Although little is known about the actor behind what has become known as Cloak ransomware, the group has risen quickly to become a significant player in the ransomware landscape since first emerging in 2022. Threat researchers at Halcyon have now analyzed Cloak and uncovered a new and worrying variant that not only displays “sophisticated extraction and privilege escalation mechanisms” but also terminates processes belonging to security and data backup tools. This new variant, Halcyon warned, can spread by way of drive-by downloads disguised as legitimate updates such as Microsoft Windows installers. Here’s what you need to know.
The Dangerous Windows Drive-By Threat That Is Cloak Ransomware
The newly published Halcyon analysis of this latest Cloak variant details a number of attack strategies used by the threat actors behind it. Network access acquired through initial access brokers and social engineering unsurprisingly top the list. Phishing, malicious advertising and exploit kits are all employed to get the Cloak malware installed onto a target system, but Halcyon has also warned that the attackers use a drive-by download tactic, disguising the payload as a legitimate system update such as a Windows installer.
Cloak is believed to be connected to the Good Day ransomware group and to use a ransomware derived from the previously leaked Babuk source code. The lineage matters less to victims than what the payload does once it lands: delivered by way of a loader that has the ransomware embedded within it, Cloak uses sophisticated extraction and privilege escalation mechanisms, according to this latest report. “It terminates processes and services related to security, backups, and databases,” the security analysts warned, “while modifying system settings to hinder recovery and user actions.” Encryption keys are generated using Curve25519 and SHA-512, and files on both local drives and network shares are encrypted with the HC-128 stream cipher. The practical consequence of a hybrid scheme of this kind, provided it is implemented correctly, is that the private key needed to unwrap the file keys never leaves the operator, so analysing the sample alone does not yield a way to recover files; prevention and untouchable backups are what matter. The Cloak variant “employs advanced evasion techniques, including executing from virtual hard disks to avoid detection,” the report said.
Windows Users Warned Of Cloak’s Payload Persistence And Extortion Behavior
By adding Windows registry entries for startup execution, and by restricting user actions such as logging off and opening the Windows Task Manager, Cloak aims to ensure its payload persists. “It disrupts system utilities, network services, and essential applications to escalate operational downtime,” the report said. Victims are extorted through ransom notes, which are displayed as the Windows desktop wallpaper and dropped as text files. Cloak also, somewhat cleverly, uses “intermittent encryption for large files,” the researchers said, “targeting specific chunks to maximize damage while optimizing performance.” Encrypting only selected chunks renders a large file unusable while writing far less data than full encryption would, which shortens the window in which the activity can be noticed and stopped. And let’s not forget that the attackers delete shadow copies and backups as part of the attack in order to increase their leverage over victims.
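The behaviours described in the two sections above, namely the termination of security, backup and database services, the registry changes that restrict the user and add startup persistence, and the deletion of shadow copies, are the kind of thing a defender can hunt for in process-creation telemetry. The following Python is an added example written for this page, not code from Halcyon or from the Cloak sample. The command lines, host names and the service and process watch lists are constructed assumptions: they are the generic, publicly documented forms of those actions, not commands recovered from Cloak (the report does not publish them). A host is flagged only when several distinct behaviours co-occur, since any one of them in isolation is routine administration.

```python
"""Hunt for ransomware impact and persistence behaviour in process-creation events.

Added example for this page. Command lines, host names, and the service and
process name lists below are CONSTRUCTED assumptions: they are the generic,
publicly documented ways of deleting shadow copies, stopping services and
setting Windows policy values, not commands recovered from a Cloak sample.
"""
import re
from collections import defaultdict

# Illustrative watch lists (assumed, not from the report); compared lower-cased.
BACKUP_OR_DB_SERVICES = {
    "vss", "swprv", "wbengine", "sqlwriter", "mssqlserver", "sqlbrowser",
    "veeamdeploysvc", "backupexecagentaccelerator", "mysql", "postgresql",
}
SECURITY_PROCESSES = {"msmpeng.exe", "sense.exe", "mbamservice.exe", "sentinelagent.exe"}

# Behaviour rules keyed by tag; each matches one generic command-line pattern.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(?:\.exe)?\s+delete\s+catalog)", re.I)),
    ("recovery_hindered", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no"
        r"|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    # Policy values that hide Task Manager, Log Off and Shut Down from the user.
    ("user_action_restricted", re.compile(
        r"\breg(?:\.exe)?\s+add\s+\S*\\Policies\\(?:System|Explorer)\b"
        r".*\s/v\s+(?:DisableTaskMgr|NoLogoff|NoClose)\b", re.I)),
    ("run_key_persistence", re.compile(
        r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run(?:Once)?\b", re.I)),
]
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\"?([\w.$-]+)", re.I)
TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?([\w.-]+)", re.I)


def classify(cmdline):
    """Return the set of behaviour tags a single command line triggers."""
    tags = {tag for tag, rx in RULES if rx.search(cmdline)}
    m = SERVICE_STOP.search(cmdline)
    if m and m.group(1).lower() in BACKUP_OR_DB_SERVICES:
        tags.add("backup_or_db_service_stopped")
    m = TASKKILL.search(cmdline)
    if m and m.group(1).lower() in SECURITY_PROCESSES:
        tags.add("security_process_killed")
    return tags


def scan(events, threshold=3):
    """Aggregate tags per host and return hosts showing >= threshold distinct behaviours.

    A single vssadmin run is routine administration; the combination of backup
    destruction, defence tampering and persistence on one host is the signal.
    """
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev["cmdline"])
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"host": "WS-042", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-042", "cmdline": r"net stop vss /y"},
    {"host": "WS-042", "cmdline": r"taskkill /f /im MsMpEng.exe"},
    {"host": "WS-042", "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"host": "WS-042", "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\ProgramData\update.exe /f"},
    {"host": "WS-042", "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    # An administrator trimming old snapshots and restarting the spooler: one tag only.
    {"host": "ADMIN-01", "cmdline": r"vssadmin delete shadows /for=C: /oldest"},
    {"host": "ADMIN-01", "cmdline": r"net stop spooler"},
]

if __name__ == "__main__":
    for host, tags in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

Run as a script it reports only WS-042, with all six tags; ADMIN-01 triggers one tag and stays below the threshold. The patterns are deliberately narrow and case-insensitive; in production they would be fed from Sysmon event ID 1 or Windows security event 4688 command lines, and the watch lists would be replaced with the backup and EDR products actually deployed.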
One thing is for sure: the Cloak ransomware threat should not be taken lightly, even if you haven’t heard of it until now. As is the norm these days, a data leak site is used to publish or sell stolen data if ransom demands are not met. It is a testament to the group’s effectiveness that it can claim, and it is just a claim, of course, that ransom payment rates are in the 91% to 96% range. Whatever the truth of that, Windows users are advised to adopt all the usual precautions against ransomware: keep offline or immutable backups that a compromised host cannot delete, install updates only from vendor channels rather than from pop-ups or download links, and watch for the shadow copy deletion and service termination behaviour described above.
I have approached Microsoft for a statement regarding this risk to Windows users.