Skip to content
Cloak Ransomware
Under attack by ransomware or suffering a cyber breach?
Speed is critical when facing a live cyber attack. If you believe you’ve been compromised, by the Cloak ransomware group or another threat actor - contact us immediately.
About Cloak ransomware group
First emerging in late 2022, Cloak Ransomware has quickly established itself as a serious and evolving threat within the cyber security landscape.
Once a system is infected, victims typically encounter a ransom notice similar to the one displayed here. The attacker, often a sophisticated threat actor, encrypts files and exfiltrates sensitive data, effectively holding both systems and information hostage. Victims are then extorted for payment, usually demanded in cryptocurrency such as Bitcoin, in exchange for decryption keys and the promise not to leak stolen data.
What we can help with:
- Encrypted files & ransomware data recovery
- Incident response and containment
- Secure data restoration and system recovery
- Use of ransomware decryption tools and data recovery software
- Development of incident response plans and disaster recovery solutions
- Post-incident reviews and security hardening
Request a call back
If your organisation has been infected with ransomware contact us immediately.
How Cloak operators work
Cloak Ransomware emerged in late 2022 and has quickly become a significant threat in the cyber security landscape. According to its Data Leak Site (DLS), the group has breached 23 databases from SMEs across industries including medical, real estate, construction, IT, food, and manufacturing, mainly in Europe, with Germany hit hardest.
Cloak’s origins remain unclear, but the group is known to purchase access through Initial Access Brokers (IABs), especially on Russian forums. It uses phishing, malvertising, exploit kits, RDP, stolen credentials, and pirated software to gain access to systems, often escalating privileges once inside.
The ransomware attack relies on double extortion: first stealing data, then encrypting it. Victims are forced to pay for encryption keys and to prevent data leaks. Cloak’s tactics and infrastructure show similarities to other ransomware groups, suggesting possible collaboration or shared tools.
We are equipped to deal with an attack from any ransomware group.
Don’t hesitate to contact us if you are under attack from a ransomware group not listed above.
Recognising a Cloak attack
Cloak ransomware employs double extortion tactics, encrypting the victim’s data to make it inaccessible while simultaneously exfiltrating sensitive information, including personal and corporate details. In addition to file encryption, Cloak also uses VHD extraction capabilities to steal large volumes of data efficiently.
The threat actors demand payment not only for providing encryption keys to restore access but also to prevent the stolen data from being published on the dark web. This dual threat significantly raises the stakes for victims, as even organisations with backups face the risk of their sensitive information being leaked.
Cloak’s strategy heavily relies on manipulating user actions, pressuring victims into paying the ransom to avoid severe consequences such as reputational damage and legal exposure. This approach has gained popularity among cybercriminals because it maximises their chances of receiving payment.
Why you must not interfere with your ransomware environment
If you discover a physical break-in at your offices, your first instinct would be to call the police; touch nothing and let them search for clues. Then, your focus would shift to restoring business operations.
A cyber-attack requires the same approach. Your digital environment is a CRIME SCENE. It is crucial to leave the environment untouched to allow for a forensic investigation.
This is not a task for your IT team or MSP. Digital Forensic specialists are available 24/7 to assist you, just like in a physical crime.
