Cloak Ransomware Variant Exhibits Advanced Persistence, Evasion and VHD Extraction Capabilities

Summary :

The Cloak ransomware group has emerged as a significant threat, targeting small to medium-sized businesses primarily in Europe. Utilizing sophisticated techniques for infiltration and encryption, they have a high ransom payment rate, indicating their effectiveness in extortion. #CloakRansomware #CybersecurityThreat #RansomwareAttacks

Keypoints :

  • Cloak ransomware group became prominent in late 2022 with over two dozen attacks.
  • Targets small to medium-sized businesses in Europe, especially Germany.
  • Utilizes Initial Access Brokers and social engineering methods for network infiltration.
  • Employs a variant of ARCrypter for ransomware payload delivery.
  • High ransom payment rate of 91-96% among victims.
  • Links observed between Cloak and Good Day ransomware operations.
  • Utilizes advanced techniques for file encryption and evasion of detection.
  • Deletes volume shadow copies to hinder recovery efforts.
  • Modifies registry entries to ensure persistence and restrict user actions.
  • Halcyon.ai offers solutions to mitigate ransomware impacts.

MITRE Techniques :

  • Initial Access (T1071) – Uses phishing and social engineering for network infiltration.
  • Execution (T1203) – Executes malicious payloads through compromised software updates.
  • Persistence (T1547) – Modifies registry to ensure execution on startup.
  • Privilege Escalation (T1068) – Escalates privileges to execute ransomware payload.
  • Exfiltration (T1041) – Publishes stolen data on Data Leak Site (DLS).

Indicator of Compromise :

  • [file name] readme_for_unlock.txt
  • [file name] wallpaper.bmp
  • [file hash] C:ProgramDataHost Process for Windows Services
  • [file hash] C:ProgramDatae83sGHost Process for Windows Services
  • Check the article for all found IoCs.

The Cloak ransomware group, which surfaced in late 2022, has rapidly become a significant threat actor in the cybersecurity landscape with more than two-dozen attacks against victims like Autohaus Ruland Viersen and Dunlop Aircraft Tyres. Despite its recent prominence, the origins and organizational structure of the group remain obscure. 

Cloak primarily targets small to medium-sized businesses in Europe, with Germany as a key focus. The group has extended its operations to countries in Asia and targets various sectors, including healthcare, real estate, construction, IT, food, and manufacturing.

Cloak’s attack strategy involves acquiring network access through Initial Access Brokers (IABs) or social engineering methods such as phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate updates like Microsoft Windows installers. Once inside a network, the group deploys a ransomware payload—a variant of ARCrypter that appears to be derived from the leaked Babuk ransomware source code. 

The group delivers ransom notes as desktop wallpapers and text files named “readme_for_unlock.txt” while deleting volume shadow copies to hinder recovery efforts. Victims who refuse to pay face further consequences, as Cloak publishes their stolen data on its Data Leak Site (DLS) for free download. The group boasts an exceptionally high payment rate of 91-96%, highlighting its effectiveness in coercing victims.

Connections between Cloak and the Good Day ransomware operation have also been observed. Good Day, a variant of the ARCrypter family first seen in May 2023, shares a data leak platform with Cloak, suggesting collaboration or overlap in their extortion activities. Cloak’s association with Good Day and its sophisticated techniques emphasize its growing influence and adaptability in the ransomware ecosystem.

The group is suspected of purchasing information from initial access brokers (IABs) to infiltrate their victims’ networks, but also use social engineering tactics such as phishing, malvertising, exploit kits, and drive-by downloads disguised as Microsoft Windows Update installers.

