Cloak Ransomware Variant Exhibits Advanced Persistence, Evasion and VHD Extraction Capabilities

Written by

Halcyon Research Team

Published on

Dec 12, 2024

The Cloak ransomware group, which surfaced in late 2022, has rapidly become a significant threat actor in the cybersecurity landscape with more than two-dozen attacks against victims like Autohaus Ruland Viersen and Dunlop Aircraft Tyres. Despite its recent prominence, the origins and organizational structure of the group remain obscure.

Cloak primarily targets small to medium-sized businesses in Europe, with Germany as a key focus. The group has extended its operations to countries in Asia and targets various sectors, including healthcare, real estate, construction, IT, food, and manufacturing.

Cloak’s attack strategy involves acquiring network access through Initial Access Brokers (IABs) or social engineering methods such as phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate updates like Microsoft Windows installers. Once inside a network, the group deploys a ransomware payload—a variant of ARCrypter that appears to be derived from the leaked Babuk ransomware source code.

The group delivers ransom notes as desktop wallpapers and text files named "readme_for_unlock.txt" while deleting volume shadow copies to hinder recovery efforts. Victims who refuse to pay face further consequences, as Cloak publishes their stolen data on its Data Leak Site (DLS) for free download. The group boasts an exceptionally high payment rate of 91-96%, highlighting its effectiveness in coercing victims.

Connections between Cloak and the Good Day ransomware operation have also been observed. Good Day, a variant of the ARCrypter family first seen in May 2023, shares a data leak platform with Cloak, suggesting collaboration or overlap in their extortion activities. Cloak's association with Good Day and its sophisticated techniques emphasize its growing influence and adaptability in the ransomware ecosystem.

The group is suspected of purchasing information from initial access brokers (IABs) to infiltrate their victims’ networks, but also use social engineering tactics such as phishing, malvertising, exploit kits, and drive-by downloads disguised as Microsoft Windows Update installers.

Executive Summary

The Cloak variant analyzed displays sophisticated extraction and privilege escalation mechanisms and terminates processes related to security and data backup tools:

Delivery and Execution: Delivered via a loader embedding the ransomware payload, the malware employs sophisticated extraction and privilege escalation mechanisms. It terminates processes and services related to security, backups, and databases while modifying system settings to hinder recovery and user actions.
Payload Behavior: The ransomware encrypts files on local drives and network shares using the HC-128 algorithm. The encryption keys are securely generated with Curve25519 and SHA512. It employs advanced evasion techniques, including executing from virtual hard disks to avoid detection.
Persistence and System Impact: The ransomware ensures persistence by modifying registry entries for startup execution and restricting user actions such as logging off or accessing the Task Manager. It disrupts system utilities, network services, and essential applications to escalate operational downtime.
Extortion and Encryption Techniques: Ransom notes are deployed as desktop wallpapers and text files. The ransomware uses intermittent encryption for large files, targeting specific chunks to maximize damage while optimizing performance. Shadow copies and backups are deleted to increase leverage over victims.

Ransomware Payload Behavior Analysis

The loader contains three (3) resources, each compressed with the LZMS compression algorithm from the Compression API loaded from Cabinet.dll and encrypted with a variant of Extended Tiny Encryption Algorithm (XTEA).

After extracting the first resource and saving it, the payload creates a disk partition script file which initially contains the following commands:

select vdisk file=”C:\ProgramData\Q9acabd3.vhd”
attach vdisk
exit

This script is then loaded and executed with the diskpart command line utility using the following command, which is done several times in its attempt to mount the virtual hard disk:

diskpart /s C:\ProgramData\kD2aE.tmp

The following script is then executed, where the result is parsed by the loader to retrieve the volume ID for the volume named BLA:

list volumes
exit

If the loader is executed with elevated privileges, the diskpart command-line utility will successfully list all volumes, including the attached virtual disk. Otherwise, the loader will use the %APPDATA% directory as the location for its payload.

After retrieving the volume ID, it is selected using the following diskpart script:

select volume <virtual disk volume ID>
exit

Afterward, the loader creates a folder at %APPDATA%\e83sG, where the virtual disk is assigned and mounted using the following diskpart script:

assign mount=”C:\ProgramData\e83sG”
exit

At this stage, the loader extracts and saves the UPX-compressed ransomware payload into the mounted virtual disk as “%APPDATA%\e83sG\Host Process for Windows Services” if the virtual disk was successfully mounted; otherwise, it is saved to “%APPDATA%\Host Process for Windows Services,” and then executed from that path.