| description | Sector | Date Discovered | Attack Date | Country | Screenshot |
|---|---|---|---|---|---|
| [AI generated] N/A | Public Sector | 24/02/2026 11:32 AM | 24/02/2026 11:32 AM | US | - |
| Not Found | 24/02/2026 11:31 AM | 24/02/2026 11:31 AM | - | ||
| [AI generated] "Dinnebiergruppe.de" is a German company incorporated into the automobile industry. They are authorized dealers for major car brands including Mercedes-Benz, smart, Audi, Porsche, and Volkswagen Commercial Vehicles. The company offers a broad range of services including car sales, leasing, financing, insurance, and extensive car maintenance. Moreover, they are also involved in real estate management, hotel industry, and operate petrol stations. | Not Found | 19/02/2026 10:56 AM | 19/02/2026 10:56 AM | DE | - |
| Not Found | 03/02/2026 12:38 PM | 03/02/2026 12:38 PM | - | ||
| [AI generated] Fitzpatrick Hotels operates two boutique hotels in New York City, providing Irish-style hospitality to guests. Established in the late 20th century, the family-owned business primarily caters to those who value warmth, charm, and a touch of old-world elegance. Their hotels, Fitzpatrick Manhattan and Fitzpatrick Grand Central, boast a strategic location, iconic Irish pub-style restaurants, sophisticated amenities, and rooms. | Hospitality and Tourism | 30/12/2025 11:17 AM | 30/12/2025 11:17 AM | US | - |
| Technology | 19/12/2025 02:13 PM | 19/12/2025 02:13 PM | - | ||
| Not Found | 19/12/2025 02:13 PM | 19/12/2025 02:13 PM | - | ||
| Not Found | 18/11/2025 02:49 PM | 18/11/2025 02:49 PM | - | ||
| Not Found | 18/11/2025 02:49 PM | 18/11/2025 02:49 PM | - | ||
| Not Found | 16/10/2025 11:23 AM | 16/10/2025 11:23 AM | - | ||
| Not Found | 16/10/2025 11:23 AM | 16/10/2025 11:23 AM | - | ||
| [AI generated] N/A | Healthcare | 07/09/2025 07:11 AM | 07/09/2025 07:11 AM | US | - |
| Seit über dreißig Jahren betreuen Frank Hoffmann und Stephan Hofmann zuverlässig Mandanten an Rhein und Ruhr und aus dem Bergischen Land. | Business Services | 09/08/2025 07:43 AM | 09/08/2025 07:43 AM | DE | - |
| Not Found | 09/08/2025 07:43 AM | 09/08/2025 07:43 AM | - | ||
| Not Found | 09/08/2025 07:43 AM | 09/08/2025 07:43 AM | - | ||
| Not Found | 09/08/2025 07:43 AM | 09/08/2025 07:43 AM | BH | - | |
| Not Found | 09/08/2025 07:43 AM | 09/08/2025 07:43 AM | RO | - | |
| Not Found | 07/07/2025 02:51 PM | 07/07/2025 02:51 PM | BR | - | |
| Not Found | 07/07/2025 02:51 PM | 07/07/2025 02:51 PM | DE | - | |
| [AI generated] N/A | Public Sector | 27/06/2025 05:16 AM | 27/06/2025 05:16 AM | LK | - |
| Country: USA Views: 161 | Not Found | 06/06/2025 04:56 PM | 06/06/2025 04:56 PM | - | |
| Not Found | 06/05/2025 11:41 AM | 06/05/2025 11:41 AM | - | ||
| [AI generated] "Bosshard-farben.ch" is a Swiss company specializing in the sale of floor and wall paints. In addition to interior and exterior paints, they offer lacquers, glazes, plasters, and other painting supplies. They also provide additional products for floor, wall and ceiling design. Renowned for their comprehensive selection, they cater to both professional painters and DIY enthusiasts. | Manufacturing | 18/04/2025 02:25 PM | 18/04/2025 02:25 PM | CH | - |
| Not Found | 18/04/2025 02:25 PM | 18/04/2025 02:25 PM | LK | - | |
| Not Found | 18/04/2025 02:25 PM | 18/04/2025 02:25 PM | - | ||
| Not Found | 18/04/2025 02:25 PM | 18/04/2025 02:25 PM | GB | - | |
| Not Found | 18/04/2025 02:25 PM | 18/04/2025 02:25 PM | - | ||
| [IA generated] Swiss company specializing in the production of paints, varnishes, and glazes for building and wood protection, | Consumer Services | 06/04/2025 08:00 AM | 28/03/2025 12:00 AM | CH | - |