Executive Summary

The Cloak variant analyzed displays sophisticated extraction and privilege escalation mechanisms and terminates processes related to security and data backup tools:

  • Delivery and Execution: Delivered via a loader embedding the ransomware payload, the malware employs sophisticated extraction and privilege escalation mechanisms. It terminates processes and services related to security, backups, and databases while modifying system settings to hinder recovery and user actions.
  • Payload Behavior: The ransomware encrypts files on local drives and network shares using the HC-128 algorithm. The encryption keys are securely generated with Curve25519 and SHA512. It employs advanced evasion techniques, including executing from virtual hard disks to avoid detection. 
  • Persistence and System Impact: The ransomware ensures persistence by modifying registry entries for startup execution and restricting user actions such as logging off or accessing the Task Manager. It disrupts system utilities, network services, and essential applications to escalate operational downtime.
  • Extortion and Encryption Techniques: Ransom notes are deployed as desktop wallpapers and text files. The ransomware uses intermittent encryption for large files, targeting specific chunks to maximize damage while optimizing performance. Shadow copies and backups are deleted to increase leverage over victims.

Ransomware Payload Behavior Analysis

The loader contains three (3) resources, each compressed with the LZMS compression algorithm from the Compression API loaded from Cabinet.dll and encrypted with a variant of Extended Tiny Encryption Algorithm (XTEA).

After extracting the first resource and saving it, the payload creates a disk partition script file which initially contains the following commands:

select vdisk file=”C:ProgramDataQ9acabd3.vhd”
attach vdisk
exit

This script is then loaded and executed with the diskpart command line utility using the following command, which is done several times in its attempt to mount the virtual hard disk:

diskpart /s C:ProgramDatakD2aE.tmp

The following script is then executed, where the result is parsed by the loader to retrieve the volume ID for the volume named BLA:

list volumes
exit

If the loader is executed with elevated privileges, the diskpart command-line utility will successfully list all volumes, including the attached virtual disk. Otherwise, the loader will use the %APPDATA% directory as the location for its payload.

After retrieving the volume ID, it is selected using the following diskpart script:

select volume <virtual disk volume ID>
exit

Afterward, the loader creates a folder at %APPDATA%e83sG, where the virtual disk is assigned and mounted using the following diskpart script:

assign mount=”C:ProgramDatae83sG”
exit

At this stage, the loader extracts and saves the UPX-compressed ransomware payload into the mounted virtual disk as “%APPDATA%e83sGHost Process for Windows Services” if the virtual disk was successfully mounted; otherwise, it is saved to “%APPDATA%Host Process for Windows Services,” and then executed from that path.

Here’s what the mounted virtual disk looks like from Windows Explorer in the screenshot below:

Executing the ransomware payload from a mounted virtual disk facilitates evasion from antivirus and security software, as the virtual disk can be quickly detached after the malicious tasks are completed.

It subsequently extracts the final resource into “%APPDATA%sichost.exe”, which in turn places a copy of the loader into “%APPDATA%A3R6C9.exe” and removes the loader from its original execution path.

Execution

Upon execution of the ransomware payload, if first enables the SeDebugPrivilege for its process, essentially escalating its privilege. It then respawns itself. If it finds out that its process is running under a debugger it immediately terminates the debugger and a few application processes, and stops some services listed in the Process and Service Termination section.

Once it verifies that it is not running a debugger, it modifies the Windows registry keys under the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives to potentially restrict user actions such as: 

  • logging off
  • shutting down
  • switching users
  • accessing the Task Manager 

It then sends a WM_SETTINGCHANGE message to update the system with these changes. The ransomware then checks for the following command-line arguments:

Command Line Parameter Description
--target <target file or directory paths delimited with space>
List of target file or directory paths to encrypt
--debug=<log file path>
Log errors to specified log file path

If the number of command line arguments is greater than one (1) and no target path is specified, the ransomware clears all configurations and exits.

