In the ever-evolving landscape of cyber threats, the emergence of Cloak ransomware has captured the attention of security experts and businesses alike. Since its inception in 2022, this cybercriminal group has swiftly established itself as a formidable presence in the ransomware arena. Recent analyses by Halcyon have unveiled a new variant of Cloak that raises significant concerns due to its advanced capabilities.
The Dangerous Windows Drive-By Threat That Is Cloak Ransomware
Halcyon’s latest report sheds light on the intricate tactics employed by the Cloak ransomware operators. At the forefront of their strategy is the acquisition of network access through initial access brokers and social engineering techniques. The group employs a range of methods, including phishing, malicious advertising, and exploit kits, to infiltrate target systems. Notably, the Cloak variant utilizes a drive-by download approach, masquerading as legitimate system updates, such as Microsoft Windows installers, to ensnare unsuspecting users.
There is speculation that Cloak has ties to the Good Day ransomware group, utilizing a variant derived from previously leaked Babuk ransomware source code. While the origins may be of academic interest, the implications for victims are far more pressing. Once the ransomware payload is delivered via a loader, Cloak employs sophisticated extraction and privilege escalation mechanisms. As highlighted in Halcyon’s findings, the ransomware not only terminates processes related to security and data backups but also modifies system settings to obstruct recovery efforts. The encryption process is robust, utilizing Curve25519 and SHA-512 for key handling and the HC-128 stream cipher to encrypt files on both local drives and network shares. Furthermore, the Cloak variant exhibits advanced evasion techniques, including execution from virtual hard disks to elude detection.
Windows Users Warned Of Cloak’s Payload Persistence And Extortion Behavior
Cloak ransomware demonstrates a calculated approach to ensuring payload persistence. By altering Windows registry entries for startup execution and restricting user actions—such as logging off and accessing the Windows Task Manager—the malware aims to prolong its presence on infected systems. Halcyon’s report notes that Cloak disrupts essential system utilities, network services, and applications, leading to significant operational downtime for victims.
The extortion tactics employed by Cloak are equally alarming. Ransom notes are cleverly disguised as Windows desktop wallpapers and text files, creating a sense of urgency for the victim. Additionally, the ransomware employs intermittent encryption for large files, encrypting only selected chunks of each file so that the file is rendered unusable while the encryption run finishes far faster than full encryption would. A particularly insidious aspect of the attack involves the deletion of shadow copies and backups, further complicating recovery efforts for affected users.
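The persistence and recovery-sabotage behaviors described in the two paragraphs above (startup entries in the registry, blocking Task Manager and logoff, and deleting shadow copies) are things a defender can watch for in endpoint telemetry. The following is an added example, not code from Halcyon's report or from the article: a small Python detection pass over constructed, Sysmon-style events. The registry paths and command lines it looks for are standard Windows mechanisms for those behaviors, not indicators specific to Cloak, and the sample events are constructed for illustration.

```python
"""
Added example (not from Halcyon or the article): flag endpoint events that show
ransomware-style persistence and recovery sabotage.

Event shapes follow Sysmon numbering (1 = process create, 13 = registry value
set) but are constructed here; registry paths and commands are generic Windows
mechanisms, not Cloak-specific indicators.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    event_id: int                      # 1 = process create, 13 = registry value set
    image: str                         # process that generated the event
    details: dict = field(default_factory=dict)


# Autostart locations commonly abused for persistence.
STARTUP_KEY_MARKERS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Policy values that remove the user's ability to stop or log out of a session.
RESTRICTIVE_POLICY_VALUES = {
    r"\policies\system\disabletaskmgr": "task-manager-disabled",
    r"\policies\explorer\nologoff": "logoff-disabled",
}

# Well-known commands that destroy Volume Shadow Copies or backup catalogs.
SHADOW_COPY_PATTERNS = (
    ("vssadmin", "delete shadows"),
    ("vssadmin", "resize shadowstorage"),
    ("wmic", "shadowcopy delete"),
    ("wbadmin", "delete catalog"),
)


def classify(event):
    """Return the list of finding labels for one event (empty if benign)."""
    findings = []
    if event.event_id == 13:
        target = event.details.get("target_object", "").lower()
        if any(marker in target for marker in STARTUP_KEY_MARKERS):
            findings.append("startup-persistence")
        for marker, label in RESTRICTIVE_POLICY_VALUES.items():
            if target.endswith(marker):
                findings.append(label)
    elif event.event_id == 1:
        cmd = event.details.get("command_line", "").lower()
        for tool, args in SHADOW_COPY_PATTERNS:
            if tool in cmd and args in cmd:
                findings.append("shadow-copy-destruction")
                break
    return findings


def scan(events):
    """Map event index -> findings, keeping only events that produced a finding."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}


def score(events):
    """Number of distinct suspicious behaviors seen; 2+ on one host merits an alert."""
    labels = {label for f in scan(events).values() for label in f}
    return len(labels)


# Constructed sample telemetry (not real Cloak artifacts).
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\svchost.exe",
          {"command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"}),
    Event(13, r"C:\Users\alice\AppData\Local\Temp\update.exe",
          {"target_object": r"HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Run\update"}),
    Event(13, r"C:\Users\alice\AppData\Local\Temp\update.exe",
          {"target_object": r"HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"}),
    Event(13, r"C:\Users\alice\AppData\Local\Temp\update.exe",
          {"target_object": r"HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff"}),
    Event(1, r"C:\Windows\System32\cmd.exe",
          {"command_line": r"cmd.exe /c vssadmin delete shadows /all /quiet"}),
    Event(13, r"C:\Program Files\Vendor\app.exe",
          {"target_object": r"HKLM\SOFTWARE\Vendor\App\LastUpdateCheck"}),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx].image} -> {findings}")
    print("distinct behaviors:", score(SAMPLE_EVENTS))
```

A single startup-key write is noisy on its own (installers do it legitimately), which is why `score` counts distinct behaviors rather than raw hits: a host that writes an autostart entry, disables Task Manager and then deletes shadow copies within a short window is the pattern worth paging on, and the shadow-copy commands alone are rare enough in normal operation to justify a high-severity rule by themselves.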
Despite the relative obscurity of the Cloak ransomware threat, its potential impact should not be underestimated. As is increasingly common in the realm of ransomware, a data leak site is utilized to publish or sell stolen data if ransom demands go unmet. The group claims a staggering ransom payment success rate of 91% to 96%, though the veracity of this assertion remains uncertain. In light of these developments, Windows users are urged to adopt comprehensive security measures to mitigate the risk of falling victim to such attacks.
In pursuit of clarity regarding this pressing issue, I have reached out to Microsoft for an official statement concerning the risks posed to Windows users.