| [AI generated] N/A | Public Sector | 20/03/2025 03:25 PM | 20/03/2025 03:25 PM | US | - |
| [AI generated] "Wr-recht.de" is a German legal advisory firm that specializes in matters of insolvency law, commercial law, and general civil law. The company caters to both private individuals and businesses, offering effective and efficient legal services. They possess extensive experience in guiding clients through legal proceedings, ensuring optimal client representation. | Not Found | 20/03/2025 03:25 PM | 20/03/2025 03:25 PM | DE | - |
| [AI generated] Baltimore City Public Schools, also known as City Schools, is a public school district in Baltimore, Maryland, United States. It serves the youth of Baltimore and is committed to providing a comprehensive, high-quality education. The district includes elementary, middle, and high schools, and offers specialized programs and initiatives to support students' growth and development. | Education | 20/03/2025 03:24 PM | 20/03/2025 03:24 PM | - | |
| Not Found | 20/03/2025 03:24 PM | 20/03/2025 03:24 PM | PA | - | |
| Not Found | 20/03/2025 03:24 PM | 20/03/2025 03:24 PM | NL | - | |
| Not Found | 25/02/2025 03:21 PM | 25/02/2025 03:21 PM | - | ||
| [AI generated] Waggoner Engineering, founded in 1976, is a professional services firm with a focus on engineering, geospatial and consulting services. Their team of multidisciplinary professionals serve clients within sectors like government agencies, industrial organizations, and private sector clients. The key industries they work in include energy, environment, infrastructure, and technology. Their headquarters are in Jackson, Mississippi. | Not Found | 20/02/2025 04:23 PM | 20/02/2025 04:23 PM | US | - |
| Not Found | 20/02/2025 04:23 PM | 20/02/2025 04:23 PM | - | ||
| Not Found | 20/02/2025 04:23 PM | 20/02/2025 04:23 PM | DE | - | |
| Not Found | 20/02/2025 04:23 PM | 20/02/2025 04:23 PM | DE | - | |
| Not Found | 20/02/2025 04:23 PM | 20/02/2025 04:23 PM | US | - | |
| Not Found | 03/02/2025 03:19 PM | 03/02/2025 03:19 PM | CA | - | |
| Country: Spain Views: 69 View more /enova Public <100GB | Healthcare | 30/01/2025 07:01 PM | 30/01/2025 07:01 PM | - | |
| Country: USA Views: 53 View more /pac Public 156GB | Financial Services | 29/01/2025 07:28 PM | 29/01/2025 07:28 PM | - | |
| Country: germany Views: 106 View more /kaiser Public <100GB | Not Found | 28/01/2025 03:17 PM | 28/01/2025 03:17 PM | DE | - |
| Country: germany Views: 88 View more /neovita Public 227GB | Healthcare | 28/01/2025 03:16 PM | 28/01/2025 03:16 PM | DE | - |
| Bwfg.at Country: austria Views: 16 View more /bwfg Public 102GB | Financial Services | 23/01/2025 06:39 PM | 23/01/2025 06:39 PM | AT | - |
| Country: USA Views: 0 View more /hidden_113 Private 156GB | Not Found | 21/01/2025 04:28 PM | 21/01/2025 04:28 PM | - | |
| Country: USA Views: 0 View more /hidden_114 Private | Not Found | 21/01/2025 04:28 PM | 21/01/2025 04:28 PM | - | |
| Country: Italy Views: 0 View more /hidden_115 Private 271GB | Not Found | 21/01/2025 04:28 PM | 21/01/2025 04:28 PM | - | |
| Mai***********.de Country: germany Views: 1 View more /hidden_112 Private <100GB | 30/12/2024 09:42 PM | 30/12/2024 09:42 PM | DE | - | |
| bac***********.com.au Country: Australia Views: 2 View more /hidden_111 Private <100GB | 30/12/2024 09:42 PM | 30/12/2024 09:42 PM | AU | - | |
| Ponoka.ca Country: Canada Views: 52073 View more /ponoka Public 110GB | Government | 30/12/2024 09:42 PM | 30/12/2024 09:42 PM | CA | - |
| Kai*************.de Country: germany Views: 0 View more /hidden_109 Private <100GB | 20/12/2024 06:11 AM | 20/12/2024 06:11 AM | DE | - | |
| Country: germany Views: 0 View more /hidden_110 Private 227GB | 20/12/2024 06:11 AM | 20/12/2024 06:11 AM | DE | - | |