Process and Service Termination

After respawning to free itself from being debugged, it terminates the process associated with debuggers, reverse engineering, and performance profiling applications as listed below:

Debuggers and Reverse Engineering Processes Code and Performance Profiling Processes
SND
S-Ice
ImmunityDebugger
OLLYDBG
devenv
idaq
devenv
windbg
gdb
lldb
SoftICE
Immunity
Hopper
radare2
ida64
ghidra
ntsd
x64dbg
x32dbg
windbg
cdb
syserx32
pdb2sdsx32
unpackx32
w32dsm89
w32dsm88
w32dsm87
uVision
CodeTalker
valgrind
cppcheck
clang-cl
PVS-Studio
Parasoft
Understand
Deleaker
CodeBot
appverif
amplxe-gui
nsight

This ransomware stops services associated with AV and security, backup and restore and database services:

AV and Security Services Backup and Restore Services Database Services
sophos
kavfsslp
KAVFSGT
KAVFS
mfefire
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
RTVscan
zhudongfangyu
Sophos Agent
Sophos Clean Service
Sophos Health Service
Sophos MCS Agent
Sophos MCS Client
Sophos Message Router
Antivirus
EraserSvc11710
EsgShKernel
FA_Scheduler
macmnsvc
masvc
MBAMService
MBEndpointAgent
McAfeeEngineService
McAfeeFramework
McShield
McTaskManager
mfemms
mfevtp
ntrtscan
SAVAdminService
SAVService
SepMasterService
ShMonitor
Smcinst
SmcService
SntpService
sophossps
svcGenericHost
swi_filter
swi_service
swi_update_64
TmCCSF
tmlisten
WRSVC
swi_update
EhttpSrv
ekrn
ESHASRV
AVP
klnagent
veeam
backup
YooBackup
YooIT
VeeamTransportSvc
VeeamDeploymentService
VeeamNFSSvc
BackupExecVSSProvider
BackupExecAgentAccelerator
BackupExecAgentBrowser
BackupExecDiveciMediaService
BackupExecJobEngine
BackupExecManagementService
BackupExecRPCService
vss
QBFCService
QBIDPService
Intuit.QuickBooks.FCS
QBCFMonitorService
stc_raw_agent
VSNAPVSS
PDVFSService
AcrSch2Svc
AcronisAgent
CASAD2DWebSvc
CAARCUpdateSvc
Acronis VSS Provider
ARSM
bedbg
DCAgent
EPSecurityService
EPUpdateService
MMS
mozyprobackup
SDRSVC
VeeamBackupSvc
VeeamBrokerSvc
VeeamCatalogSvc
VeeamCloudSvc
VeeamDeploySvc
VeeamMountSvc
VeeamRESTSvc
wbengine
VeeamHvIntegrationSvc
Zoolz 2 Service
sql
MsDtsServer
MsDtsServer100
MsDtsServer110
MSOLAP$SQL_2008
MSOLAP$SYSTEM_BGC
MSOLAP$TPS
MSOLAP$TPSAMA
MSSQL$BKUPEXEC
MSSQL$ECWDB2
MSSQL$PRACTICEMGT
MSSQL$PRACTTICEBGC
MSSQL$PROFXENGAGEMENT
MSSQL$SBSMONITORING
MSSQL$SHAREPOINT
MSSQL$SQL_2008
MSSQL$SYSTEM_BGC
MSSQL$TPS
MSSQL$TPSAMA
MSSQL$VEEAMSQL2008R2
MSSQL$VEEAMSQL2012
MSSQLFDLauncher
MSSQLFDLauncher$TPS
MSSQLSERVER
MySQL80
MySQL57
OracleClientCache80
ReportServer
ReportServer$SQL_2008
ReportServer$TPS
ReportServer$TPSAMA
SNAC
SQLAgent$BKUPEXEC
SQLAgent$ECWDB2
SQLAgent$PRACTTICEBGC
SQLAgent$PRACTTICEMGT
SQLAgent$SHAREPOINT
SQLAgent$SQL_2008
SQLAgent$SYSTEM_BGC
SQLAgent$TPS
SQLAgent$TPSAMA
SQLAgent$VEEAMSQL2012
SQLBrowser
SQLSafeOLRService
SQLSERVERAGENT
SQLTELEMETRY
SQLTELEMETRY$ECWDB2
SQLWriter
SQLAgent$CXDB
SQL Backups
MSSQL$PROD
MSSQLServerADHelper
SQLAgent$PROD
msftesql$PROD
MSSQL$SOPHOS
SQLAgent$SOPHOS
MSSQL$SQLEXPRESS
SQLAgent$SQLEXPRESS
System and Utility Services Network and Mail Services Password Management Services
svc$
memtas
GxVss
GxBlr
GxFWD
GxCVD
GxCIMgr
sacsvr
SamSs
UI0Detect
NetMsmqActivator
mepocs
IISAdmin
IMAP4Svc
MSExchangeES
MSExchangeIS
MSExchangeMGMT
MSExchangeMTA
MSExchangeSA
MSExchangeSRS
POP3Svc
RESvc
SMTPSvc
SstpSvc
W3Svc
TrueKey
TrueKeyScheduler
TrueKeyServiceHelper

After closing the above services, it also attempts to terminate processes associated with database, productivity, email, web and security applications as listed below:

Database Applications Microsoft Office Applications Web Browser Applications/Components
sql
isqlplussvc
sqbcoreservice
msaccess
msftesql
mysqld
mysqld-nt
mysqld-opt
sqlagent
sqlbrowser
sqlservr
steam
oracle
ocautoupds
mydesktopqos
dbsnmp
xfssvccon
mydesktopservice
ocssd
ocomm
dbeng50
sqlwriter
visio
winword
wordpad
outlook
powerpnt
excel
onenote
notepad
mspub
infopath
Notepad
firefox
firefoxconfig
Email Clients Antivirus and Security Software System Utilities
thebat
thebat64
thunderbird
tbirdconfig
agntsvc
tmlisten
PccNTMon
CNTAoSMgr
Ntrtscan
mbamtray
synctime
encsvc
Backup and Restore Software
zoolz

File Selection/Enumeration

If the `–target` command-line argument is used to run the ransomware payload, it will only search for files to encrypt within the specified files and directories. Without this argument, it will search for files across all volumes, directories, and network shares. The ransomware achieves this by initializing worker threads that will:

1. Queue Files for Encryption

Files are selected by enumerating all files from a given directory or network resource, skipping files that match any of the folder names, file names or file extensions listed below:

Folder Names File Names File Extensions
Boot
BOOTNXT
System Volume Information
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
readme_for_unlock.txt
autorun.inf
bootfont.bin
bootsect.bak
bootmgr
ntuser.dat.log
thumbs.db
iconcache.db
ntldr
ntuser.dat
d3d9caps.dat
#recycle
..
.
crYpt
crYptA1
crYptA2
crYptA3
sys
tmp
efi
exe
bat
dll
ini
drv
msc

2. Encrypt the Queued Files

There are two (2) modes of encryption implemented by this ransomware, full and intermittent encryption, which depend on the size of the file being encrypted. Detailed information for the encryption methods is tabulated below:

File size condition Encryption Mode Encryption Mode Parameters
> 0x00 bytes and <= 0x500000 (5MiB) Full Whole file encryption
> 0x500000 (5MiB) and < 0x1400000 (20MiB) Intermittent Step = 0x1000000 (16MiB)
Skip = 1/3 of the file
Chunks = 3

Step encrypt every chunk size of 0x1000000 starting from offset 0x00, then sip every 1/3 of the file. Encrypting a total of 3 chunks.

> 0x1400000 (20MiB) Intermittent Step = 0x1000000 (16MiB)
Skip = 0xA00000 (10MiB)
Chunks = File size/0xA00000

Step encrypt every chunk size of 0x1000000 from offset 0x00, then skip 0xA00000. Encrypting a total of (file size/0xA00000) chunks.

Encryption and Decryption

When a file is queued for encryption, its file attributes is set to FILE_ATTRIBUTE_NORMAL first using SetFileAttributesW. Once ensured that the file attribute is not set to FILE_ATTRIBUTE_READONLY and FILE_ATTRIBUTE_SYSTEM, it is renamed by appending .crYpt as its file extension.