Here's what the mounted virtual disk looks like from Windows Explorer in the screenshot below:

Executing the ransomware payload from a mounted virtual disk facilitates evasion from antivirus and security software, as the virtual disk can be quickly detached after the malicious tasks are completed.

It subsequently extracts the final resource into “%APPDATA%\sichost.exe”, which in turn places a copy of the loader into “%APPDATA%\A3R6C9.exe” and removes the loader from its original execution path.

Execution

Upon execution of the ransomware payload, if first enables the SeDebugPrivilege for its process, essentially escalating its privilege. It then respawns itself. If it finds out that its process is running under a debugger it immediately terminates the debugger and a few application processes, and stops some services listed in the Process and Service Termination section.

Once it verifies that it is not running a debugger, it modifies the Windows registry keys under the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives to potentially restrict user actions such as:

logging off
shutting down
switching users
accessing the Task Manager

It then sends a WM_SETTINGCHANGE message to update the system with these changes. The ransomware then checks for the following command-line arguments:

Command Line Parameter	Description
--target <target file or directory paths delimited with space>	List of target file or directory paths to encrypt
--debug=<log file path>	Log errors to specified log file path

If the number of command line arguments is greater than one (1) and no target path is specified, the ransomware clears all configurations and exits.

Process and Service Termination

After respawning to free itself from being debugged, it terminates the process associated with debuggers, reverse engineering, and performance profiling applications as listed below:

Debuggers and Reverse Engineering Processes	Code and Performance Profiling Processes
SND S-Ice ImmunityDebugger OLLYDBG devenv idaq devenv windbg gdb lldb SoftICE Immunity Hopper radare2 ida64 ghidra ntsd x64dbg x32dbg windbg cdb syserx32 pdb2sdsx32 unpackx32 w32dsm89 w32dsm88 w32dsm87	uVision CodeTalker valgrind cppcheck clang-cl PVS-Studio Parasoft Understand Deleaker CodeBot appverif amplxe-gui nsight

This ransomware stops services associated with AV and security, backup and restore and database services:

AV and Security Services	Backup and Restore Services	Database Services
sophos kavfsslp KAVFSGT KAVFS mfefire DefWatch ccEvtMgr ccSetMgr SavRoam RTVscan zhudongfangyu Sophos Agent Sophos Clean Service Sophos Health Service Sophos MCS Agent Sophos MCS Client Sophos Message Router Antivirus EraserSvc11710 EsgShKernel FA_Scheduler macmnsvc masvc MBAMService MBEndpointAgent McAfeeEngineService McAfeeFramework McShield McTaskManager mfemms mfevtp ntrtscan SAVAdminService SAVService SepMasterService ShMonitor Smcinst SmcService SntpService sophossps svcGenericHost swi_filter swi_service swi_update_64 TmCCSF tmlisten WRSVC swi_update EhttpSrv ekrn ESHASRV AVP klnagent	veeam backup YooBackup YooIT VeeamTransportSvc VeeamDeploymentService VeeamNFSSvc BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService vss QBFCService QBIDPService Intuit.QuickBooks.FCS QBCFMonitorService stc_raw_agent VSNAPVSS PDVFSService AcrSch2Svc AcronisAgent CASAD2DWebSvc CAARCUpdateSvc Acronis VSS Provider ARSM bedbg DCAgent EPSecurityService EPUpdateService MMS mozyprobackup SDRSVC VeeamBackupSvc VeeamBrokerSvc VeeamCatalogSvc VeeamCloudSvc VeeamDeploySvc VeeamMountSvc VeeamRESTSvc wbengine VeeamHvIntegrationSvc Zoolz 2 Service	sql MsDtsServer MsDtsServer100 MsDtsServer110 MSOLAP$SQL_2008 MSOLAP$SYSTEM_BGC MSOLAP$TPS MSOLAP$TPSAMA MSSQL$BKUPEXEC MSSQL$ECWDB2 MSSQL$PRACTICEMGT MSSQL$PRACTTICEBGC MSSQL$PROFXENGAGEMENT MSSQL$SBSMONITORING MSSQL$SHAREPOINT MSSQL$SQL_2008 MSSQL$SYSTEM_BGC MSSQL$TPS MSSQL$TPSAMA MSSQL$VEEAMSQL2008R2 MSSQL$VEEAMSQL2012 MSSQLFDLauncher MSSQLFDLauncher$TPS MSSQLSERVER MySQL80 MySQL57 OracleClientCache80 ReportServer ReportServer$SQL_2008 ReportServer$TPS ReportServer$TPSAMA SNAC SQLAgent$BKUPEXEC SQLAgent$ECWDB2 SQLAgent$PRACTTICEBGC SQLAgent$PRACTTICEMGT SQLAgent$SHAREPOINT SQLAgent$SQL_2008 SQLAgent$SYSTEM_BGC SQLAgent$TPS SQLAgent$TPSAMA SQLAgent$VEEAMSQL2012 SQLBrowser SQLSafeOLRService SQLSERVERAGENT SQLTELEMETRY SQLTELEMETRY$ECWDB2 SQLWriter SQLAgent$CXDB SQL Backups MSSQL$PROD MSSQLServerADHelper SQLAgent$PROD msftesql$PROD MSSQL$SOPHOS SQLAgent$SOPHOS MSSQL$SQLEXPRESS SQLAgent$SQLEXPRESS

System and Utility Services	Network and Mail Services	Password Management Services
svc$ memtas GxVss GxBlr GxFWD GxCVD GxCIMgr sacsvr SamSs UI0Detect NetMsmqActivator	mepocs IISAdmin IMAP4Svc MSExchangeES MSExchangeIS MSExchangeMGMT MSExchangeMTA MSExchangeSA MSExchangeSRS POP3Svc RESvc SMTPSvc SstpSvc W3Svc	TrueKey TrueKeyScheduler TrueKeyServiceHelper

After closing the above services, it also attempts to terminate processes associated with database, productivity, email, web and security applications as listed below:

Database Applications	Microsoft Office Applications	Web Browser Applications/Components
sql isqlplussvc sqbcoreservice msaccess msftesql mysqld mysqld-nt mysqld-opt sqlagent sqlbrowser sqlservr steam oracle ocautoupds mydesktopqos dbsnmp xfssvccon mydesktopservice ocssd ocomm dbeng50 sqlwriter	visio winword wordpad outlook powerpnt excel onenote notepad mspub infopath Notepad	firefox firefoxconfig

Email Clients	Antivirus and Security Software	System Utilities
thebat thebat64 thunderbird tbirdconfig	agntsvc tmlisten PccNTMon CNTAoSMgr Ntrtscan mbamtray	synctime encsvc

Backup and Restore Software
zoolz

File Selection/Enumeration

If the `--target` command-line argument is used to run the ransomware payload, it will only search for files to encrypt within the specified files and directories. Without this argument, it will search for files across all volumes, directories, and network shares. The ransomware achieves this by initializing worker threads that will:

1. Queue Files for Encryption

‍Files are selected by enumerating all files from a given directory or network resource, skipping files that match any of the folder names, file names or file extensions listed below:

Folder Names	File Names	File Extensions
Boot BOOTNXT System Volume Information Windows Windows.old Tor Browser Internet Explorer Google Opera Opera Software Mozilla Mozilla Firefox $Recycle.Bin ProgramData All Users	readme_for_unlock.txt autorun.inf bootfont.bin bootsect.bak bootmgr ntuser.dat.log thumbs.db iconcache.db ntldr ntuser.dat d3d9caps.dat #recycle .. .	crYpt crYptA1 crYptA2 crYptA3 sys tmp efi exe bat dll ini drv msc

2. Encrypt the Queued Files

‍There are two (2) modes of encryption implemented by this ransomware, full and intermittent encryption, which depend on the size of the file being encrypted. Detailed information for the encryption methods is tabulated below:

File size condition	Encryption Mode	Encryption Mode Parameters
> 0x00 bytes and <= 0x500000 (5MiB)	Full	Whole file encryption
> 0x500000 (5MiB) and < 0x1400000 (20MiB)	Intermittent	Step = 0x1000000 (16MiB) Skip = 1/3 of the file Chunks = 3 Step encrypt every chunk size of 0x1000000 starting from offset 0x00, then sip every 1/3 of the file. Encrypting a total of 3 chunks.
> 0x1400000 (20MiB)	Intermittent	Step = 0x1000000 (16MiB) Skip = 0xA00000 (10MiB) Chunks = File size/0xA00000 Step encrypt every chunk size of 0x1000000 from offset 0x00, then skip 0xA00000. Encrypting a total of (file size/0xA00000) chunks.

Encryption and Decryption

When a file is queued for encryption, its file attributes is set to FILE_ATTRIBUTE_NORMAL first using SetFileAttributesW. Once ensured that the file attribute is not set to FILE_ATTRIBUTE_READONLY and FILE_ATTRIBUTE_SYSTEM, it is renamed by appending .crYpt as its file extension.

Based on our analysis, this ransomware is derived from the leaked Babuk source code, evidently seen in the decompiled code below:

This ransomware uses CryptGenRandom, a cryptographically secure pseudo random number generator, to generate a random 32-byte (0x20) Curve25519 private key. It uses Curve25519_donna to derive a 32-byte public key from the generated private key, and uses Curve25519_donna again to derive a 32-byte shared key from the generated private key and a hard-coded 32-byte public key, which in this case is:

00000000: 7a 15 f0 aa 58 7d 9d 6a b5 54 bb ae 0f 8c 41 8a  z...X}.j.T....A.
00000010: 73 5c ac ea e9 e6 80 8b 82 f0 87 f4 78 82 74 0f  s\..........x.t.

A 64-byte (512 bits) hash is then generated by getting the SHA512 hash of the Curve25519 shared key, where the first 32-bytes used as the HC-128 key and the remaining 32-bytes as the HC-128 initial vector (IV).

Depending on the encryption mode described in the File Selection/Enumeration section, data chunks from the file are encrypted using HC-128. The structure below describes a 0x48 byte footer structure appended at the end of the encrypted file:

A computer screen with textDescription automatically generated

This ransomware variant may have adapted its cryptographic algorithms from the following sources:

Elliptic Curve Cryptography (ECC) function Curve25519_donna - https://github.com/agl/curve25519-donna/blob/master/curve25519-donna.c
SHA512 - https://github.com/Maximus5/plink/blob/607ca3416722096a75555009b3422de97c37e65a/sshsh512.c#L303

Extortion Notifications

During the C Run-Time initialization of the ransomware payload, the ransom note is decrypted with a modified variant of Extended Tiny Encryption Algorithm (XTEA) using a 16-byte key derived with four (4) hard-coded bytes as shown in the code snippet below:

A computer screen shot of a program codeDescription automatically generated

Just before the encryption threads are initialized, a bitmap image is generated from the decrypted ransom note, saved to C:\ProgramData\wallpaper.bmp, and set as the desktop wallpaper using the SystemParametersInfoW function as shown in the code snippet and wallpaper preview below:

A screen shot of a computer programDescription automatically generated

Alternatively, for every directory traversed by the file enumeration thread, a ransom note in text format is saved as readme_for_unlock.txt.

Backup Disruptions

Before initializing the encryption threads, the ransomware empties the recycle bin by calling the SHEmptyRecycleBinA function. It then deletes volume shadow copies by running the following command line:

cmd.exe /c vssadmin.exe delete shadows /all /quiet

Persistence

This ransomware adds the following registry to make sure it executes every time the system starts:

Registry Component	Value
Hive	HKEY_LOCAL_MACHINE
Key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry	Windows Update
Path	C:\ProgramData\Host Process for Windows Services or C:\ProgramData\e83sG\Host Process for Windows Services

System Modifications

To restrict the user from logging out, shutting down, switching to another user or accessing the Task Manager; the ransomware sets the following registry keys:

Registry Component	Value
Hive	HKEY_LOCAL_MACHINE HKEY_CURRENT_USER
Key	SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Entries	NoLogoff NoClose StartMenuLogOff DisableChangePassword DisableSwitchUser DisableTaskMgr HideFastUserSwitching

Registry Component

Value

Hive

HKEY_LOCAL_MACHINE 
HKEY_CURRENT_USER

Key

SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER

Entries

NoLogoff
NoClose
StartMenuLogOff
DisableChangePassword
DisableSwitchUser
DisableTaskMgr
HideFastUserSwitching

Conclusion

The Cloak ransomware variant analyzed demonstrates a high level of sophistication in its operational tactics, combining advanced privilege escalation, process termination, and encryption techniques. Its delivery mechanism embeds the payload seamlessly, while its use of the HC-128 algorithm and robust key generation ensures secure and effective file encryption.

By targeting security tools, backups, and databases, Cloak maximizes disruption and complicates recovery efforts. Its persistence mechanisms, including registry modifications and user restrictions, further ensure prolonged impact and operational downtime. With its strategic use of intermittent encryption and aggressive deletion of recovery tools, Cloak exemplifies a modern ransomware threat designed to exert maximum pressure on victims while evading detection and countermeasures.

‍

‍Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.

See All Blog Posts

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

Let's get started

First Name

Last Name

Phone Number

Buying Timeframe

halcyon.ai is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

I agree to receive other communications from halcyon.ai and acknowledge Halcyon's privacy policy.

You may unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow halcyon.ai to store and process the personal information submitted above to provide you the content requested.

Back

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Related Posts

Security Gets Serious Episode 007: Veteran CISO Mark Weatherford

Last Week in Ransomware: 12.16.2024

Cloak Ransomware Variant Exhibits Advanced Persistence, Evasion and VHD Extraction Capabilities

Halcyon Threat Insights 011: December 2024 Ransomware Report

See Halcyon in action