| [AI generated] Fmp.gob.pe refers to the Fondo MIVIVIENDA, a Peruvian government initiative aimed at facilitating access to affordable housing. It provides financial products and services to support homeownership, particularly for low- and middle-income families. The organization focuses on promoting sustainable urban development and improving living conditions through accessible mortgage loans and housing programs. | Government | 20/12/2024 06:11 AM | 20/12/2024 06:11 AM | PE | - |
| Ukh-hof.de Country: Germany Views: 56 View more /ukh Public <100GB | Healthcare | 10/12/2024 10:28 PM | 10/12/2024 10:28 PM | DE | - |
| Orthopaedie-hof.de Country: Germany Views: 51 View more /ortho Public <100GB | Healthcare | 10/12/2024 10:28 PM | 10/12/2024 10:28 PM | DE | - |
| N************.uk Country: United Kingdom Views: 0 View more /hidden_108 Private 125GB | Not Found | 10/12/2024 10:28 PM | 10/12/2024 10:28 PM | GB | - |
| Country: USA Views: 61 View more /donne Public <100GB | Business Services | 05/12/2024 09:14 AM | 04/12/2024 12:00 AM | US | - |
| Not Found | 30/11/2024 07:41 PM | 06/11/2024 10:02 AM | - | ||
| Not Found | 30/11/2024 07:41 PM | 06/11/2024 10:02 AM | - | ||
| Financial | 30/11/2024 07:41 PM | 06/11/2024 10:02 AM | FR | - | |
| Globalresultspr.com Country: USA Public 123GB | Business Services | 30/11/2024 07:41 PM | 19/11/2024 05:16 PM | US | - |
| don****************.com Country: USA Private <100GB | Not Found | 30/11/2024 07:41 PM | 16/11/2024 05:16 AM | US | - |
| F************.pe Country: Peru Private 221GB | Not Found | 30/11/2024 07:41 PM | 16/11/2024 05:16 AM | PE | - |
| Country: Germany Views: 0 Private <100GB | Not Found | 30/11/2024 07:41 PM | 28/11/2024 05:22 PM | DE | - |
| Country: Germany Views: 0 Private <100GB | Not Found | 30/11/2024 07:41 PM | 28/11/2024 05:22 PM | DE | - |
| Country: Germany Views: 0 Private 134GB | Not Found | 30/11/2024 07:41 PM | 28/11/2024 05:23 PM | DE | - |
| Country: Austria Views: 0 Private 122GB | Not Found | 30/11/2024 07:41 PM | 28/11/2024 05:24 PM | AT | - |
| Country: Ireland | Not Found | 22/10/2024 07:51 PM | 22/10/2024 07:51 PM | IE | - |
| Country: USA | Transportation/Logistics | 26/09/2024 06:56 PM | 26/09/2024 06:56 PM | US | - |
| Country: italy | Not Found | 26/09/2024 06:56 PM | 26/09/2024 06:56 PM | IT | - |
| Country: USA | Healthcare | 25/09/2024 01:26 PM | 25/09/2024 01:26 PM | US | - |
| Country: germany | Healthcare | 19/09/2024 08:03 PM | 19/09/2024 08:03 PM | DE | - |
| Country: USA | Business Services | 03/09/2024 08:02 PM | 03/09/2024 08:02 PM | US | - |
| Country: USA | Business Services | 03/09/2024 08:02 PM | 03/09/2024 08:02 PM | US | - |
| Country: germany | Business Services | 03/09/2024 08:02 PM | 03/09/2024 08:02 PM | DE | - |
| Country: USA | Financial | 23/08/2024 06:53 AM | 23/08/2024 06:53 AM | US | - |
| Country: United Kingdom | Manufacturing | 21/08/2024 05:46 PM | 21/08/2024 05:46 PM | GB | - |
| Country: Denmark | Business Services | 21/08/2024 05:46 PM | 21/08/2024 05:46 PM | DK | - |
| Country: germany | Business Services | 21/08/2024 05:44 PM | 21/08/2024 05:44 PM | DE | - |
| Country: United Kingdom | Manufacturing | 21/08/2024 05:42 PM | 21/08/2024 05:42 PM | GB | - |
| Country: France | Not Found | 14/08/2024 04:29 PM | 14/08/2024 04:29 PM | FR | - |
| Country: Cyprus | Technology | 14/08/2024 04:29 PM | 14/08/2024 04:29 PM | CY | - |
| Country: USA | Not Found | 05/08/2024 05:47 PM | 05/08/2024 05:47 PM | US | - |
| Country: United Kingdom | Business Services | 01/08/2024 08:05 AM | 01/08/2024 08:05 AM | GB | - |
| Country: USA | Manufacturing | 27/07/2024 08:40 AM | 27/07/2024 08:40 AM | US | - |
| Country: germany | Business Services | 22/07/2024 08:50 AM | 22/07/2024 08:50 AM | DE | - |
| Country: United Kingdom | Technology | 22/07/2024 08:50 AM | 22/07/2024 08:50 AM | GB | - |
| Country: USA | Technology | 22/07/2024 08:50 AM | 22/07/2024 08:50 AM | US | - |
| Country: USA | Technology | 15/07/2024 12:00 PM | 15/07/2024 12:00 PM | US | - |
| Country: Denmark | Business Services | 15/07/2024 12:00 PM | 15/07/2024 12:00 PM | DK | - |
| Country: USA | Government | 04/07/2024 02:21 PM | 04/07/2024 02:21 PM | US | - |
| Country: United Kingdom | Business Services | 04/07/2024 02:21 PM | 04/07/2024 02:21 PM | GB | - |
| Country: Poland | Business Services | 30/06/2024 06:19 PM | 30/06/2024 06:19 PM | PL | - |
| Country: USA | Not Found | 30/06/2024 06:19 PM | 30/06/2024 06:19 PM | US | - |
| Country: USA | Business Services | 27/06/2024 09:00 AM | 27/06/2024 09:00 AM | US | - |
| Country: germany | Manufacturing | 27/06/2024 09:00 AM | 27/06/2024 09:00 AM | DE | - |
| Country: spain | Transportation/Logistics | 14/06/2024 07:01 AM | 14/06/2024 07:01 AM | ES | - |
| Country: USA | Not Found | 14/06/2024 07:01 AM | 14/06/2024 07:01 AM | US | - |
| Country: USA | Not Found | 07/06/2024 08:37 AM | 07/06/2024 08:37 AM | US | - |
| Country: germany | Business Services | 21/05/2024 06:04 AM | 21/05/2024 06:04 AM | DE | - |
| Country: germany | Business Services | 16/05/2024 02:15 PM | 16/05/2024 02:15 PM | DE | - |
| Country: Colombia | Not Found | 04/05/2024 08:47 AM | 04/05/2024 08:47 AM | CO | - |
| Country: germany | Not Found | 04/05/2024 08:47 AM | 04/05/2024 08:47 AM | DE | - |
| Country: Hungary | Business Services | 29/04/2024 07:06 AM | 29/04/2024 07:06 AM | HU | - |
| Country: Switzerland | Technology | 27/04/2024 10:30 AM | 27/04/2024 10:30 AM | CH | - |
| Country: USA | Not Found | 14/04/2024 04:28 PM | 14/04/2024 04:28 PM | US | - |
| Country: USA | Transportation/Logistics | 11/04/2024 08:23 PM | 11/04/2024 08:23 PM | US | - |
| Country: USA | Healthcare | 11/04/2024 08:23 PM | 11/04/2024 08:23 PM | US | - |
| Country: germany | Transportation/Logistics | 08/04/2024 08:34 AM | 08/04/2024 08:34 AM | DE | - |
| Country: spain | Technology | 08/04/2024 08:34 AM | 08/04/2024 08:34 AM | ES | - |
| Country: United Kingdom | Technology | 08/04/2024 08:34 AM | 08/04/2024 08:34 AM | GB | - |
| Country: germany | Not Found | 24/03/2024 01:52 PM | 24/03/2024 01:52 PM | DE | - |
| Country: germany | Business Services | 24/03/2024 01:52 PM | 24/03/2024 01:52 PM | DE | - |
| Country: Brasil | Energy | 24/03/2024 01:52 PM | 24/03/2024 01:52 PM | BR | - |
| Country: ******** | Not Found | 18/03/2024 09:03 PM | 18/03/2024 09:03 PM | - | |
| Country: Canada | Business Services | 12/03/2024 01:31 PM | 12/03/2024 01:31 PM | CA | - |
| Country: Canada | Government | 03/03/2024 08:43 AM | 03/03/2024 08:43 AM | CA | - |
| Country: Canada | Business Services | 23/02/2024 03:25 PM | 23/02/2024 03:25 PM | CA | - |
| Country: USA | Not Found | 20/02/2024 11:21 PM | 20/02/2024 11:21 PM | US | - |
| Country: USA | Not Found | 20/02/2024 11:20 PM | 20/02/2024 11:20 PM | US | - |
| Country: germany | Transportation/Logistics | 20/02/2024 11:20 PM | 20/02/2024 11:20 PM | DE | - |
| Country: USA | Manufacturing | 12/02/2024 06:54 PM | 12/02/2024 06:54 PM | US | - |
| Country: USA | Not Found | 12/02/2024 06:54 PM | 12/02/2024 06:54 PM | US | - |
| Country: germany | Not Found | 12/02/2024 06:54 PM | 12/02/2024 06:54 PM | DE | - |
| Country: germany | Business Services | 01/02/2024 11:09 PM | 01/02/2024 11:09 PM | DE | - |
| Country: USA | Technology | 24/01/2024 04:12 PM | 24/01/2024 04:12 PM | US | - |
| Country: USA | Technology | 06/01/2024 01:52 PM | 06/01/2024 01:52 PM | US | - |
| Country: USA | 27/12/2023 12:50 PM | 27/12/2023 12:50 PM | US | - | |
