Cloak Ransomware Claims Attack on Virginia Attorney General’s Office


Cloak ransomware operators have claimed responsibility for a cyberattack on the Virginia Attorney General’s Office (AGO), SecurityWeek reports.
The incident became public in mid-February when the AGO informed employees that nearly all computer systems, internal services, applications, and the website were offline, with internet and VPN access also disrupted.
Employees were notified via email and reportedly instructed to return to paper court filings, though the AGO did not publicly disclose specifics about the intrusion.
On March 20, Cloak added the Virginia AGO to its Tor-based leak site, making allegedly stolen data available for download—indicating a failed extortion attempt.
This incident marks Cloak’s first confirmed attack of 2025. The group uses an ARCrypter variant based on leaked Babuk ransomware code and is believed to be linked to the Good Day ransomware group.
Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, Cloak is a ransomware-as-a-service (RaaS) group that first emerged in late 2022 and has quickly become a formidable threat in the cybersecurity landscape, executing dozens of attacks across a wide range of industries.
Its attack strategy begins with gaining access to target networks via Initial Access Brokers (IABs) or through sophisticated social engineering techniques such as phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate Microsoft Windows updates.
Once inside, Cloak deploys its ransomware payload—an ARCrypter variant believed to be derived from leaked Babuk source code—via loaders that embed and execute its components, making detection more difficult.
The malware terminates processes related to antivirus software, backups, databases, and other critical services to cripple recovery efforts. It delivers ransom notes as both desktop wallpapers and “readme_for_unlock.txt” files, while also deleting volume shadow copies and emptying the recycle bin via the SHEmptyRecycleBinA function.
Cloak uses both full and intermittent encryption based on file size, employing the HC-128 encryption algorithm. Keys are generated through a secure multi-step process involving CryptGenRandom, Curve25519_donna, and SHA512, producing a 32-byte encryption key and initialization vector.
To evade detection and ensure persistence, Cloak runs from virtual hard disks, modifies registry entries to enable startup, and restricts user actions such as logging off or accessing Task Manager.
It further enhances its stealth by enabling SeDebugPrivilege, respawning itself, and terminating debugging or profiling tools. Its sophisticated privilege escalation and evasion techniques, coupled with its ability to disrupt critical systems, cement its reputation as a highly advanced ransomware operation.
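Several of the behaviours described above (shadow copy deletion, Run-key persistence, registry policies that block Task Manager or log-off, and the readme_for_unlock.txt ransom note) are observable in ordinary endpoint telemetry. The script below is an added example, not code from Halcyon or the report, showing how a defender might triage Sysmon-style events for those signals. It assumes Sysmon event IDs and field names (1 = process create, 11 = file create, 13 = registry value set); the shadow-copy patterns cover the common vssadmin/wmic utilities because the post does not say which tool Cloak uses, and the sample events are constructed.

```python
"""
Added example (not from Halcyon or the original post): triage constructed Sysmon-style
events for the Cloak-style behaviours the post describes. Sysmon EventID 1 = process
create, 11 = file create, 13 = registry value set. The sample events are constructed.
"""
import re
from typing import Dict, List, Tuple

# Assumption: shadow copies are usually deleted via vssadmin or wmic. The post does not
# name the utility Cloak uses, so these patterns are generic, not Cloak-specific.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I
)
# Autostart locations used for "modifies registry entries to enable startup".
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Real Windows policy values that disable Task Manager and remove the log-off option.
LOCKDOWN_VALUES = {"DisableTaskMgr", "NoLogoff"}
# Ransom note file name given in the post.
RANSOM_NOTE = "readme_for_unlock.txt"


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for each event matching a described behaviour."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "1" and SHADOW_DELETE.search(ev.get("CommandLine", "")):
            hits.append(("shadow_copy_deletion", ev["CommandLine"]))
        elif eid == "13":
            target = ev.get("TargetObject", "")
            value_name = target.rsplit("\\", 1)[-1]
            if RUN_KEY.search(target):
                hits.append(("run_key_persistence", target))
            # Sysmon records DWORD data as "DWORD (0x00000001)"; a zero value re-enables
            # the feature, so only non-zero writes count as a lockdown.
            elif value_name in LOCKDOWN_VALUES and ev.get("Details", "") not in (
                "", "DWORD (0x00000000)"
            ):
                hits.append(("user_lockdown_policy", target))
        elif eid == "11" and ev.get("TargetFilename", "").lower().endswith(RANSOM_NOTE):
            hits.append(("ransom_note_written", ev["TargetFilename"]))
    return hits


def severity(hits: List[Tuple[str, str]]) -> str:
    """Three or more distinct behaviours on one host is treated as probable ransomware."""
    distinct = {rule for rule, _ in hits}
    if len(distinct) >= 3:
        return "probable_ransomware"
    return "suspicious" if distinct else "clean"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": "13",
     "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "Details": "C:\\Users\\Public\\update.exe"},
    {"EventID": "13",
     "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": "11", "TargetFilename": "C:\\Users\\alice\\Documents\\readme_for_unlock.txt"},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for rule, evidence in found:
        print(f"[{rule}] {evidence}")
    print("verdict:", severity(found))
```

The per-host threshold in severity() is deliberately conservative: any one of these signals has benign causes (administrators do delete shadow copies and set Run keys), but several of them appearing together within a short window is the pattern the post describes and is worth an immediate isolation decision rather than a ticket.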
Cloak is believed to be linked to the Good Day ransomware group, with both operations sharing a data leak platform—indicating possible collaboration or operational overlap in their extortion campaigns. By targeting security tools, backups, and operational systems, Cloak maximizes downtime and increases pressure on victims.
The group offers an appealing 85/15 profit-sharing model to affiliates on underground forums, requiring no upfront payment to join. Victims who refuse to pay face double extortion through the public release of stolen data on Cloak’s leak site.
The group primarily targets small and medium-sized businesses in Europe—particularly in Germany—but has expanded to countries in Asia. It attacks organizations across sectors including healthcare, IT, real estate, construction, food, and manufacturing.
Since its emergence, Cloak’s attack volume has steadily increased, driven by its adoption of the RaaS model and its focus on high-impact, high-disruption operations. Ransom demands have escalated from mid-five-figure sums to high-six and even seven-figure amounts as the group has taken on larger, more profitable targets.
With an exceptionally high reported payment rate of 91–96%, Cloak has proven itself to be one of the most effective ransomware operations currently active.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.