What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a Cloak attack can make a huge difference and help you make a full recovery. Request 24/7 Cloak ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Cloak ransomware statistics & facts

Cloak Decryptor
Cloak IOCs
Cloak Attack Vectors
Case Outcomes
How to Remove Cloak Ransomware
How to Recover from Cloak Ransomware
Ransom Amounts
Cloak Decryptor

No public decryptor is available for Cloak ransomware. Curve25519 cryptography is resistant to brute-force attacks. Recovery depends on offline backups or forensic recovery of the private key from attacker systems—neither typically feasible for SMB victims.

Cloak IOCs

Search for .crYptA, .crYptB file extensions across file systems, ransom note filenames containing “CLOAK” or “readme_for_unlock”, and process execution of legitimate encryption tools being abused for encryption (PowerShell, openssl commands).

File Extensions
.crYptA, .crYptB, .crYptC, .crYptD, .crYptE (sequential extension per infection wave)

Ransom Note Filenames
readme_for_unlock.txt, CLOAK_README.txt, readme.txt (variant-dependent)

Cloak Hashes
SHA256 hashes vary significantly across samples. Known executables associated with ARCrypter family are documented in threat intelligence databases. Signature-based detection is unreliable; behavioral detection of Curve25519 operations is required.

Cloak Tools
Reconnaissance: OSINT on target organization, web application scanning (likely via Shodan or public databases)
Persistence: Likely via compromised credentials from IAB access rather than custom persistence mechanisms
Lateral Movement: SMB shares, RDP (if credentials obtained), privileged access tools
Credential Dumping: Mimikatz or credential access from compromised IAB connection
Encryption: Custom HC-128 implementation compiled per campaign

Most Common Red Flag
Sudden appearance of .crYptA files across SMB shares, combined with readme_for_unlock.txt or CLOAK_README.txt appearing in user directories. Often preceded by suspicious remote access activity (RDP or SSH) from IAB operators weeks prior to encryption.

Cloak Attack Vectors

Attack vector

% of Cloak incidents

Notes

IAB-Provided Credentials

60%

Initial Access Brokers selling compromised credentials from breaches

Phishing (Targeted)

25%

Spear-phishing specific employees with malicious attachments

Unpatched Web Applications

10%

SQL injection, default credentials in exposed admin panels

Weak RDP Credentials

5%

Brute-force or credential spray against internet-facing RDP

Powered By WP Table Builder
Case Outcomes

A German manufacturing firm paid 50,000 EUR; data was later found on three separate dark web forums despite gang claims of deletion. One Italian municipality negotiated payment to zero after threatening to report to authorities. Estimated 30+ confirmed victims across 2023-2024 with limited victim cooperation on disclosure.

How to Remove Cloak Ransomware

Isolate infected systems from network immediately. Scan for .crYptA/.crYptB extensions and delete ransom note files. Reset all domain and local credentials system-wide, assuming compromise. Restore from offline backups verified clean prior to encryption event. Do not attempt to negotiate with the gang or use recovered encryption tools—the gang does not honor deletion promises.

How to Recover from Cloak Ransomware

Complete restoration from offline backups is the only reliable recovery method. Assume all credentials compromised; implement new administrative accounts with strong passphrases and MFA. Segment network to prevent lateral movement in case re-infection occurs. Monitor logs for IAB activity patterns for 6 months post-recovery (unusual RDP logins, credential access, SMB enumeration).

Ransom Amounts

Cloak demands typically range from 10,000 to 500,000 EUR depending on victim organization size and perceived ability to pay. SMBs often receive lower demands. Negotiation is possible; reported settlement rates are 30-50% of initial ransom demand, suggesting the gang inflates initial demands.

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What Is Cloak Ransomware?

Cloak is a double-extortion ransomware variant believed to be linked to the ARCrypter ransomware family, targeting SMBs primarily in Europe. The ransomware uses Curve25519 elliptic curve cryptography and HC-128 stream cipher for encryption, making files cryptographically unrecoverable without the private key. The group operates a public leak site and shares data exfiltration infrastructure with other ransomware variants, suggesting loose collaboration within criminal networks.

Where Is Cloak Based?

Geographic targeting of European SMBs and language expertise suggest the gang operates from Europe itself, possibly Eastern Europe or the EU. No definitive attribution has been published, but operational patterns indicate familiarity with European business practices and banking systems. The gang has not claimed nation-state affiliation or public attribution.

How Does Cloak Attack?

Cloak typically gains initial access through Initial Access Brokers selling compromised credentials from prior breaches or password reuse attacks. Attackers establish persistence via compromised RDP or SMB credentials, conduct internal reconnaissance to identify high-value data, exfiltrate files, and then deploy the ransomware encryptor. The HC-128 encryption is fast and does not trigger excessive CPU usage, allowing silent operation during business hours.

How Long Do Cloak Attacks Last?

From initial compromise to ransom note delivery, Cloak attacks average 2-4 weeks of dwell time for reconnaissance and data exfiltration. Some incidents show acceleration if the gang detects active monitoring. Encryption deployment is rapid once data is secured, typically occurring within 24-48 hours of data transfer completion.

Can Cloak Files Be Decrypted?

No public decryptor exists for Cloak ransomware. Curve25519 elliptic curve cryptography is mathematically secure against known attacks. Recovery requires either offline backups or payment of ransom, though the gang’s track record of actually deleting data after payment is poor—victims report their data appearing on multiple dark web forums weeks or months after ransom payment.

What Happens After Cloak Encryption?

All encrypted files become inaccessible, and the gang threatens public exposure of exfiltrated data on their leak site and partner forums if ransom is not paid within 7-14 days. For SMBs, operational disruption is severe—customer data loss, business email compromise, and regulatory violations (GDPR in Europe) create cascading liability. The gang often extends deadlines for negotiation.

How Can Organizations Prevent Cloak?

Assume IAB credentials are compromised and implement credential rotation quarterly for administrative accounts. Disable RDP on internet-facing systems; use jump hosts with strict access logging instead. Enable MFA on all remote access and administrative accounts. Monitor SMB share access for unusual patterns (bulk file reads, writes to system shares). Maintain offline, encrypted backups with integrity verification. Conduct regular security awareness training to reduce phishing click rates.

Cloak Prevention Checklist

– Disable or restrict internet-facing RDP; use VPN with MFA instead
– Implement conditional access policies to block risky sign-ins
– Enable MFA on all administrative and email accounts
– Monitor SMB file access logs for bulk operations and unusual user behavior
– Restrict administrative group membership to essential personnel
– Maintain offline backup copies encrypted and verified quarterly
– Assume any credential obtained from breach databases has been used; rotate passwords for all accounts
– Implement network segmentation to restrict lateral movement
– Deploy EDR with detection rules for HC-128 encryption operations (if signatures available)

Why Does Cloak Use Multiple File Extensions Rather Than a Single Extension?

Using sequential extensions (.crYptA, .crYptB, etc.) per campaign or infection wave allows Cloak to:
1) Evade simple file extension-based detection rules by changing extensions
2) Obfuscate the true scope of infection across multiple backup snapshots
3) Suggest to victims that encryption is ongoing (intimidation tactic)
4) Complicate forensic analysis by distributing files across extension-based recovery points

Why Target SMBs Instead of Enterprises?

SMBs often have weaker security posture than enterprises, making compromise easier for a moderate-capability group like Cloak. While individual ransom amounts are lower ($10K-500K vs. $1M+ for enterprises), volume of successful compromises compensates. Additionally, SMBs have less organizational capacity for incident response, making ransom payment more likely given business continuity pressures.