{
	"id": "5ce67850-9902-4513-8d0c-311eb2841501",
	"created_at": "2026-04-29T02:20:53.155614Z",
	"updated_at": "2026-04-29T08:22:44.496075Z",
	"deleted_at": null,
	"sha1_hash": "88b92b9eb8d22d3a8eb948f95b35af1814663b47",
	"title": "Cloak Ransomware Variant Exhibits Advanced Persistence, Evasion and VHD Extraction Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 788911,
	"plain_text": "Cloak Ransomware Variant Exhibits Advanced Persistence,\r\nEvasion and VHD Extraction Capabilities\r\nBy Halcyon RISE Team\r\nPublished: 2024-12-12 · Archived: 2026-04-29 02:05:18 UTC\r\nThe Cloak ransomware group, which surfaced in late 2022, has rapidly become a significant threat actor in the\r\ncybersecurity landscape with more than two-dozen attacks against victims like Autohaus Ruland Viersen and\r\nDunlop Aircraft Tyres. Despite its recent prominence, the origins and organizational structure of the group remain\r\nobscure. \r\nCloak primarily targets small to medium-sized businesses in Europe, with Germany as a key focus. The group has\r\nextended its operations to countries in Asia and targets various sectors, including healthcare, real estate,\r\nconstruction, IT, food, and manufacturing.\r\nCloak’s attack strategy involves acquiring network access through Initial Access Brokers (IABs) or social\r\nengineering methods such as phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate\r\nupdates like Microsoft Windows installers. Once inside a network, the group deploys a ransomware payload—a\r\nvariant of ARCrypter that appears to be derived from the leaked Babuk ransomware source code. \r\nThe group delivers ransom notes as desktop wallpapers and text files named \"readme_for_unlock.txt\" while\r\ndeleting volume shadow copies to hinder recovery efforts. Victims who refuse to pay face further consequences,\r\nas Cloak publishes their stolen data on its Data Leak Site (DLS) for free download. The group boasts an\r\nexceptionally high payment rate of 91-96%, highlighting its effectiveness in coercing victims.\r\nConnections between Cloak and the Good Day ransomware operation have also been observed. Good Day, a\r\nvariant of the ARCrypter family first seen in May 2023, shares a data leak platform with Cloak, suggesting\r\ncollaboration or overlap in their extortion activities. 
Cloak's association with Good Day and its sophisticated\r\ntechniques emphasize its growing influence and adaptability in the ransomware ecosystem.\r\nThe group is suspected of purchasing information from initial access brokers (IABs) to infiltrate their victims’\r\nnetworks, but also uses social engineering tactics such as phishing, malvertising, exploit kits, and drive-by\r\ndownloads disguised as Microsoft Windows Update installers.\r\nExecutive Summary\r\nThe Cloak variant analyzed displays sophisticated extraction and privilege escalation mechanisms and terminates\r\nprocesses related to security and data backup tools:\r\nDelivery and Execution: Delivered via a loader embedding the ransomware payload, the malware\r\nemploys sophisticated extraction and privilege escalation mechanisms. It terminates processes and services\r\nrelated to security, backups, and databases while modifying system settings to hinder recovery and user\r\nactions.\r\nhttps://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities\r\nPage 1 of 15\n\nPayload Behavior: The ransomware encrypts files on local drives and network shares using the HC-128\r\nalgorithm. The encryption keys are securely generated with Curve25519 and SHA512. It employs\r\nadvanced evasion techniques, including executing from virtual hard disks to avoid detection.\r\nPersistence and System Impact: The ransomware ensures persistence by modifying registry entries for\r\nstartup execution and restricting user actions such as logging off or accessing the Task Manager. It disrupts\r\nsystem utilities, network services, and essential applications to escalate operational downtime.\r\nExtortion and Encryption Techniques: Ransom notes are deployed as desktop wallpapers and text files.\r\nThe ransomware uses intermittent encryption for large files, targeting specific chunks to maximize damage\r\nwhile optimizing performance. 
