Cloak ransomware, a rapidly emerging threat, has gained significant attention in the cybersecurity world since its debut in 2022. Recently, researchers at Halcyon uncovered a new variant of this ransomware that showcases alarming sophistication. The most concerning aspect of this version is its ability to spread via drive-by downloads disguised as legitimate system updates, such as Microsoft Windows installers. This makes it much harder for users to detect, as the ransomware appears to be a regular update, thus bypassing typical defenses and increasing the likelihood of successful infection.
The Cloak ransomware is believed to be connected to the Good Day ransomware group and is derived from a previously leaked version of the Babuk ransomware. While the exact origins may be of academic interest, what truly matters is how the malware operates once it’s on a victim’s system. Delivered through a loader that executes the ransomware, the malware uses a series of advanced techniques to compromise a victim’s computer. Upon installation, Cloak disables security software, backup services, and other critical system processes, making it difficult for victims to recover or protect their data.
The ransomware uses a highly effective encryption scheme, leveraging Curve25519 key exchange and the SHA-512 hash to derive encryption keys, and the HC-128 stream cipher to lock files on both local drives and network shares. These methods ensure that the files are securely encrypted and that the victim cannot access them without the decryption key. Cloak also employs advanced evasion tactics, including executing from virtual hard disks to avoid detection by traditional security software, which often focuses on scanning local storage devices. This makes Cloak particularly difficult to detect and remove once it has infiltrated a system.
Once inside a victim’s system, Cloak ensures that its payload remains active for as long as possible. The malware modifies Windows registry entries to execute the ransomware upon system startup, making it persistent even after reboots. Additionally, it restricts user actions, including blocking access to the Windows Task Manager and preventing the user from logging off, ensuring that the ransomware remains undisturbed. By disrupting essential system utilities, network services, and applications, Cloak escalates operational downtime, further pressuring victims to comply with ransom demands to restore normal operations.
Ransom demands are typically communicated through ransom notes, which appear as Windows desktop wallpapers or text files. These notes inform the victim about the encryption and provide instructions on how to pay the ransom. Cloak also uses a unique technique called intermittent encryption, targeting specific chunks of large files rather than encrypting entire files at once. Encrypting only part of each file is far faster than full-file encryption yet still leaves the file unusable, so the attack maximizes damage while remaining efficient even against large volumes of data. To make recovery even more difficult, Cloak deletes shadow copies and backup files, eliminating any potential means of restoring files without paying the ransom.
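One way a responder can triage for the intermittent-encryption pattern described above, as an added example that is not from Halcyon or this article: a chunk-wise entropy scan flags files whose chunks alternate between plaintext-like and ciphertext-like entropy, a profile that neither an untouched file nor a fully encrypted one produces. The chunk size and thresholds are assumptions, and the three sample files are constructed inline.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096    # assumption: scan granularity, not Cloak's real chunk size
HIGH_ENTROPY = 7.5   # bits/byte typical of ciphertext or compressed data
LOW_ENTROPY = 6.0    # bits/byte typical of text, documents and source code

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each fixed-size chunk of a file image."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]

def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Return 'plain', 'encrypted' or 'intermittent' from the per-chunk profile.

    A file holding both ciphertext-like and plaintext-like chunks is flagged
    'intermittent'; an untouched file or a full-file encryptor never yields that.
    """
    ents = chunk_entropies(data, chunk_size)
    high = sum(e >= HIGH_ENTROPY for e in ents)
    low = sum(e <= LOW_ENTROPY for e in ents)
    if high and low:
        return "intermittent"
    return "encrypted" if high else "plain"

def build_samples(seed: int = 0) -> tuple[bytes, bytes, bytes]:
    """Constructed sample files: plain text, fully random, and a mixed file."""
    rng = random.Random(seed)
    plain = (b"Quarterly report: revenue, costs, headcount, notes. " * 700)[:8 * CHUNK_SIZE]
    fully = rng.randbytes(8 * CHUNK_SIZE)
    mixed = bytearray(plain)
    for i in range(0, len(mixed), 2 * CHUNK_SIZE):   # every other chunk made random
        mixed[i:i + CHUNK_SIZE] = rng.randbytes(CHUNK_SIZE)
    return plain, fully, bytes(mixed)

if __name__ == "__main__":
    for name, blob in zip(("plain", "fully", "mixed"), build_samples()):
        print(f"{name:6} -> {classify(blob)}", [round(e, 2) for e in chunk_entropies(blob)])
```

Run it over real suspect files by reading them in binary mode and passing the bytes to `classify`; tune the thresholds against known-good documents first, since compressed formats such as ZIP or JPEG are legitimately high-entropy throughout.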
The extortion tactics employed by Cloak are similar to those of other ransomware groups, with attackers leveraging stolen data and encrypted files to force victims to pay up. The threat group also operates data leak sites, where they publish or sell stolen data if ransom demands are not met. Cloak’s operators reportedly have a high ransom payment rate, with claims suggesting that between 91% and 96% of victims comply with the demands. This high success rate reflects the group’s ability to create fear and operational disruption, pushing victims toward paying the ransom to restore their systems and retrieve their data.
Given the sophistication of this new variant, Cloak ransomware represents a serious threat to Windows users. While it may be a relatively new player in the world of ransomware, its advanced techniques make it highly effective. Windows users should be especially cautious when downloading system updates, as Cloak often disguises itself as a legitimate update. Security software is essential in detecting and blocking such threats, but users must also remain vigilant, keeping their systems up to date and backing up important data regularly. Researchers continue to monitor Cloak’s evolution, but it’s clear that this ransomware is one of the most dangerous threats facing Windows users today.
Microsoft has been contacted for a statement regarding the risk to Windows users, but until more information becomes available, users should take all necessary precautions to protect their data and systems from this increasingly prevalent and sophisticated ransomware. It’s crucial to stay alert for any signs of suspicious activity and to act quickly if you suspect that your system may have been compromised.