Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Cloak ransomware recovery team on standby
Cloak ransomware has been quietly targeting small-to-medium European businesses since August 2023, operating as a variant of the ARCrypter family and purchasing network access from initial access brokers. Isolate affected systems immediately and contact UnderDefense's incident response team — do not attempt recovery or negotiation without expert support.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Cloak attack can make a huge difference and help you make a full recovery. Request 24/7 Cloak ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Cloak uses Curve25519 elliptic curve cryptography for key exchange paired with HC-128 stream cipher for file encryption. The gang generates per-victim 32-byte private keys and derives public keys, making each infection cryptographically isolated and keys non-recoverable without access to attacker infrastructure.
Cloak is believed to be a variant of ARCrypter ransomware, sharing the same leak site infrastructure with "Good Day" ransomware. The group operates with loose affiliate partnerships, accepting IAB access or conducting direct intrusions. TTPs suggest moderate technical sophistication and patience in dwell time pre-encryption.
Cloak's shared data leak platform with ARCrypter/Good Day variants indicates possible operational overlap or business collaboration. Victim data is threatened with public exposure on multiple forums simultaneously, suggesting data monetization through multiple criminal networks.
Cloak primarily targets SMBs in Germany, Italy, Taiwan, and France, with preference for organizations with weak security posture and low ransom payment likelihood but sufficient data value for extortion. European focus suggests language expertise and familiarity with regional payment systems.
Ransom notes named "readme_for_unlock.txt" or "CLOAK_README.txt" direct victims to a single chat panel for negotiation, consolidating communication and enabling the gang to pressure victims through repeated contact.
No public decryptor is available for Cloak ransomware. Curve25519 cryptography is resistant to brute-force attacks. Recovery depends on offline backups or forensic recovery of the private key from attacker systems—neither typically feasible for SMB victims.
Search for .crYptA, .crYptB file extensions across file systems, ransom note filenames containing “CLOAK” or “readme_for_unlock”, and process execution of legitimate encryption tools being abused for encryption (PowerShell, openssl commands).
File Extensions
.crYptA, .crYptB, .crYptC, .crYptD, .crYptE (sequential extension per infection wave)
Ransom Note Filenames
readme_for_unlock.txt, CLOAK_README.txt, readme.txt (variant-dependent)
Cloak Hashes
SHA256 hashes vary significantly across samples. Known executables associated with ARCrypter family are documented in threat intelligence databases. Signature-based detection is unreliable; behavioral detection of Curve25519 operations is required.
Cloak Tools
Reconnaissance: OSINT on target organization, web application scanning (likely via Shodan or public databases)
Persistence: Likely via compromised credentials from IAB access rather than custom persistence mechanisms
Lateral Movement: SMB shares, RDP (if credentials obtained), privileged access tools
Credential Dumping: Mimikatz or credential access from compromised IAB connection
Encryption: Custom HC-128 implementation compiled per campaign
Most Common Red Flag
Sudden appearance of .crYptA files across SMB shares, combined with readme_for_unlock.txt or CLOAK_README.txt appearing in user directories. Often preceded by suspicious remote access activity (RDP or SSH) from IAB operators weeks prior to encryption.
Attack vector | % of Cloak incidents | Notes |
IAB-Provided Credentials | 60% | Initial Access Brokers selling compromised credentials from breaches |
Phishing (Targeted) | 25% | Spear-phishing specific employees with malicious attachments |
Unpatched Web Applications | 10% | SQL injection, default credentials in exposed admin panels |
Weak RDP Credentials | 5% | Brute-force or credential spray against internet-facing RDP |
A German manufacturing firm paid 50,000 EUR; data was later found on three separate dark web forums despite gang claims of deletion. One Italian municipality negotiated payment to zero after threatening to report to authorities. Estimated 30+ confirmed victims across 2023-2024 with limited victim cooperation on disclosure.
Isolate infected systems from network immediately. Scan for .crYptA/.crYptB extensions and delete ransom note files. Reset all domain and local credentials system-wide, assuming compromise. Restore from offline backups verified clean prior to encryption event. Do not attempt to negotiate with the gang or use recovered encryption tools—the gang does not honor deletion promises.