| Country: USA | 27/12/2023 12:50 PM | 27/12/2023 12:50 PM | US | - | |
| Country: USA | 13/12/2023 11:25 PM | 08/12/2023 12:00 AM | US | - | |
| Country: USA | 08/12/2023 01:30 PM | 08/12/2023 01:30 PM | US | - | |
| Country: germany | 01/12/2023 01:20 PM | 01/12/2023 01:20 PM | DE | - | |
| Country: Saint Kitts and Nevis | 01/12/2023 01:20 PM | 01/12/2023 01:20 PM | KN | - | |
| Country: Italy | 01/12/2023 01:20 PM | 01/12/2023 01:20 PM | IT | - | |
| Country: USA | 01/12/2023 01:20 PM | 01/12/2023 01:20 PM | US | - | |
| Country: United Kingdom | 01/12/2023 01:20 PM | 01/12/2023 01:20 PM | GB | View' rel='' target='_self'>View | |
| Country: Canada | 01/12/2023 01:20 PM | 01/12/2023 01:20 PM | CA | - | |
| Country: germany | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | DE | - | |
| Country: italia | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | - | ||
| Country: germany | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | DE | - | |
| Country: france | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | FR | - | |
| Country: germany | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | DE | - | |
| Country: holland | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | - | ||
| Country: Thailand | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | TH | - | |
| Country: germany | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | DE | - | |
| Country: italia | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | - | ||
| Country: taiwan | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | TW | - | |
| Country: Mexico | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | MX | - | |
| Country: taiwan | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | TW | - | |
| Country: Saud Arabia | 24/08/2023 07:42 AM | 24/08/2023 07:42 AM | AE | - | |
| country: Indonesia | 24/08/2023 07:41 AM | 24/08/2023 07:41 AM | ID | - | |
| Country: germany | 24/08/2023 07:41 AM | 24/08/2023 07:41 AM | DE | - | |
| Country: USA | 24/08/2023 07:41 AM | 24/08/2023 07:41 AM | US | - | |
| Country: Canada | 24/08/2023 07:41 AM | 24/08/2023 07:41 AM | CA | - | |
| Country: italia | 24/08/2023 07:41 AM | 24/08/2023 07:41 AM | IT | - | |
| Country: UAE | 24/08/2023 07:41 AM | 24/08/2023 07:41 AM | - | ||
| Country: United Kingdom | 24/08/2023 07:41 AM | 24/08/2023 07:41 AM | GB | - | |
| Country: Bahrain | 24/08/2023 07:41 AM | 24/08/2023 07:41 AM | BH | - | |
| Country: France | 24/08/2023 07:41 AM | 24/08/2023 07:41 AM | FR | View' rel='' target='_self'>View | |
| Country: Burkina Faso | 24/08/2023 07:40 AM | 24/08/2023 07:40 AM | BF | View' rel='' target='_self'>View | |
| Country: USA | 24/08/2023 07:39 AM | 24/08/2023 07:39 AM | US | View' rel='' target='_self'>View |
Known threat actors
Ransomware groups behind the attacks
Below is a breakdown of the most active ransomware groups and the variants driving their attacks.
Post breach actions
-
Call a NCSC Cyber Incident Response approved supplier Some NCSC providers will fund up to 48 hours of investigation into your incident.
-
Report the incident to Report Fraud
-
Locate your business continuity plan Work out what you can do without access to your systems and data.
-
Identify your business insurance contact details
Who are we and what experience do we have in responding to cyber incidents?
We are accredited to ISO 27001 and recognised by the UK’s National Cyber Security Centre (NCSC).
We provide comprehensive cyber risk management services, with a core focus on Digital Forensics and Incident Response (DFIR). Our capabilities are driven by a 24/7 Security Operations Centre and a dedicated in-house intelligence team that delivers timely, actionable threat reporting.
With decades of collective cyber security experience, we have the expertise to assume operational ownership of your entire IT security architecture – simplifying and strengthening cyber security across your business.
As an Assured Service Provider for Cyber Incident Response (CIR) at the Standard Level. This accreditation demonstrates our ability to deliver high-assurance, effective support in response to a wide range of cyber threats.
Your NCSC-approved supplier is a specialist crime scene investigator who will:
- Isolate and preserve your environment for forensic investigation.
- Identify where the data has been duplicated and issue a legal takedown order.
- Identify your data, application and systems restore points. These might be at different points in time and will need to be carefully restored and reconstructed in a pristine environment.
- Liaise with your business insurance company and if needed, with the Police.
- Advise you on notifying your customers of your situation.
- Rebuild your systems, restore your data and get you back to full operation. Note: This process can take between 2 weeks – 2 months.
Working with us
Our response process
Our team are ransomware recovery specialists with a proven, streamlined approach to resolving incidents quickly and effectively.
Step 1: Triage
We deploy our incident response team the same day. From the first call, we begin onboarding, introduce key stakeholders, set communication schedules, and start gathering critical information to guide the response.
Step 2: Investigation
DFIR (Digital Forensic Incident Response) teams investigate breaches to identify vulnerabilities, attack vectors, and system impacts from ransomware such as Data Loss (PII). We deliver clear forensic insights to guide mitigation.
Step 3: Contain
Our onsite and remote teams act fast to stop the attack in its tracks. That includes isolating affected systems, removing malicious code, and putting protections in place to prevent further spread or damage.
Step 4: Remediate & Eradicate
Once contained, we work to fully eliminate the threat. This includes fixing exploited vulnerabilities, restoring systems to a secure state, and ensuring no traces of the attack remain.
Step 5: Recover
Our incident response teams help get your business back to normal. We restore access to systems, recover data, and ensure services are safe, stable, and functioning, with minimal downtime.
Step 6: Post Incident
We conduct a full review of the incident response and recovery efforts. Together we assess what happened, what worked, and what can be improved, helping you build stronger defences for the future.
Forensic analysis to drive recovery
Our process includes a thorough digital forensic analysis from step two where the output becomes a central component of business recovery. This is because understanding the attack is of critical importance:
Informing an initial infection date
The extent and spread of infection
Data exfiltration having an impact on regulatory positions
Ensuring that the attacker and any tooling or artefacts they leave behind are eradicated
It is critical that the analysis of digital evidence is carried out to an agreed plan.
Maximising early root cause discovery and legal leverage
The process is purpose-built to uncover the root cause as early as possible, which is essential to inform remediation / eradication and recovery as well as supporting a legal take-down case if this is applicable. A legal take-down means we can assist in the legal enforcement that stops the criminals from publishing the data, thus undermining the ransom notice.
Our Digital Forensic and Incident Response (DFIR) teams maintain consistent communication throughout. Dedicated Incident Managers and technical engineering leads provide updates during the Cyber Incident Response journey, utilising risk registers and working within change management processes, all from triage through to post-incident, delivering successful business recovery.
Key take aways
- You will not be able to access your systems or data.
- It is advised to disconnect from the internet and shut down your systems, including PCs, to prevent further infections.
- Your Office 365 system might also be compromised, allowing the attackers to monitor your responses. Avoid communicating with individuals through your primary email or team systems.
- Threat actors typically infiltrate your system at least 2-4 weeks before you become aware of the attack. Your data will have already been exfiltrated. If your system is encrypted, this was not an overnight event.
- Ransom demands in the UK typically range from £500,000 to £3 million, with some sectors, like education, facing demands that exceed £5 million
- Paying the ransom may violate financial sanctions, which is a criminal offence and could result in a custodial sentence or further financial penalties.
- If your data is sold or published online, it puts your customers and staff at risk, potentially implicating you in a Data Protection breach.
- You will need to submit a data takedown request to the initial location where the data was transferred.
- Do not overwrite the encrypted data. It is crucial to determine when the infection began and where the data was sent.
- Avoid rebuilding from the latest backup, as it is likely to be infected.
Why should I trust Zensec to do this work rather than my IT team?
A forensic analysis needs to be meticulous and a clean restore and recovery requires a wealth of experience not normally available in an in-house team who must provide a broader range of IT support skills:
Internal IT teams don’t have the necessary skill set to resolve security encryption issues themselves.