Shadow copies and backups are deleted to increase leverage over victims.\r\nRansomware Payload Behavior Analysis\r\nThe loader contains three (3) resources, each compressed with the LZMS compression algorithm from the\r\nCompression API loaded from Cabinet.dll and encrypted with a variant of the Extended Tiny Encryption Algorithm\r\n(XTEA).\r\nAfter extracting the first resource and saving it, the payload creates a disk partition script file which initially\r\ncontains the following commands:\r\nselect vdisk file=\"C:\\ProgramData\\Q9acabd3.vhd\"\r\nattach vdisk\r\nexit\r\nThis script is then loaded and executed with the diskpart command-line utility using the following command,\r\nwhich is repeated several times in its attempt to mount the virtual hard disk:\r\ndiskpart /s C:\\ProgramData\\kD2aE.tmp\r\nThe following script is then executed, where the result is parsed by the loader to retrieve the volume ID for the\r\nvolume named BLA:\r\nlist volumes\r\nexit\r\nIf the loader is executed with elevated privileges, the diskpart command-line utility will successfully list all\r\nvolumes, including the attached virtual disk. 
Otherwise, the loader will use the %APPDATA% directory as the\r\nlocation for its payload.\r\nAfter retrieving the volume ID, it is selected using the following diskpart script:\r\nselect volume \u003cvirtual disk volume ID\u003e\r\nexit\r\nAfterward, the loader creates a folder at %APPDATA%\\e83sG, where the virtual disk is assigned and mounted\r\nusing the following diskpart script:\r\nassign mount=\"C:\\ProgramData\\e83sG\"\r\nexit\r\nAt this stage, the loader extracts and saves the UPX-compressed ransomware payload into the mounted virtual\r\ndisk as \"%APPDATA%\\e83sG\\Host Process for Windows Services\" if the virtual disk was successfully mounted;\r\notherwise, it is saved to \"%APPDATA%\\Host Process for Windows Services\" and then executed from that path.\r\nHere's what the mounted virtual disk looks like from Windows Explorer (screenshot omitted from this text version).\r\nExecuting the ransomware payload from a mounted virtual disk facilitates evasion from antivirus and security\r\nsoftware, as the virtual disk can be quickly detached after the malicious tasks are completed.\r\nIt subsequently extracts the final resource into \"%APPDATA%\\sichost.exe\", which in turn places a copy of the\r\nloader into \"%APPDATA%\\A3R6C9.exe\" and removes the loader from its original execution path.\r\nExecution\r\nUpon execution of the ransomware payload, it first enables the SeDebugPrivilege for its process, essentially\r\nescalating its privilege. It then respawns itself. 
If it finds out that its process is running under a debugger, it\r\nimmediately terminates the debugger and a few application processes, and stops some services listed in the\r\nProcess and Service Termination section.\r\nOnce it verifies that it is not running under a debugger, it modifies the Windows registry keys under the\r\nHKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives to potentially restrict user actions such as:\r\nlogging off\r\nshutting down\r\nswitching users\r\naccessing the Task Manager\r\nIt then sends a WM_SETTINGCHANGE message to update the system with these changes. The ransomware then\r\nchecks for the following command-line arguments:\r\nCommand Line Parameter | Description\r\n--target \u003ctarget file or directory paths delimited with space\u003e | List of target file or directory paths to encrypt\r\n--debug=\u003clog file path\u003e | Log errors to the specified log file path\r\nIf the number of command-line arguments is greater than one (1) and no target path is specified, the ransomware\r\nclears all configurations and exits.\r\nProcess and Service Termination\r\nAfter respawning to free itself from being debugged, it terminates the processes associated with debuggers, reverse\r\nengineering, and performance profiling applications as listed below:\r\nDebuggers and Reverse Engineering Processes | Code and Performance Profiling Processes\r\nSND\r\nS-Ice\r\nImmunityDebugger\r\nOLLYDBG\r\ndevenv\r\nidaq\r\ndevenv\r\nwindbg\r\ngdb\r\nlldb\r\nSoftICE\r\nuVision\r\nCodeTalker\r\nvalgrind\r\ncppcheck\r\nclang-cl\r\nPVS-Studio\r\nParasoft\r\nUnderstand\r\nDeleaker\r\nCodeBot\r\nappverif\r\nImmunity\r\nHopper\r\nradare2\r\nida64\r\nghidra\r\nntsd\r\nx64dbg\r\nx32dbg\r\nwindbg\r\ncdb\r\nsyserx32\r\npdb2sdsx32\r\nunpackx32\r\nw32dsm89\r\nw32dsm88\r\nw32dsm87\r\namplxe-gui\r\nnsight\r\nThis ransomware stops services associated with AV and security, backup and restore, and database services:\r\nAV and Security Services | Backup and Restore Services | Database Services\r\nsophos\r\nkavfsslp\r\nKAVFSGT\r\nKAVFS\r\nmfefire\r\nDefWatch\r\nccEvtMgr\r\nccSetMgr\r\nSavRoam\r\nRTVscan\r\nzhudongfangyu\r\nSophos Agent\r\nSophos Clean Service\r\nSophos Health Service\r\nSophos MCS Agent\r\nSophos MCS Client\r\nSophos Message Router\r\nAntivirus\r\nEraserSvc11710\r\nEsgShKernel\r\nveeam\r\nbackup\r\nYooBackup\r\nYooIT\r\nVeeamTransportSvc\r\nVeeamDeploymentService\r\nVeeamNFSSvc\r\nBackupExecVSSProvider\r\nBackupExecAgentAccelerator\r\nBackupExecAgentBrowser\r\nBackupExecDiveciMediaService\r\nBackupExecJobEngine\r\nBackupExecManagementService\r\nBackupExecRPCService\r\nvss\r\nQBFCService\r\nQBIDPService\r\nIntuit.QuickBooks.FCS\r\nQBCFMonitorService\r\nstc_raw_agent\r\nsql\r\nMsDtsServer\r\nMsDtsServer100\r\nMsDtsServer110\r\nMSOLAP$SQL_2008\r\nMSOLAP$SYSTEM_BGC\r\nMSOLAP$TPS\r\nMSOLAP$TPSAMA\r\nMSSQL$BKUPEXEC\r\nMSSQL$ECWDB2\r\nMSSQL$PRACTICEMGT\r\nMSSQL$PRACTTICEBGC\r\nMSSQL$PROFXENGAGEMENT\r\nMSSQL$SBSMONITORING\r\nMSSQL$SHAREPOINT\r\nMSSQL$SQL_2008\r\nMSSQL$SYSTEM_BGC\r\nMSSQL$TPS\r\nMSSQL$TPSAMA\r\nMSSQL$VEEAMSQL2008R2\r\nFA_Scheduler\r\nmacmnsvc\r\nmasvc\r\nMBAMService\r\nMBEndpointAgent\r\nMcAfeeEngineService\r\nMcAfeeFramework\r\nMcShield\r\nMcTaskManager\r\nmfemms\r\nmfevtp\r\nntrtscan\r\nSAVAdminService\r\nSAVService\r\nSepMasterService\r\nShMonitor\r\nSmcinst\r\nSmcService\r\nSntpService\r\nsophossps\r\nsvcGenericHost\r\nswi_filter\r\nswi_service\r\nswi_update_64\r\nTmCCSF\r\ntmlisten\r\nWRSVC\r\nswi_update\r\nEhttpSrv\r\nekrn\r\nESHASRV\r\nAVP\r\nklnagent\r\nVSNAPVSS\r\nPDVFSService\r\nAcrSch2Svc\r\nAcronisAgent\r\nCASAD2DWebSvc\r\nCAARCUpdateSvc\r\nAcronis