Summary :
The Cloak ransomware group has emerged as a significant threat, targeting small to medium-sized businesses primarily in Europe. Utilizing sophisticated techniques for infiltration and encryption, they have a high ransom payment rate, indicating their effectiveness in extortion. #CloakRansomware #CybersecurityThreat #RansomwareAttacks
Keypoints :
- Cloak ransomware group became prominent in late 2022 with over two dozen attacks.
- Targets small to medium-sized businesses in Europe, especially Germany.
- Utilizes Initial Access Brokers and social engineering methods for network infiltration.
- Employs a variant of ARCrypter for ransomware payload delivery.
- High ransom payment rate of 91-96% among victims.
- Links observed between Cloak and Good Day ransomware operations.
- Utilizes advanced techniques for file encryption and evasion of detection.
- Deletes volume shadow copies to hinder recovery efforts.
- Modifies registry entries to ensure persistence and restrict user actions.
- Halcyon.ai offers solutions to mitigate ransomware impacts.
MITRE Techniques :
- Initial Access (T1071) – Uses phishing and social engineering for network infiltration.
- Execution (T1203) – Executes malicious payloads through compromised software updates.
- Persistence (T1547) – Modifies registry to ensure execution on startup.
- Privilege Escalation (T1068) – Escalates privileges to execute ransomware payload.
- Exfiltration (T1041) – Publishes stolen data on Data Leak Site (DLS).
Indicator of Compromise :
- [file name] readme_for_unlock.txt
- [file name] wallpaper.bmp
- [file hash] C:ProgramDataHost Process for Windows Services
- [file hash] C:ProgramDatae83sGHost Process for Windows Services
- Check the article for all found IoCs.
The Cloak ransomware group, which surfaced in late 2022, has rapidly become a significant threat actor in the cybersecurity landscape with more than two-dozen attacks against victims like Autohaus Ruland Viersen and Dunlop Aircraft Tyres. Despite its recent prominence, the origins and organizational structure of the group remain obscure.
Cloak primarily targets small to medium-sized businesses in Europe, with Germany as a key focus. The group has extended its operations to countries in Asia and targets various sectors, including healthcare, real estate, construction, IT, food, and manufacturing.
Cloak’s attack strategy involves acquiring network access through Initial Access Brokers (IABs) or social engineering methods such as phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate updates like Microsoft Windows installers. Once inside a network, the group deploys a ransomware payload—a variant of ARCrypter that appears to be derived from the leaked Babuk ransomware source code.
The group delivers ransom notes as desktop wallpapers and text files named “readme_for_unlock.txt” while deleting volume shadow copies to hinder recovery efforts. Victims who refuse to pay face further consequences, as Cloak publishes their stolen data on its Data Leak Site (DLS) for free download. The group boasts an exceptionally high payment rate of 91-96%, highlighting its effectiveness in coercing victims.
Connections between Cloak and the Good Day ransomware operation have also been observed. Good Day, a variant of the ARCrypter family first seen in May 2023, shares a data leak platform with Cloak, suggesting collaboration or overlap in their extortion activities. Cloak’s association with Good Day and its sophisticated techniques emphasize its growing influence and adaptability in the ransomware ecosystem.
The group is suspected of purchasing information from initial access brokers (IABs) to infiltrate their victims’ networks, but also use social engineering tactics such as phishing, malvertising, exploit kits, and drive-by downloads disguised as Microsoft Windows Update installers.
Executive Summary
The Cloak variant analyzed displays sophisticated extraction and privilege escalation mechanisms and terminates processes related to security and data backup tools:
- Delivery and Execution: Delivered via a loader embedding the ransomware payload, the malware employs sophisticated extraction and privilege escalation mechanisms. It terminates processes and services related to security, backups, and databases while modifying system settings to hinder recovery and user actions.
- Payload Behavior: The ransomware encrypts files on local drives and network shares using the HC-128 algorithm. The encryption keys are securely generated with Curve25519 and SHA512. It employs advanced evasion techniques, including executing from virtual hard disks to avoid detection.
- Persistence and System Impact: The ransomware ensures persistence by modifying registry entries for startup execution and restricting user actions such as logging off or accessing the Task Manager. It disrupts system utilities, network services, and essential applications to escalate operational downtime.
- Extortion and Encryption Techniques: Ransom notes are deployed as desktop wallpapers and text files. The ransomware uses intermittent encryption for large files, targeting specific chunks to maximize damage while optimizing performance. Shadow copies and backups are deleted to increase leverage over victims.
Ransomware Payload Behavior Analysis
The loader contains three (3) resources, each compressed with the LZMS compression algorithm from the Compression API loaded from Cabinet.dll and encrypted with a variant of Extended Tiny Encryption Algorithm (XTEA).
After extracting the first resource and saving it, the payload creates a disk partition script file which initially contains the following commands:
select vdisk file=”C:ProgramDataQ9acabd3.vhd”
attach vdisk
exit
This script is then loaded and executed with the diskpart command line utility using the following command, which is done several times in its attempt to mount the virtual hard disk:
diskpart /s C:ProgramDatakD2aE.tmp
The following script is then executed, where the result is parsed by the loader to retrieve the volume ID for the volume named BLA:
list volumes
exit
If the loader is executed with elevated privileges, the diskpart command-line utility will successfully list all volumes, including the attached virtual disk. Otherwise, the loader will use the %APPDATA% directory as the location for its payload.