IT teams may recover to the same position with indicators of compromise ready to do it again… which can lead to another breach.
Internal teams are pressured to restore business operations and may recover before forensic analysis even begins, potentially destroying the crime scene before completion.
We can help
Frequently asked questions
Key information when you’re under pressure.
Yes. Cloak is a form of ransomware, malicious software that encrypts a victim's data and demands payment for the decryption key. The attack typically begins with a phishing email, malicious ad, or drive-by download, which delivers the ransomware payload to the system.
Once executed, Cloak, believed to be an Arcrypter variant, may modify registry entries to maintain persistence, disable security tools, and launch its encryption process. It also attempts to delete volume shadow copies to prevent data recovery. Victims usually discover the attack through ransom notes left on the desktop or within affected directories. Users may notice unusual system behavior, such as disabled antivirus or restricted access to Task Manager.
The group behind Cloak operates a public extortion site where they leak or sell stolen data if the ransom isn't paid.
Cloak ransomware may have entered your system through several common attack vectors, including:
Phishing emails
Initial Access Brokers (IABs) selling compromised credentials
Exploited system vulnerabilities
Drive-by downloads or malicious ads
Weak user controls enabling privilege escalation mechanisms
To reduce the risk of future infections, we recommend the following best practices:
Educate staff regularly on cybersecurity awareness
Enforce strong, unique passwords
Implement multi-factor authentication across all accounts
Remove inactive or unnecessary user accounts
Perform regular, secure backups and test them
Apply software and system updates promptly
Monitor user activity for signs of abnormal or unauthorized access
After recovering from a Cloak ransomware incident, Solace Cyber strongly recommends updating your business continuity and incident response plans to reflect the lessons learned during the attack and recovery process.
Facing genuine pressure, there's a crucial decision to make - one that could rescue your organisation from weeks of operational standstill, reputation damage, and client data loss. Yet, the probability of a favourable outcome remains slim, emphasising the importance of engaging a specialised ransomware incident response team. They are your most viable recourse for navigating a ransomware incident.
The NCSC have documented the deliberations for paying ransomware: https://www.ncsc.gov.uk/ransomware/home
Important Reminder: It is a criminal offense to pay money to people who are subject to financial sanctions. The list of who is subject to financial sanctions is constantly changing.
The latest iteration can be found here: https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets
A ransomware attack presents the most significant threat to your business by:
- Disabling your access to systems, which could hinder machinery operation or impede progress through your business processes.
- Blocking access to critical data concerning suppliers, shipments, customers, orders, or steps in your business workflow.
In the event of a business interruption, identifying your position in the supply chain and sustaining operations can be challenging. If the disruption continues, maintaining business continuity becomes critical. Once systems and data are restored, addressing backlogs and establishing future operational protocols are essential.
Ransomware ranks only behind receivership in terms of its capacity to incapacitate a business.
The NCSC is the UK National Cyber Security Centre. They provide cyber security guidance and support, helping to make the UK the safest place to live and work online. They have defined a Cyber Incident Response procedure and they have approved and accredited suppliers to provide this service.
As a recognised Assured Service Provider by the National Cyber Security Centre (NCSC), Zensec provide comprehensive cyber risk management services that are designed to Protect, Detect & Mitigate cyber security threats across the UK.
Report Fraud is the UK's national reporting centre for fraud and cybercrime. Whether you have been scammed, defrauded, or experienced cybercrime in England, Wales, or Northern Ireland, Report Fraud offers a central point of contact for information on fraud and financially motivated cybercrime.
https://www.reportfraud.police.uk/https://www.actionfraud.police.uk/
Initial Access Brokers are cybercriminals who specialise in gaining unauthorised access to corporate networks, which they then sell or rent to other threat actors. This access often includes compromised credentials, VPN connections, or remote desktop protocol (RDP) endpoints.
A ransomware attack is a type of cyber crime where malicious software encrypts a victim’s data, making it inaccessible. The attacker then demands a ransom, often in cryptocurrency, in exchange for a decryption key. Many modern ransomware attacks also involve stealing data to increase pressure on the victim (a tactic known as double extortion).
Dealing with a ransomware attack?
Our ransomware recovery service can help
Our expert team works quickly to contain the breach, recover your data, and restore your systems to full operation. We’ll guide you through every step of the recovery process and help strengthen your defences to prevent future attacks. Regain control with Zensec - trusted support when it matters most.