VSS Provider\r\nARSM\r\nbedbg\r\nDCAgent\r\nEPSecurityService\r\nEPUpdateService\r\nMMS\r\nmozyprobackup\r\nSDRSVC\r\nVeeamBackupSvc\r\nVeeamBrokerSvc\r\nVeeamCatalogSvc\r\nVeeamCloudSvc\r\nVeeamDeploySvc\r\nVeeamMountSvc\r\nVeeamRESTSvc\r\nwbengine\r\nVeeamHvIntegrationSvc\r\nZoolz 2 Service\r\nMSSQL$VEEAMSQL2012\r\nMSSQLFDLauncher\r\nMSSQLFDLauncher$TPS\r\nMSSQLSERVER\r\nMySQL80\r\nMySQL57\r\nOracleClientCache80\r\nReportServer\r\nReportServer$SQL_2008\r\nReportServer$TPS\r\nReportServer$TPSAMA\r\nSNAC\r\nSQLAgent$BKUPEXEC\r\nSQLAgent$ECWDB2\r\nSQLAgent$PRACTTICEBGC\r\nSQLAgent$PRACTTICEMGT\r\nSQLAgent$SHAREPOINT\r\nSQLAgent$SQL_2008\r\nSQLAgent$SYSTEM_BGC\r\nSQLAgent$TPS\r\nSQLAgent$TPSAMA\r\nSQLAgent$VEEAMSQL2012\r\nSQLBrowser\r\nSQLSafeOLRService\r\nSQLSERVERAGENT\r\nSQLTELEMETRY\r\nSQLTELEMETRY$ECWDB2\r\nSQLWriter\r\nSQLAgent$CXDB\r\nSQL Backups\r\nMSSQL$PROD\r\nMSSQLServerADHelper\r\nSQLAgent$PROD\r\nmsftesql$PROD\r\nMSSQL$SOPHOS\r\nSQLAgent$SOPHOS\r\nMSSQL$SQLEXPRESS\r\nSQLAgent$SQLEXPRESS\r\nSystem and Utility Services | Network and Mail Services | Password Management 
Services\r\nsvc$\r\nmemtas\r\nGxVss\r\nGxBlr\r\nGxFWD\r\nGxCVD\r\nGxCIMgr\r\nsacsvr\r\nSamSs\r\nUI0Detect\r\nNetMsmqActivator\r\nmepocs\r\nIISAdmin\r\nIMAP4Svc\r\nMSExchangeES\r\nMSExchangeIS\r\nMSExchangeMGMT\r\nMSExchangeMTA\r\nMSExchangeSA\r\nMSExchangeSRS\r\nPOP3Svc\r\nRESvc\r\nSMTPSvc\r\nSstpSvc\r\nW3Svc\r\nTrueKey\r\nTrueKeyScheduler\r\nTrueKeyServiceHelper\r\nAfter stopping the above services, it also attempts to terminate processes associated with database, productivity,\r\nemail, web and security applications as listed below:\r\nDatabase Applications | Microsoft Office Applications | Web Browser Applications/Components\r\nsql\r\nisqlplussvc\r\nsqbcoreservice\r\nmsaccess\r\nmsftesql\r\nmysqld\r\nmysqld-nt\r\nmysqld-opt\r\nsqlagent\r\nsqlbrowser\r\nsqlservr\r\nsteam\r\noracle\r\nocautoupds\r\nmydesktopqos\r\ndbsnmp\r\nxfssvccon\r\nmydesktopservice\r\nocssd\r\nocomm\r\nvisio\r\nwinword\r\nwordpad\r\noutlook\r\npowerpnt\r\nexcel\r\nonenote\r\nnotepad\r\nmspub\r\ninfopath\r\nNotepad\r\nfirefox\r\nfirefoxconfig\r\ndbeng50\r\nsqlwriter\r\nEmail Clients | Antivirus and Security Software | System Utilities\r\nthebat\r\nthebat64\r\nthunderbird\r\ntbirdconfig\r\nagntsvc\r\ntmlisten\r\nPccNTMon\r\nCNTAoSMgr\r\nNtrtscan\r\nmbamtray\r\nsynctime\r\nencsvc\r\nBackup and Restore Software\r\nzoolz\r\nFile Selection/Enumeration\r\nIf the `--target` command-line argument is used to run the ransomware payload, it will only search for files to\r\nencrypt within the specified files and directories. Without this argument, it will search for files across all volumes,\r\ndirectories, and network shares. The ransomware achieves this by initializing worker threads that will:\r\n1. 
Queue Files for Encryption\r\nFiles are selected by enumerating all files from a given directory or network resource, skipping files that match\r\nany of the folder names, file names or file extensions listed below:\r\nFolder Names | File Names | File Extensions\r\nBoot\r\nBOOTNXT\r\nSystem Volume Information\r\nWindows\r\nWindows.old\r\nTor Browser\r\nInternet Explorer\r\nGoogle\r\nOpera\r\nOpera Software\r\nMozilla\r\nMozilla Firefox\r\n$Recycle.Bin\r\nreadme_for_unlock.txt\r\nautorun.inf\r\nbootfont.bin\r\nbootsect.bak\r\nbootmgr\r\nntuser.dat.log\r\nthumbs.db\r\niconcache.db\r\nntldr\r\nntuser.dat\r\nd3d9caps.dat\r\n#recycle\r\n..\r\n.\r\ncrYpt\r\ncrYptA1\r\ncrYptA2\r\ncrYptA3\r\nsys\r\ntmp\r\nefi\r\nexe\r\nbat\r\ndll\r\nini\r\ndrv\r\nmsc\r\nProgramData\r\nAll Users\r\n2. Encrypt the Queued Files\r\nThere are two (2) modes of encryption implemented by this ransomware, full and intermittent encryption, which\r\ndepend on the size of the file being encrypted. Detailed information for the encryption methods is tabulated\r\nbelow:\r\nFile size condition | Encryption Mode | Encryption Mode Parameters\r\n\u003e 0x00 bytes and \u003c= 0x500000 (5MiB) | Full | Whole file encryption\r\n\u003e 0x500000 (5MiB) and \u003c 0x1400000 (20MiB) | Intermittent | Step = 0x1000000 (16MiB); Skip = 1/3 of the file; Chunks = 3. Step encrypt every chunk size of 0x1000000 starting from offset 0x00, then skip every 1/3 of the file. Encrypting a total of 3 chunks.\r\n\u003e 0x1400000 (20MiB) | Intermittent | Step = 0x1000000 (16MiB); Skip = 0xA00000 (10MiB); Chunks = File size/0xA00000. Step encrypt every chunk size of 0x1000000 from offset 0x00, then skip 0xA00000. Encrypting a total of (file size/0xA00000) chunks.\r\nEncryption and Decryption\r\nWhen a file is queued for encryption, its file attributes are first set to FILE_ATTRIBUTE_NORMAL using\r\nSetFileAttributesW. Once it is ensured that the file attribute is not set to FILE_ATTRIBUTE_READONLY or\r\nFILE_ATTRIBUTE_SYSTEM, the file is renamed by appending .crYpt as its file extension.\r\nBased on our analysis, this ransomware is derived from the leaked Babuk source code, as is evident in the\r\ndecompiled code (screenshot omitted from this text version).\r\nThis ransomware uses CryptGenRandom, a cryptographically secure pseudo random number generator, to\r\ngenerate a random 32-byte (0x20) Curve25519 private key. It uses Curve25519_donna to derive a 32-byte public\r\nkey from the generated private key, and uses Curve25519_donna again to derive a 32-byte shared key from the\r\ngenerated private key and a hard-coded 32-byte public key, which in this case is:\r\n00000000: 7a 15 f0 aa 58 7d 9d 6a b5 54 bb ae 0f 8c 41 8a z...X}.j.T....A.\r\n00000010: 73 5c ac ea e9 e6 80 8b 82 f0 87 f4 78 82 74 0f s\\..........x.t.\r\nA 64-byte (512-bit) hash is then generated by taking the SHA512 hash of the Curve25519 shared key, where the\r\nfirst 32 bytes are used as the HC-128 key and the remaining 32 bytes as the HC-128 initialization vector (IV).\r\nDepending on the encryption mode described in the File Selection/Enumeration section, data chunks from the file\r\nare encrypted using HC-128. 
A 0x48-byte footer structure is appended at the end of the encrypted file (structure diagram omitted from this text\r\nversion).\r\nThis ransomware variant may have adapted its cryptographic algorithms from the following sources:\r\nElliptic Curve Cryptography (ECC) function Curve25519_donna - https://github.com/agl/curve25519-donna/blob/master/curve25519-donna.c\r\nSHA512 - https://github.com/Maximus5/plink/blob/607ca3416722096a75555009b3422de97c37e65a/sshsh512.c#L303\r\nExtortion Notifications\r\nDuring the C Run-Time initialization of the ransomware payload, the ransom note is decrypted with a modified\r\nvariant of the Extended Tiny Encryption Algorithm (XTEA) using a 16-byte key derived from four (4) hard-coded\r\nbytes (code snippet omitted from this text version).\r\nJust before the encryption threads are initialized, a bitmap image is generated from the decrypted ransom note,\r\nsaved to C:\\ProgramData\\wallpaper.bmp, and set as the desktop wallpaper using the SystemParametersInfoW\r\nfunction (code snippet and wallpaper preview omitted from this text version).\r\nIn addition, for every directory traversed by the file enumeration thread, a ransom note in text format is saved as\r\nreadme_for_unlock.txt.\r\nBackup Disruptions\r\nBefore initializing the encryption threads, the ransomware empties the recycle bin by calling the\r\nSHEmptyRecycleBinA function. 
It then deletes volume shadow copies by running the following command line:\r\ncmd.exe /c vssadmin.exe delete shadows /all /quiet\r\nThis ransomware adds the following registry entry to make sure it executes every time the system starts:\r\nRegistry Component | Value\r\nHive | HKEY_LOCAL_MACHINE\r\nKey | SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nEntry | Windows Update\r\nPath | C:\\ProgramData\\Host Process for Windows Services or C:\\ProgramData\\e83sG\\Host Process for Windows Services\r\nSystem Modifications\r\nTo restrict the user from logging out, shutting down, switching to another user or accessing the Task Manager, the\r\nransomware sets the following registry keys:\r\nRegistry Component | Value\r\nHive | HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER\r\nKey | SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\r\nEntries | NoLogoff, NoClose, StartMenuLogOff, DisableChangePassword, DisableSwitchUser, DisableTaskMgr, HideFastUserSwitching\r\nConclusion\r\nThe Cloak ransomware variant analyzed demonstrates a high level of sophistication in its operational tactics,\r\ncombining advanced privilege escalation, process termination, and encryption techniques. Its delivery mechanism\r\nembeds the payload seamlessly, while its use of the HC-128 algorithm and robust key generation ensures secure\r\nand effective file encryption.\r\nBy targeting security tools, backups, and databases, Cloak maximizes disruption and complicates recovery efforts.\r\nIts persistence mechanisms, including registry modifications and user restrictions, further ensure prolonged impact\r\nand operational downtime. 
With its strategic use of intermittent encryption and aggressive deletion of recovery\r\ntools, Cloak exemplifies a modern ransomware threat designed to exert maximum pressure on victims while\r\nevading detection and countermeasures.\r\nHalcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent\r\nransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies –\r\ntalk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon\r\nalso publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious\r\nQuartile.\r\nSource: https://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities"
	],
	"report_names": [
		"cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1777429253,
	"ts_updated_at": 1777450964,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88b92b9eb8d22d3a8eb948f95b35af1814663b47.pdf",
		"text": "https://archive.orkl.eu/88b92b9eb8d22d3a8eb948f95b35af1814663b47.txt",
		"img": "https://archive.orkl.eu/88b92b9eb8d22d3a8eb948f95b35af1814663b47.jpg"
	}
}