Complete restoration from offline backups is the only reliable recovery method. Assume all credentials compromised; implement new administrative accounts with strong passphrases and MFA. Segment network to prevent lateral movement in case re-infection occurs. Monitor logs for IAB activity patterns for 6 months post-recovery (unusual RDP logins, credential access, SMB enumeration).
Cloak demands typically range from 10,000 to 500,000 EUR depending on victim organization size and perceived ability to pay. SMBs often receive lower demands. Negotiation is possible; reported settlement rates are 30-50% of initial ransom demand, suggesting the gang inflates initial demands.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowCloak is a double-extortion ransomware variant believed to be linked to the ARCrypter ransomware family, targeting SMBs primarily in Europe. The ransomware uses Curve25519 elliptic curve cryptography and HC-128 stream cipher for encryption, making files cryptographically unrecoverable without the private key. The group operates a public leak site and shares data exfiltration infrastructure with other ransomware variants, suggesting loose collaboration within criminal networks.
Geographic targeting of European SMBs and language expertise suggest the gang operates from Europe itself, possibly Eastern Europe or the EU. No definitive attribution has been published, but operational patterns indicate familiarity with European business practices and banking systems. The gang has not claimed nation-state affiliation or public attribution.
Cloak typically gains initial access through Initial Access Brokers selling compromised credentials from prior breaches or password reuse attacks. Attackers establish persistence via compromised RDP or SMB credentials, conduct internal reconnaissance to identify high-value data, exfiltrate files, and then deploy the ransomware encryptor. The HC-128 encryption is fast and does not trigger excessive CPU usage, allowing silent operation during business hours.
From initial compromise to ransom note delivery, Cloak attacks average 2-4 weeks of dwell time for reconnaissance and data exfiltration. Some incidents show acceleration if the gang detects active monitoring. Encryption deployment is rapid once data is secured, typically occurring within 24-48 hours of data transfer completion.
No public decryptor exists for Cloak ransomware. Curve25519 elliptic curve cryptography is mathematically secure against known attacks. Recovery requires either offline backups or payment of ransom, though the gang’s track record of actually deleting data after payment is poor—victims report their data appearing on multiple dark web forums weeks or months after ransom payment.
All encrypted files become inaccessible, and the gang threatens public exposure of exfiltrated data on their leak site and partner forums if ransom is not paid within 7-14 days. For SMBs, operational disruption is severe—customer data loss, business email compromise, and regulatory violations (GDPR in Europe) create cascading liability. The gang often extends deadlines for negotiation.
Assume IAB credentials are compromised and implement credential rotation quarterly for administrative accounts. Disable RDP on internet-facing systems; use jump hosts with strict access logging instead. Enable MFA on all remote access and administrative accounts. Monitor SMB share access for unusual patterns (bulk file reads, writes to system shares). Maintain offline, encrypted backups with integrity verification. Conduct regular security awareness training to reduce phishing click rates.
– Disable or restrict internet-facing RDP; use VPN with MFA instead
– Implement conditional access policies to block risky sign-ins
– Enable MFA on all administrative and email accounts
– Monitor SMB file access logs for bulk operations and unusual user behavior
– Restrict administrative group membership to essential personnel
– Maintain offline backup copies encrypted and verified quarterly
– Assume any credential obtained from breach databases has been used; rotate passwords for all accounts
– Implement network segmentation to restrict lateral movement
– Deploy EDR with detection rules for HC-128 encryption operations (if signatures available)
Using sequential extensions (.crYptA, .crYptB, etc.) per campaign or infection wave allows Cloak to:
1) Evade simple file extension-based detection rules by changing extensions
2) Obfuscate the true scope of infection across multiple backup snapshots
3) Suggest to victims that encryption is ongoing (intimidation tactic)
4) Complicate forensic analysis by distributing files across extension-based recovery points
SMBs often have weaker security posture than enterprises, making compromise easier for a moderate-capability group like Cloak. While individual ransom amounts are lower ($10K-500K vs. $1M+ for enterprises), volume of successful compromises compensates. Additionally, SMBs have less organizational capacity for incident response, making ransom payment more likely given business continuity pressures.