the Rokku ransomware and Chimera’s file-encrypting capabilities.

Rokku allows victims to scan a QR code to obtain information on how to make the ransom payment. The Chimera ransomware, which was discovered in December 2015, threatened to post victims’ files and credentials online unless they paid the ransom. However, the threatened results never came to fruition, making Chimera social engineering malware that functionally operated in reverse.

Rokku Ransomware Looks Familiar

Researchers at Malwarebytes found that the dynamic link library (DLL) files containing the core malicious actions in both the Rokku and Chimera ransomware depended on the ReflectiveLoader function. This function is used for reflective DLL injection, which loads a library from memory into a host process. This is similar to a shellcode since the DLL is self-contained and automatically loads all its dependencies.

The security firm noted that Rokku dropped ransom notes in two formats: HTML and TXT. It then substituted files with their encrypted counterparts. Because Rokku doesn’t retrieve keys from a server, the encryption process can be executed offline.

The ransom note asks a victim to upload one encrypted file. All the necessary data is derived from the uploaded file for a single demonstration of decryption.

Rokku uses two types of cryptographic algorithms: asymmetric for the root key and symmetric for the keys of individual files. Researchers explained this further, stating that the individual random key is applied to file content before being encrypted and stored with the hostage files.

There are other similarities between Rokku and Chimera. For example, cryptography is implemented locally for both, not via API calls. Both also have an external decryptor that can be downloaded before paying the ransom as a demonstration of validity.

Different Strokes

There are distinctions between the two, as well. They use differing methods of communicating with victims: Chimera uses bitmessage, while Rokku leverages a Tor website like most other ransomware. Additionally, Chimera requires an Internet connection to work, but Rokku is fully independent from a command-and-control server.

The similarities between the two types of ransomware leads experts to believe that they may be produced by the same authors using the same schema, even though the two have differing purposes. However, the best practices for staying clear of ransomware still apply to each of these exploits.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today