After retrieving the volume ID, it is selected using the following diskpart script:
select volume <virtual disk volume ID>
exit
Afterward, the loader creates a folder at %APPDATA%e83sG, where the virtual disk is assigned and mounted using the following diskpart script:
assign mount=”C:ProgramDatae83sG”
exit
At this stage, the loader extracts and saves the UPX-compressed ransomware payload into the mounted virtual disk as “%APPDATA%e83sGHost Process for Windows Services” if the virtual disk was successfully mounted; otherwise, it is saved to “%APPDATA%Host Process for Windows Services,” and then executed from that path.
Here’s what the mounted virtual disk looks like from Windows Explorer in the screenshot below:
Executing the ransomware payload from a mounted virtual disk facilitates evasion from antivirus and security software, as the virtual disk can be quickly detached after the malicious tasks are completed.
It subsequently extracts the final resource into “%APPDATA%sichost.exe”, which in turn places a copy of the loader into “%APPDATA%A3R6C9.exe” and removes the loader from its original execution path.
Execution
Upon execution of the ransomware payload, if first enables the SeDebugPrivilege for its process, essentially escalating its privilege. It then respawns itself. If it finds out that its process is running under a debugger it immediately terminates the debugger and a few application processes, and stops some services listed in the Process and Service Termination section.
Once it verifies that it is not running a debugger, it modifies the Windows registry keys under the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives to potentially restrict user actions such as:
- logging off
- shutting down
- switching users
- accessing the Task Manager
It then sends a WM_SETTINGCHANGE message to update the system with these changes. The ransomware then checks for the following command-line arguments:
If the number of command line arguments is greater than one (1) and no target path is specified, the ransomware clears all configurations and exits.
Process and Service Termination
After respawning to free itself from being debugged, it terminates the process associated with debuggers, reverse engineering, and performance profiling applications as listed below:
This ransomware stops services associated with AV and security, backup and restore and database services:
After closing the above services, it also attempts to terminate processes associated with database, productivity, email, web and security applications as listed below:
File Selection/Enumeration
If the `–target` command-line argument is used to run the ransomware payload, it will only search for files to encrypt within the specified files and directories. Without this argument, it will search for files across all volumes, directories, and network shares. The ransomware achieves this by initializing worker threads that will:
1. Queue Files for Encryption
Files are selected by enumerating all files from a given directory or network resource, skipping files that match any of the folder names, file names or file extensions listed below:
2. Encrypt the Queued Files
There are two (2) modes of encryption implemented by this ransomware, full and intermittent encryption, which depend on the size of the file being encrypted. Detailed information for the encryption methods is tabulated below:
Encryption and Decryption
When a file is queued for encryption, its file attributes is set to FILE_ATTRIBUTE_NORMAL first using SetFileAttributesW. Once ensured that the file attribute is not set to FILE_ATTRIBUTE_READONLY and FILE_ATTRIBUTE_SYSTEM, it is renamed by appending .crYpt as its file extension.
Based on our analysis, this ransomware is derived from the leaked Babuk source code, evidently seen in the decompiled code below:
This ransomware uses CryptGenRandom, a cryptographically secure pseudo random number generator, to generate a random 32-byte (0x20) Curve25519 private key. It uses Curve25519_donna to derive a 32-byte public key from the generated private key, and uses Curve25519_donna again to derive a 32-byte shared key from the generated private key and a hard-coded 32-byte public key, which in this case is:
00000000: 7a 15 f0 aa 58 7d 9d 6a b5 54 bb ae 0f 8c 41 8a z...X}.j.T....A.
00000010: 73 5c ac ea e9 e6 80 8b 82 f0 87 f4 78 82 74 0f s..........x.t.
A 64-byte (512 bits) hash is then generated by getting the SHA512 hash of the Curve25519 shared key, where the first 32-bytes used as the HC-128 key and the remaining 32-bytes as the HC-128 initial vector (IV).
Depending on the encryption mode described in the File Selection/Enumeration section, data chunks from the file are encrypted using HC-128. The structure below describes a 0x48 byte footer structure appended at the end of the encrypted file:
This ransomware variant may have adapted its cryptographic algorithms from the following sources:
Extortion Notifications
During the C Run-Time initialization of the ransomware payload, the ransom note is decrypted with a modified variant of Extended Tiny Encryption Algorithm (XTEA) using a 16-byte key derived with four (4) hard-coded bytes as shown in the code snippet below:
Just before the encryption threads are initialized, a bitmap image is generated from the decrypted ransom note, saved to C:ProgramDatawallpaper.bmp, and set as the desktop wallpaper using the SystemParametersInfoW function as shown in the code snippet and wallpaper preview below:
Alternatively, for every directory traversed by the file enumeration thread, a ransom note in text format is saved as readme_for_unlock.txt.
Backup Disruptions
Before initializing the encryption threads, the ransomware empties the recycle bin by calling the SHEmptyRecycleBinA function. It then deletes volume shadow copies by running the following command line:
cmd.exe /c vssadmin.exe delete shadows /all /quiet
Persistence
This ransomware adds the following registry to make sure it executes every time the system starts:
System Modifications
To restrict the user from logging out, shutting down, switching to another user or accessing the Task Manager; the ransomware sets the following registry keys:
Conclusion
The Cloak ransomware variant analyzed demonstrates a high level of sophistication in its operational tactics, combining advanced privilege escalation, process termination, and encryption techniques. Its delivery mechanism embeds the payload seamlessly, while its use of the HC-128 algorithm and robust key generation ensures secure and effective file encryption.
By targeting security tools, backups, and databases, Cloak maximizes disruption and complicates recovery efforts. Its persistence mechanisms, including registry modifications and user restrictions, further ensure prolonged impact and operational downtime. With its strategic use of intermittent encryption and aggressive deletion of recovery tools, Cloak exemplifies a modern ransomware threat designed to exert maximum pressure on victims while evading detection and countermeasures.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
Full Research: https://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities