Cloak Ransomware Variant Exhibits Advanced Persistence, Evasion and VHD Extraction Capabilities

By Halcyon RISE Team
Published: 2024-12-12 · Archived: 2026-04-29 02:05:18 UTC

The Cloak ransomware group, which surfaced in late 2022, has rapidly become a significant threat actor in the cybersecurity landscape, with more than two dozen attacks against victims like Autohaus Ruland Viersen and Dunlop Aircraft Tyres. Despite its recent prominence, the origins and organizational structure of the group remain obscure.

Cloak primarily targets small to medium-sized businesses in Europe, with Germany as a key focus. The group has extended its operations to countries in Asia and targets various sectors, including healthcare, real estate, construction, IT, food, and manufacturing. Cloak’s attack strategy involves acquiring network access through Initial Access Brokers (IABs) or social engineering methods such as phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate updates like Microsoft Windows installers. Once inside a network, the group deploys a ransomware payload—a variant of ARCrypter that appears to be derived from the leaked Babuk ransomware source code.

The group delivers ransom notes as desktop wallpapers and text files named "readme_for_unlock.txt" while deleting volume shadow copies to hinder recovery efforts. Victims who refuse to pay face further consequences, as Cloak publishes their stolen data on its Data Leak Site (DLS) for free download. The group boasts an exceptionally high payment rate of 91-96%, highlighting its effectiveness in coercing victims. Connections between Cloak and the Good Day ransomware operation have also been observed. Good Day, a variant of the ARCrypter family first seen in May 2023, shares a data leak platform with Cloak, suggesting collaboration or overlap in their extortion activities.
Cloak's association with Good Day and its sophisticated techniques emphasize its growing influence and adaptability in the ransomware ecosystem. The group is suspected of purchasing information from initial access brokers (IABs) to infiltrate its victims’ networks, but it also uses social engineering tactics such as phishing, malvertising, exploit kits, and drive-by downloads disguised as Microsoft Windows Update installers.

Executive Summary

The Cloak variant analyzed displays sophisticated extraction and privilege escalation mechanisms and terminates processes related to security and data backup tools:

Delivery and Execution: Delivered via a loader embedding the ransomware payload, the malware employs sophisticated extraction and privilege escalation mechanisms. It terminates processes and services related to security, backups, and databases while modifying system settings to hinder recovery and user actions.

https://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities Page 1 of 15

Payload Behavior: The ransomware encrypts files on local drives and network shares using the HC-128 algorithm. The encryption keys are securely generated with Curve25519 and SHA512. It employs advanced evasion techniques, including executing from virtual hard disks to avoid detection.

Persistence and System Impact: The ransomware ensures persistence by modifying registry entries for startup execution and restricting user actions such as logging off or accessing the Task Manager. It disrupts system utilities, network services, and essential applications to escalate operational downtime.

Extortion and Encryption Techniques: Ransom notes are deployed as desktop wallpapers and text files. The ransomware uses intermittent encryption for large files, targeting specific chunks to maximize damage while optimizing performance. Shadow copies and backups are deleted to increase leverage over victims.
Ransomware Payload Behavior Analysis

The loader contains three (3) resources, each compressed with the LZMS compression algorithm from the Compression API loaded from Cabinet.dll and encrypted with a variant of the Extended Tiny Encryption Algorithm (XTEA). After extracting the first resource and saving it, the payload creates a diskpart script file which initially contains the following commands:

    select vdisk file="C:\ProgramData\Q9acabd3.vhd"
    attach vdisk
    exit

This script is then loaded and executed with the diskpart command-line utility using the following command, which is run several times in its attempt to mount the virtual hard disk:

    diskpart /s C:\ProgramData\kD2aE.tmp

The following script is then executed, and its output is parsed by the loader to retrieve the volume ID of the volume named BLA:

    list volumes
    exit

If the loader is executed with elevated privileges, the diskpart command-line utility will successfully list all volumes, including the attached virtual disk. Otherwise, the loader will use the %APPDATA% directory as the location for its payload. After retrieving the volume ID, it is selected using the following diskpart script:

    select volume
    exit

Afterward, the loader creates a folder at %APPDATA%\e83sG, where the virtual disk is assigned and mounted using the following diskpart script:

    assign mount="C:\ProgramData\e83sG"
    exit

At this stage, the loader extracts and saves the UPX-compressed ransomware payload into the mounted virtual disk as "%APPDATA%\e83sG\Host Process for Windows Services" if the virtual disk was successfully mounted; otherwise, it is saved to "%APPDATA%\Host Process for Windows Services", and then executed from that path.
Here's what the mounted virtual disk looks like from Windows Explorer (screenshot in the original post).

Executing the ransomware payload from a mounted virtual disk facilitates evasion from antivirus and security software, as the virtual disk can be quickly detached after the malicious tasks are completed. It subsequently extracts the final resource into "%APPDATA%\sichost.exe", which in turn places a copy of the loader into "%APPDATA%\A3R6C9.exe" and removes the loader from its original execution path.

Execution

Upon execution of the ransomware payload, it first enables the SeDebugPrivilege for its process, essentially escalating its privilege. It then respawns itself. If it finds that its process is running under a debugger, it immediately terminates the debugger and a few application processes, and stops some services listed in the Process and Service Termination section. Once it verifies that it is not running under a debugger, it modifies the Windows registry keys under the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives to potentially restrict user actions such as:

- logging off
- shutting down
- switching users
- accessing the Task Manager

It then sends a WM_SETTINGCHANGE message to notify the system of these changes. The ransomware then checks for the following command-line arguments:

--target   List of target file or directory paths to encrypt
--debug=   Log errors to the specified log file path

If the number of command-line arguments is greater than one (1) and no target path is specified, the ransomware clears all configurations and exits.
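To turn the staging and loader behaviour described so far into something a defender can check, here is an added example (not code from the original post or from Halcyon): it parses a diskpart script for the select-vdisk/attach-vdisk pair and tags process command lines that carry the artifacts named above. The sample script and command lines are constructed from the paths in this write-up; the user name, the share path, the benign svchost line and the tag names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples: the diskpart script that attaches the staged VHD, and
# process command lines as an EDR feed would record them. Paths are the ones
# named in the analysis; the user name, share path and svchost line are made up.
SAMPLE_DISKPART_SCRIPT = 'select vdisk file="C:\\ProgramData\\Q9acabd3.vhd"\nattach vdisk\nexit\n'
SAMPLE_CMDLINES = [
    r"diskpart /s C:\ProgramData\kD2aE.tmp",
    r'"C:\ProgramData\e83sG\Host Process for Windows Services" --target D:\Shares',
    r"C:\Users\alice\AppData\Roaming\sichost.exe",
    r"cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",   # benign control line
]

# Locations the loader can write to without admin rights.
USER_WRITABLE = {"programdata", "appdata", "temp", "users"}
LOADER_ARTIFACTS = {"sichost.exe", "a3r6c9.exe"}
# "Host Process for Windows Services" is svchost.exe's *description*; a file
# actually carrying that name is the payload, not the real service host.
SPOOFED_NAME = "host process for windows services"

def _in_user_writable(path: str) -> bool:
    parts = {p.lower().strip("\\") for p in PureWindowsPath(path).parts}
    return bool(parts & USER_WRITABLE)

def vhd_staging_findings(script_text: str) -> list:
    """Parse a diskpart script; report a VHD that is selected and then attached."""
    vhd, attached = None, False
    for line in script_text.splitlines():
        m = re.match(r"\s*select\s+vdisk\s+file=(.+)", line, re.I)
        if m:  # tolerate straight or curly quotes around the path
            vhd = m.group(1).strip().strip('"\u201c\u201d')
        elif re.match(r"\s*attach\s+vdisk", line, re.I):
            attached = True
    if vhd and attached:
        where = "user-writable" if _in_user_writable(vhd) else "other"
        return [f"vhd-attach:{where}:{vhd}"]
    return []

def classify_cmdline(cmd: str) -> list:
    """Tag one process command line with the loader/payload indicators above."""
    tags, lower = [], cmd.lower()
    m = re.search(r'diskpart(?:\.exe)?\s+/s\s+"?([^"\s]+)', lower)
    if m and (_in_user_writable(m.group(1)) or m.group(1).endswith(".tmp")):
        tags.append("diskpart-script-from-user-dir")
    tokens = cmd.split()
    image = cmd.split('"')[1] if cmd.startswith('"') else (tokens[0] if tokens else "")
    name = PureWindowsPath(image).name.lower()
    if name == SPOOFED_NAME:
        tags.append("svchost-description-as-filename")
    if name in LOADER_ARTIFACTS:
        tags.append("cloak-loader-artifact")
    if re.search(r"vssadmin(?:\.exe)?\s+delete\s+shadows", lower):
        tags.append("shadow-copy-deletion")
    return tags

def scan(cmdlines=SAMPLE_CMDLINES) -> dict:
    """Map each flagged command line to its tags; clean lines are left out."""
    return {c: tags for c in cmdlines if (tags := classify_cmdline(c))}
```

A legitimate administrator running diskpart against a script in a tools directory gets no tag from the first rule; the point is the combination of a user-writable script location, a VHD attach and a file named after svchost's description.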
Process and Service Termination

After respawning to free itself from being debugged, it terminates the processes associated with debuggers, reverse engineering, and code and performance profiling applications as listed below:

Debuggers and Reverse Engineering Processes:
SND, S-Ice, ImmunityDebugger, OLLYDBG, devenv, idaq, devenv, windbg, gdb, lldb, SoftICE, Immunity, Hopper, radare2, ida64, ghidra, ntsd, x64dbg, x32dbg, windbg, cdb, syserx32, pdb2sdsx32, unpackx32, w32dsm89, w32dsm88, w32dsm87

Code and Performance Profiling Processes:
uVision, CodeTalker, valgrind, cppcheck, clang-cl, PVS-Studio, Parasoft, Understand, Deleaker, CodeBot, appverif, amplxe-gui, nsight

This ransomware stops services associated with AV and security, backup and restore, and database software:

AV and Security Services:
sophos, kavfsslp, KAVFSGT, KAVFS, mfefire, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, zhudongfangyu, Sophos Agent, Sophos Clean Service, Sophos Health Service, Sophos MCS Agent, Sophos MCS Client, Sophos Message Router, Antivirus, EraserSvc11710, EsgShKernel, FA_Scheduler, macmnsvc, masvc, MBAMService, MBEndpointAgent, McAfeeEngineService, McAfeeFramework, McShield, McTaskManager, mfemms, mfevtp, ntrtscan, SAVAdminService, SAVService, SepMasterService, ShMonitor, Smcinst, SmcService, SntpService, sophossps, svcGenericHost, swi_filter, swi_service, swi_update_64, TmCCSF, tmlisten, WRSVC, swi_update, EhttpSrv, ekrn, ESHASRV, AVP, klnagent

Backup and Restore Services:
veeam, backup, YooBackup, YooIT, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, vss, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, stc_raw_agent, VSNAPVSS, PDVFSService, AcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc, Acronis VSS Provider, ARSM, bedbg, DCAgent, EPSecurityService, EPUpdateService, MMS, mozyprobackup, SDRSVC, VeeamBackupSvc, VeeamBrokerSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamDeploySvc, VeeamMountSvc, VeeamRESTSvc, wbengine, VeeamHvIntegrationSvc, Zoolz 2 Service

Database Services:
sql, MsDtsServer, MsDtsServer100, MsDtsServer110, MSOLAP$SQL_2008, MSOLAP$SYSTEM_BGC, MSOLAP$TPS, MSOLAP$TPSAMA, MSSQL$BKUPEXEC, MSSQL$ECWDB2, MSSQL$PRACTICEMGT, MSSQL$PRACTTICEBGC, MSSQL$PROFXENGAGEMENT, MSSQL$SBSMONITORING, MSSQL$SHAREPOINT, MSSQL$SQL_2008, MSSQL$SYSTEM_BGC, MSSQL$TPS, MSSQL$TPSAMA, MSSQL$VEEAMSQL2008R2, MSSQL$VEEAMSQL2012, MSSQLFDLauncher, MSSQLFDLauncher$TPS, MSSQLSERVER, MySQL80, MySQL57, OracleClientCache80, ReportServer, ReportServer$SQL_2008, ReportServer$TPS, ReportServer$TPSAMA, SNAC, SQLAgent$BKUPEXEC, SQLAgent$ECWDB2, SQLAgent$PRACTTICEBGC, SQLAgent$PRACTTICEMGT, SQLAgent$SHAREPOINT, SQLAgent$SQL_2008, SQLAgent$SYSTEM_BGC, SQLAgent$TPS, SQLAgent$TPSAMA, SQLAgent$VEEAMSQL2012, SQLBrowser, SQLSafeOLRService, SQLSERVERAGENT, SQLTELEMETRY, SQLTELEMETRY$ECWDB2, SQLWriter, SQLAgent$CXDB, SQL Backups, MSSQL$PROD, MSSQLServerADHelper, SQLAgent$PROD, msftesql$PROD, MSSQL$SOPHOS, SQLAgent$SOPHOS, MSSQL$SQLEXPRESS, SQLAgent$SQLEXPRESS

System and Utility Services:
svc$, memtas, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, sacsvr, SamSs, UI0Detect, NetMsmqActivator, mepocs

Network and Mail Services:
IISAdmin, IMAP4Svc, MSExchangeES, MSExchangeIS, MSExchangeMGMT, MSExchangeMTA, MSExchangeSA, MSExchangeSRS, POP3Svc, RESvc, SMTPSvc, SstpSvc, W3Svc

Password Management Services:
TrueKey, TrueKeyScheduler, TrueKeyServiceHelper

After closing the above services, it also attempts to terminate processes associated with database, productivity, email, web and security applications as listed below:

Database Applications:
sql, isqlplussvc, sqbcoreservice, msaccess, msftesql, mysqld, mysqld-nt, mysqld-opt, sqlagent, sqlbrowser, sqlservr, steam, oracle, ocautoupds, mydesktopqos, dbsnmp, xfssvccon, mydesktopservice, ocssd, ocomm, dbeng50, sqlwriter

Microsoft Office Applications:
visio, winword, wordpad, outlook, powerpnt, excel, onenote, notepad, mspub, infopath, Notepad

Web Browser Applications/Components:
firefox, firefoxconfig

Email Clients:
thebat, thebat64, thunderbird, tbirdconfig

Antivirus and Security Software:
agntsvc, tmlisten, PccNTMon, CNTAoSMgr, Ntrtscan, mbamtray

System Utilities:
synctime, encsvc

Backup and Restore Software:
zoolz

File Selection/Enumeration

If the --target command-line argument is used to run the ransomware payload, it will only search for files to encrypt within the specified files and directories. Without this argument, it will search for files across all volumes, directories, and network shares. The ransomware achieves this by initializing worker threads that will:

1. Queue Files for Encryption

Files are selected by enumerating all files from a given directory or network resource, skipping files that match any of the folder names, file names or file extensions listed below:

Folder Names:
Boot, BOOTNXT, System Volume Information, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.Bin, ProgramData, All Users

File Names:
readme_for_unlock.txt, autorun.inf, bootfont.bin, bootsect.bak, bootmgr, ntuser.dat.log, thumbs.db, iconcache.db, ntldr, ntuser.dat, d3d9caps.dat, #recycle, "..", "."

File Extensions:
crYpt, crYptA1, crYptA2, crYptA3, sys, tmp, efi, exe, bat, dll, ini, drv, msc

2. Encrypt the Queued Files

There are two (2) modes of encryption implemented by this ransomware, full and intermittent encryption, which depend on the size of the file being encrypted. The encryption modes and their parameters are as follows:

- File size > 0x00 bytes and <= 0x500000 (5 MiB): Full encryption; the whole file is encrypted.
- File size > 0x500000 (5 MiB) and < 0x1400000 (20 MiB): Intermittent encryption with Step = 0x1000000 (16 MiB), Skip = 1/3 of the file, Chunks = 3. A chunk of 0x1000000 bytes is encrypted starting from offset 0x00, then 1/3 of the file is skipped, for a total of 3 encrypted chunks.
- File size > 0x1400000 (20 MiB): Intermittent encryption with Step = 0x1000000 (16 MiB), Skip = 0xA00000 (10 MiB), Chunks = file size / 0xA00000. A chunk of 0x1000000 bytes is encrypted starting from offset 0x00, then 0xA00000 bytes are skipped, for a total of (file size / 0xA00000) encrypted chunks.

Encryption and Decryption

When a file is queued for encryption, its file attributes are first set to FILE_ATTRIBUTE_NORMAL using SetFileAttributesW. Once it is ensured that the file attributes do not include FILE_ATTRIBUTE_READONLY or FILE_ATTRIBUTE_SYSTEM, the file is renamed by appending .crYpt as its extension. Based on our analysis, this ransomware is derived from the leaked Babuk source code, as is evident in the decompiled code (shown in the original post).

This ransomware uses CryptGenRandom, a cryptographically secure pseudo-random number generator, to generate a random 32-byte (0x20) Curve25519 private key.
It uses Curve25519_donna to derive a 32-byte public key from the generated private key, and uses Curve25519_donna again to derive a 32-byte shared key from the generated private key and a hard-coded 32-byte public key, which in this case is:

    00000000: 7a 15 f0 aa 58 7d 9d 6a b5 54 bb ae 0f 8c 41 8a  z...X}.j.T....A.
    00000010: 73 5c ac ea e9 e6 80 8b 82 f0 87 f4 78 82 74 0f  s\..........x.t.

A 64-byte (512-bit) hash is then generated by taking the SHA512 hash of the Curve25519 shared key; the first 32 bytes are used as the HC-128 key and the remaining 32 bytes as the HC-128 initialization vector (IV). Depending on the encryption mode described in the File Selection/Enumeration section, data chunks from the file are encrypted using HC-128. A 0x48-byte footer structure is appended at the end of the encrypted file (its layout is shown in the original post).

This ransomware variant may have adapted its cryptographic algorithms from the following sources:

- Elliptic Curve Cryptography (ECC) function Curve25519_donna: https://github.com/agl/curve25519-donna/blob/master/curve25519-donna.c
- SHA512: https://github.com/Maximus5/plink/blob/607ca3416722096a75555009b3422de97c37e65a/sshsh512.c#L303

Extortion Notifications

During the C Run-Time initialization of the ransomware payload, the ransom note is decrypted with a modified variant of the Extended Tiny Encryption Algorithm (XTEA) using a 16-byte key derived from four (4) hard-coded bytes (code snippet shown in the original post).

Just before the encryption threads are initialized, a bitmap image is generated from the decrypted ransom note, saved to C:\ProgramData\wallpaper.bmp, and set as the desktop wallpaper using the SystemParametersInfoW function (code snippet and wallpaper preview shown in the original post).
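The per-run key schedule described in the Encryption and Decryption section above, as an added example that is neither the sample's code nor the curve25519-donna or sshsh512 sources linked there: a pure-Python RFC 7748 X25519 ladder stands in for Curve25519_donna, os.urandom for CryptGenRandom and hashlib for SHA512, and the hard-coded public key is the one from the hex dump. HC-128 itself is not implemented; the example stops at the key and IV the cipher would be seeded with.

```python
import hashlib
import os

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")
# The hard-coded 32-byte public key from the sample's hex dump above.
CLOAK_PUBLIC_KEY = bytes.fromhex(
    "7a15f0aa587d9d6ab554bbae0f8c418a735caceae9e6808b82f087f47882740f")

def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (stand-in for Curve25519_donna)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(bytes([*u[:31], u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_file_keys(private_key: bytes, attacker_public: bytes = CLOAK_PUBLIC_KEY):
    """Victim public key, HC-128 key and HC-128 IV for one ransomware run.

    shared = X25519(priv, attacker_public); SHA-512(shared) is split into the
    32-byte key and the 32-byte IV. Anyone without the attacker's private key
    cannot recompute shared from the victim public key alone."""
    victim_public = x25519(private_key, BASEPOINT)
    shared = x25519(private_key, attacker_public)
    digest = hashlib.sha512(shared).digest()
    return victim_public, digest[:32], digest[32:]

def new_run_keys():
    """Fresh 32-byte private key per run (CryptGenRandom in the sample)."""
    return derive_file_keys(os.urandom(32))
```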
In addition, for every directory traversed by the file enumeration thread, a ransom note in text format is saved as readme_for_unlock.txt.

Backup Disruptions

Before initializing the encryption threads, the ransomware empties the recycle bin by calling the SHEmptyRecycleBinA function. It then deletes volume shadow copies by running the following command line:

    cmd.exe /c vssadmin.exe delete shadows /all /quiet

This ransomware adds the following registry entry to make sure it executes every time the system starts:

    Hive:  HKEY_LOCAL_MACHINE
    Key:   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Entry: Windows Update
    Path:  C:\ProgramData\Host Process for Windows Services
           or C:\ProgramData\e83sG\Host Process for Windows Services

System Modifications

To restrict the user from logging out, shutting down, switching to another user or accessing the Task Manager, the ransomware sets the following registry values:

    Hives:   HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
    Key:     SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
    Entries: NoLogoff, NoClose, StartMenuLogOff, DisableChangePassword, DisableSwitchUser, DisableTaskMgr, HideFastUserSwitching

Conclusion

The Cloak ransomware variant analyzed demonstrates a high level of sophistication in its operational tactics, combining advanced privilege escalation, process termination, and encryption techniques. Its delivery mechanism embeds the payload seamlessly, while its use of the HC-128 algorithm and robust key generation ensures secure and effective file encryption.
By targeting security tools, backups, and databases, Cloak maximizes disruption and complicates recovery efforts. Its persistence mechanisms, including registry modifications and user restrictions, further ensure prolonged impact and operational downtime. With its strategic use of intermittent encryption and aggressive deletion of recovery tools, Cloak exemplifies a modern ransomware threat designed to exert maximum pressure on victims while evading detection and countermeasures.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.

Source: https://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities