Introduction
Cloak is a cybercriminal ransomware group that first appeared publicly in mid-2023, operating with a double-extortion model. It deploys an ARCrypter variant derived from Babuk, delivered via loaders that terminate security and backup services, delete shadow copies, and install encrypted payloads using algorithms like HC-128 combined with Curve25519 key generation. Victims include entities such as the Virginia Attorney General’s Office, whose IT systems were disrupted and whose data (134 GB) was exfiltrated and listed on Cloak’s Tor leak site. Cloak has been linked to other ARCrypter variants like Good Day, sharing victim portals and infrastructure. Its operations reportedly use initial access brokers, phishing, malvertising, and exploit kits for network infiltration.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.