Based on our analysis, this ransomware is derived from the leaked Babuk source code, evidently seen in the decompiled code below:

This ransomware uses CryptGenRandom, a cryptographically secure pseudo random number generator, to generate a random 32-byte (0x20) Curve25519 private key. It uses Curve25519_donna to derive a 32-byte public key from the generated private key, and uses Curve25519_donna again to derive a 32-byte shared key from the generated private key and a hard-coded 32-byte public key, which in this case is:

00000000: 7a 15 f0 aa 58 7d 9d 6a b5 54 bb ae 0f 8c 41 8a  z...X}.j.T....A.
00000010: 73 5c ac ea e9 e6 80 8b 82 f0 87 f4 78 82 74 0f  s..........x.t.

A 64-byte (512 bits) hash is then generated by getting the SHA512 hash of the Curve25519 shared key, where the first 32-bytes used as the HC-128 key and the remaining 32-bytes as the HC-128 initial vector (IV).

Depending on the encryption mode described in the File Selection/Enumeration section, data chunks from the file are encrypted using HC-128. The structure below describes a 0x48 byte footer structure appended at the end of the encrypted file:

A computer screen with textDescription automatically generated

This ransomware variant may have adapted its cryptographic algorithms from the following sources:

Extortion Notifications

During the C Run-Time initialization of the ransomware payload, the ransom note is decrypted with a modified variant of Extended Tiny Encryption Algorithm (XTEA) using a 16-byte key derived with four (4) hard-coded bytes as shown in the code snippet below:

A computer screen shot of a program codeDescription automatically generated

Just before the encryption threads are initialized, a bitmap image is generated from the decrypted ransom note, saved to C:ProgramDatawallpaper.bmp, and set as the desktop wallpaper using the SystemParametersInfoW function as shown in the code snippet and wallpaper preview below:

A screen shot of a computer programDescription automatically generated

Alternatively, for every directory traversed by the file enumeration thread, a ransom note in text format is saved as readme_for_unlock.txt.

Backup Disruptions

Before initializing the encryption threads, the ransomware empties the recycle bin by calling the SHEmptyRecycleBinA function. It then deletes volume shadow copies by running the following command line:

cmd.exe /c vssadmin.exe delete shadows /all /quiet

Persistence

This ransomware adds the following registry to make sure it executes every time the system starts:

Registry Component Value
Hive
HKEY_LOCAL_MACHINE
Key
SOFTWAREMicrosoftWindowsCurrentVersionRun
Entry Windows Update
Path C:ProgramDataHost Process for Windows Services or C:ProgramDatae83sGHost Process for Windows Services

System Modifications

To restrict the user from logging out, shutting down, switching to another user or accessing the Task Manager; the ransomware sets the following registry keys:

Registry Component Value
Hive
HKEY_LOCAL_MACHINE 
HKEY_CURRENT_USER
Key
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONPOLICIESEXPLORER
Entries
NoLogoff
NoClose
StartMenuLogOff
DisableChangePassword
DisableSwitchUser
DisableTaskMgr
HideFastUserSwitching

Conclusion

The Cloak ransomware variant analyzed demonstrates a high level of sophistication in its operational tactics, combining advanced privilege escalation, process termination, and encryption techniques. Its delivery mechanism embeds the payload seamlessly, while its use of the HC-128 algorithm and robust key generation ensures secure and effective file encryption. 

By targeting security tools, backups, and databases, Cloak maximizes disruption and complicates recovery efforts. Its persistence mechanisms, including registry modifications and user restrictions, further ensure prolonged impact and operational downtime. With its strategic use of intermittent encryption and aggressive deletion of recovery tools, Cloak exemplifies a modern ransomware threat designed to exert maximum pressure on victims while evading detection and countermeasures.

‍Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.


Full Research: https://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities