
CloAk Ransomware: Complete Guide 

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Her personal interests in creative writing and PC gaming also make her articles on data storage and data recovery accessible to a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO and digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he has helped restore data after logical errors, physical failures, and even ransomware attacks for individuals, businesses, and government agencies alike.

CloAk ransomware encrypts files and opens your network and system to new attacks. See how you can prevent and remove it.

CloAk ransomware is a relatively new ransomware group that emerged between late 2022 and the beginning of 2023. The origins and identities of the group behind the ransomware are currently unknown.

This ransomware uses the infected machine's own resources both to exfiltrate data and to encrypt the files.

The threat actors leverage intimidation tactics to coerce the victim into paying the ransom, and the group has a known extortion site where they sell and leak data from their victims. The victims listed on the Cloak leak site indicate some amount of geographical focus, with the main countries targeted being Germany, Italy, Taiwan, and France.

CloAk leak webpage

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.

What kind of malware is CloAk?

Cloak or CloAk ransomware is a type of malware that encrypts a victim’s data and demands a ransom payment in exchange for the decryption key. The Cloak ransomware group has a known extortion site where they sell and leak data from their victims.

The ransomware also attempts to remove volume shadow copies (VSS) using the command vssadmin.exe delete shadows /all /quiet. Affected files are renamed with the .crYptA or .crYptB extension after encryption; the final letter of the extension advances through the alphabet, so the pattern can extend up to .crYptE. The ransomware also delays execution of the payload through a hidden command-prompt invocation of the form /c TIMEOUT /T.
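The two behaviours just described (deleting shadow copies with vssadmin and delaying the payload with a TIMEOUT call) both show up in process-creation telemetry, so they are useful detection points. The following is an added example, not code from the article or from any vendor product: a small rule evaluator run over constructed process-creation events in a Sysmon Event ID 1 style. The event fields, host names, parent paths and the "suspicious parent" heuristic (a parent binary living under a user-writable Temp or AppData directory) are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c TIMEOUT /T 30",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Benign look-alikes that must not fire: listing shadows, and an ordinary cmd /c.
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\backups",
     "parent": r"C:\Windows\explorer.exe"},
]

# Command-line patterns taken from the behaviours the article describes.
RULES = [
    # Shadow copy deletion (MITRE ATT&CK T1490, Inhibit System Recovery).
    ("shadow_copy_deletion", "high",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)),
    # Payload delay via the command interpreter: "/c TIMEOUT /T <seconds>".
    ("delayed_execution", "medium",
     re.compile(r"(?:^|\s)/c\s+timeout\s+/t\b", re.IGNORECASE)),
]

# Assumed heuristic: a parent process running from a user-writable location
# (Temp or AppData) makes either finding more suspicious.
USER_WRITABLE = re.compile(r"\\(Temp|AppData)\\", re.IGNORECASE)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match, with a severity."""
    findings = []
    for ev in events:
        for name, severity, pattern in RULES:
            if not pattern.search(ev["cmdline"]):
                continue
            suspicious_parent = bool(USER_WRITABLE.search(ev["parent"]))
            findings.append({
                "rule": name,
                # Escalate medium findings whose parent lives in a user-writable path.
                "severity": "high" if suspicious_parent else severity,
                "host": ev["host"],
                "cmdline": ev["cmdline"],
                "parent": ev["parent"],
                "suspicious_parent": suspicious_parent,
            })
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['rule']} <- {f['cmdline']} (parent {f['parent']})")
```

In a real deployment the same two patterns would sit in an EDR or SIEM rule; the point of the benign events in the sample is that "vssadmin list shadows" and plain "cmd /c" invocations are common in administration and must not trigger.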

Everything we know about CloAk Ransomware

Confirmed Name

  • CloAk virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker
  • Double extortion

Encrypted Files Extension

  • .crYptA
  • .crYptB
  • .crYptC
  • .crYptD
  • .crYptE

Ransom Demanding Message

  • readme_for_unlock.txt

Is There a Free Decryptor Available?

No, there’s no public decryptor for CloAk ransomware.

Distribution methods

  • Social engineering
  • Malvertising
  • Exploit Kits
  • Remote Desktop Protocol (RDP)
  • Stolen credentials
  • Drive-By Download
  • Pirated Software

Consequences

  • Files are encrypted and locked until the ransom payment
  • Data leak
  • Double extortion

What is in the CloAk ransom note

Cloak ransomware displays a ransom message, named readme_for_unlock.txt, demanding payment in exchange for the decryption key. The ransom message is designed to intimidate the victim into paying the ransom.

Sample of the CloAk ransom note content:

!!! ATTENTION !!!

Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company.

All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale.

What you will face if your data gets on the black market:
1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores.
2) You may be sued by clients of your company for leaking information that was confidential.
3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify.
4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered.
5) You will forever lose the reputation.
6) You will be subject to huge fines from the government.

You can learn more about liability for data loss here:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://gdpr-info.eu/

Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse.

You can get out of this situation with minimal losses. To do this you must strictly observe the following rules:
DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it may also DAMAGE files.
DO NOT Shutdown or Reboot the system this may DAMAGE files.
DO NOT hire any third party negotiators (recovery/police, etc.)

You need to contact us as soon as possible and start negotiations.

Instructions for contacting our team:
Download & Install TOR browser: https://torproject.org
For contact us via LIVE CHAT open our
> Website: http://47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd.onion
> Login: [snip]
> Password: [snip]
If Tor is restricted in your area, use VPN
If you have any problems with LIVE CHAT you can send a message here:
> Email:

If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

How does CloAk ransomware infect a machine or network?

Social Engineering

Phishing is the most common method used by ransomware groups to infect systems. The attacker sends an email that appears to be from a legitimate source, such as a bank or a shipping company, and tricks the victim into clicking on a link or downloading an attachment that contains the ransomware.

Malvertising and Exploit Kits

Malvertising is the use of online advertising that appears legitimate to spread malware. Exploit kits are pre-packaged software used to exploit vulnerabilities in a system.

Remote Desktop Protocol (RDP)

Attackers can use known vulnerabilities or brute force attacks to gain access to a system through RDP. Once they have access, they can install ransomware on the system.
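Brute-force attempts against RDP leave a recognisable trace: bursts of failed logons (Windows Security event 4625) with logon type 10 (RemoteInteractive) from one source address. The following added example, which is not from the article, detects such bursts over constructed logon-failure records with a sliding time window. The tuple layout, the threshold of 10 failures in 5 minutes, and all IP addresses and usernames are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of failed-logon records: (timestamp, source IP, username, logon type).
# Logon type 10 = RemoteInteractive (RDP); type 3 = network logon, which is excluded.
_BASE = datetime(2024, 1, 5, 2, 10, 0)
SAMPLE_4625: List[Tuple[str, str, str, int]] = [
    # 12 RDP failures in under two minutes from one address, cycling through usernames.
    ((_BASE + timedelta(seconds=10 * i)).isoformat(), "203.0.113.7",
     ["administrator", "admin", "backup"][i % 3], 10)
    for i in range(12)
] + [
    ("2024-01-05T09:00:00", "192.0.2.10", "alice", 10),        # a single mistyped password
    ("2024-01-05T02:11:00", "203.0.113.7", "svc-backup", 3),   # network logon, not RDP
    ("2024-01-05T02:11:30", "198.51.100.4", "admin", 10),      # two failures, below threshold
    ("2024-01-05T02:11:40", "198.51.100.4", "admin", 10),
]


def find_rdp_brute_force(events: List[Tuple[str, str, str, int]],
                         threshold: int = 10,
                         window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Report each source IP with >= threshold RDP logon failures inside any window."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user, logon_type in events:
        if logon_type != 10:  # only RemoteInteractive (RDP) failures count
            continue
        by_ip[ip].append((datetime.fromisoformat(ts), user))

    alerts = []
    for ip, failures in by_ip.items():
        failures.sort()
        start = 0
        best = None
        # Two-pointer sliding window over the time-sorted failures.
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "source_ip": ip,
                    "count": count,
                    "first": failures[start][0].isoformat(),
                    "last": failures[end][0].isoformat(),
                    "usernames": sorted({u for _, u in failures[start:end + 1]}),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_rdp_brute_force(SAMPLE_4625):
        print(f"RDP brute force from {a['source_ip']}: {a['count']} failures "
              f"between {a['first']} and {a['last']}, users {a['usernames']}")
```

The usernames list is worth surfacing in the alert: a single account with many failures looks like a locked-out user, while many accounts from one address is password spraying. Either way the mitigation is the same as the article's advice: do not expose RDP directly, require MFA, and lock out after repeated failures.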

Drive-By Downloads

This is a method where attackers infect a website with malware. When a victim visits the website, the malware is downloaded onto their system without their knowledge.

Pirated Software

Attackers can infect pirated software with ransomware and distribute it through torrent sites or other file-sharing platforms.

How does CloAk ransomware work

Initial Access

The cyber actor gains access to the network or machine using various methods such as social engineering, malvertising, exploit kits, remote desktop protocol (RDP), stolen credentials, drive-by downloads, or pirated software.

Reconnaissance

Once the attacker gains access, they proceed to reconnaissance to identify the target’s network and devices.

Lateral Movement

The attacker moves laterally across the network to gain access to all devices and systems.

Exfiltration

The attacker exfiltrates data from the network or machine, which is then used to threaten the victim into paying the ransom.

Deployment of Ransomware

The attacker deploys the Cloak ransomware payload to encrypt the victim’s data.

Ransom Demand and Data Leaks

The ransomware displays a message to the victim, explaining that files are inaccessible and can only be accessed again upon paying a ransom to the attackers.

The Cloak ransomware group has a known extortion site where they sell and leak data from their victims.

Do not pay the ransom! Contacting a ransomware removal service can not only restore your files but also remove any potential threat.

How to handle a CloAk ransomware attack

The first step to recovering from a CloAk attack is to isolate the infected computer by disconnecting it from the internet and removing any connected devices. Then, you must contact local authorities. For US residents and businesses, that means the local FBI field office and the Internet Crime Complaint Center (IC3).

To report a ransomware attack you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with threat actors (if you have them)
  • A sample of an encrypted file

However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery. Capturing the RAM of a live system may help recover the encryption key, and a captured dropper file (the file that executes the malicious payload) can be reverse-engineered, which may lead to decryption of the data or at least an understanding of how the ransomware operates.

You must not delete the ransomware, and you must keep all evidence of the attack. That is important for digital forensics so experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware families use the file extension as their name), by using a ransomware ID tool, or from the ransom note. With this information, you can look for a public decryption key.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
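The two on-disk indicators this article gives for CloAk, the appended .crYptA to .crYptE extensions and the readme_for_unlock.txt note, are enough for a first-pass identification during triage. The following is an added example, not code from the article: it builds a small constructed directory tree in a temporary folder (the file names and contents are placeholders, not real encrypted data) and scans it read-only for those indicators. The "confidence" labels are an assumption made for the example.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

# Indicators taken from the article: appended extension .crYptA .. .crYptE (case-sensitive,
# final letter advances through the alphabet) and the ransom note file name.
CLOAK_EXT = re.compile(r"\.crYpt[A-E]$")
CLOAK_NOTE = "readme_for_unlock.txt"


def build_sample_tree() -> str:
    """Create a constructed directory that mimics a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="cloak_triage_"))
    (root / "finance").mkdir()
    for name in ["q1_report.xlsx.crYptA",
                 "finance/ledger.db.crYptA",
                 "finance/invoices.zip.crYptB"]:
        # Placeholder bytes standing in for ciphertext; nothing here is real malware output.
        (root / name).write_bytes(b"\x00constructed ciphertext placeholder")
    (root / "notes.txt").write_text("untouched plaintext")
    (root / "finance" / "decoy.crYptF").write_text("not a CloAk extension")
    # Ransomware typically drops one note per directory it touched.
    note_text = "!!! ATTENTION !!! Your network is hacked and files are encrypted. (constructed)"
    (root / CLOAK_NOTE).write_text(note_text)
    (root / "finance" / CLOAK_NOTE).write_text(note_text)
    return str(root)


def triage(root: str) -> Dict:
    """Walk the tree read-only and summarise CloAk indicators found."""
    ext_counts: Counter = Counter()
    notes = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == CLOAK_NOTE:
                notes.append(os.path.relpath(os.path.join(dirpath, name), root))
            match = CLOAK_EXT.search(name)
            if match:
                ext_counts[match.group(0)] += 1
    encrypted = sum(ext_counts.values())
    # Both indicator types present -> high; only one -> medium; none -> no match.
    if encrypted and notes:
        confidence = "high"
    elif encrypted or notes:
        confidence = "medium"
    else:
        confidence = "none"
    return {
        "likely_family": "CloAk" if confidence != "none" else None,
        "confidence": confidence,
        "encrypted_count": encrypted,
        "extensions": dict(ext_counts),
        "ransom_notes": sorted(notes),
    }


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(result)
```

The scan never opens or modifies the candidate files, in line with the article's advice to leave infected machines untouched; it reads names only, and the ransom note is reported by path so an analyst can collect it as evidence.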

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent CloAk ransomware from attacking your network again. Contact our experts 24/7 for ransomware recovery services.

Prevent the CloAk ransomware attack

Preventing ransomware attacks is the best approach to data security: it is easier and cheaper than recovering from them. A CloAk ransomware attack can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

  • Keep your operating system and software up-to-date with the latest security patches and updates. This can help prevent vulnerabilities that can be exploited by attackers.
  • Use strong and unique passwords for all accounts and enable two-factor authentication whenever possible. This can help prevent attackers from gaining access to your accounts.
  • Be cautious of suspicious emails, links, and attachments. Do not open emails or click on links or attachments from unknown or suspicious sources.
  • Use reputable antivirus and anti-malware software and keep it up-to-date. This can help detect and remove malware before it can cause damage.
  • Use a firewall to block unauthorized access to your network and systems.
  • Segment your network to divide a larger network into smaller sub-networks with limited interconnectivity between them. This restricts an attacker's lateral movement and prevents unauthorized users from accessing the organization's intellectual property and data.
  • Limit user privileges to prevent attackers from gaining access to sensitive data and systems.
  • Educate employees and staff on how to recognize and avoid phishing emails and other social engineering attacks.