Ransomware Attack Paralyzes Danish Housing Association VIBO for a Week

Incident Date: Aug 21, 2024

Attack Overview
Victim: Boligforeningen VIBO
Industry: Real Estate
Location: Denmark
Attacker: Cloak
First Reported: August 21, 2024

Ransomware Attack on Boligforeningen VIBO by Cloak

In July, Boligforeningen VIBO, a Danish housing association, fell victim to a ransomware attack orchestrated by the group Cloak. The attackers claimed to have stolen 140GB of data, which was subsequently leaked. The incident, initially reported on July 10, led to a week-long paralysis of VIBO's IT systems. However, by July 18, VIBO announced via their Facebook page that their operations had returned to normal. The attack has since been confirmed, and Boligforeningen VIBO has been listed on Cloak's data leak site, highlighting the severity of the breach.

About Boligforeningen VIBO

Boligforeningen VIBO is a prominent housing association in Denmark, primarily focused on providing affordable housing solutions. The organization manages approximately 6,000 social housing units, mainly located in Copenhagen and its surrounding areas. VIBO's mission centers on creating sustainable living environments that foster community and inclusivity among residents. The association operates under the principles of social housing, aiming to offer housing at lower rents compared to the private market. This is particularly important in urban areas where housing affordability is a significant concern.

Vulnerabilities and Targeting

VIBO's digital platform, "VIBO - Min Bolig," which allows residents to manage their housing-related documents, finances, and communications, could have been a potential entry point for the attackers. The reliance on digital systems for managing resident services and communications makes organizations like VIBO vulnerable to cyber threats. The small organizational structure, with around nine employees, may also contribute to limited cybersecurity resources, making it an attractive target for ransomware groups.

About Cloak Ransomware Group

Cloak ransomware is a relatively new group that emerged between late 2022 and early 2023. The origins and identities of the group behind Cloak ransomware are currently unknown. It appears to be a financially motivated criminal group rather than a state-sponsored actor. Cloak likely purchases initial access from Initial Access Brokers (IABs) on underground marketplaces and may leverage compromised employee credentials obtained through info-stealers like Lumma, Aurora, and Redline. The ransomware uses the infected machine's own resources to exfiltrate and encrypt data.

Attack Overview

The attack on Boligforeningen VIBO involved the exfiltration and encryption of 140GB of data. Cloak operates a data leak site where they sell and publish stolen data from victims, using double extortion tactics. Encrypted files are renamed with extensions like .crYptA, .crYptB, up to .crYptE. The attack led to a significant disruption of VIBO's IT systems, but the organization managed to restore operations within a week.
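
The renamed-extension indicator above can be turned into a host-level check for bursts of renames. The Python below is an added example, not part of the original report or of any vendor tooling; the pipe-delimited rename-event format, host names, paths, threshold and time window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions named in this report (.crYptA through .crYptE), matched exactly as written.
CLOAK_EXT = re.compile(r"\.crYpt[A-E]$")

# Constructed sample events (hypothetical format): time | host | old path | new path
SAMPLE_EVENTS = """\
2024-07-10T02:14:01 | fs01 | /share/leases/a.docx | /share/leases/a.docx.crYptA
2024-07-10T02:14:02 | fs01 | /share/leases/b.xlsx | /share/leases/b.xlsx.crYptA
2024-07-10T02:14:03 | fs01 | /share/leases/c.pdf | /share/leases/c.pdf.crYptB
2024-07-10T02:14:09 | ws07 | /home/u/notes.txt | /home/u/notes.txt.bak
2024-07-10T09:30:00 | ws07 | /home/u/demo.txt | /home/u/demo.txt.crYptA
"""

def parse_events(text):
    """Yield (time, host, new_path) for renames whose new name ends in a listed extension."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole scan
        ts, host, _old, new = (p.strip() for p in parts)
        if CLOAK_EXT.search(new):
            yield datetime.fromisoformat(ts), host, new

def find_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Return {host: count} for hosts with at least `threshold` matching renames in one window."""
    by_host = defaultdict(list)
    for ts, host, _new in parse_events(text):
        by_host[host].append(ts)
    alerts = {}
    for host, times in by_host.items():
        times.sort()
        start = best = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it spans <= `window`
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = best
    return alerts

if __name__ == "__main__":
    print(find_bursts(SAMPLE_EVENTS))
```

A single matching rename (as on ws07 in the sample) stays below the threshold, so one test file does not raise an alert while a rapid run of renames on a file server does.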
