CloAk ransomware encrypts data and operates with other groups to pressure ransom payments

By Heimdall: The CloAk Ransomware, which emerged between the end of 2022 and the beginning of 2023, represents a relatively new group of ransomware that has stood out mainly for its activities in Europe, with a special focus on Germany. This malware encrypts victims' data and demands a ransom payment in exchange for the decryption key. In addition to encrypting files, CloAk attempts to delete volume shadow copies using the command vssadmin.exe delete shadows /all /quiet, renaming the affected files with extensions ranging from .crYptA to .crYptE.

Logo of the Ransomware page on the Deep Web

Threat Analysis - Initial Vector

Analysis has shown that the CloAk Ransomware group uses access bought from initial access brokers (IABs) in clandestine markets as one of its main invasion tactics. These IABs seek to gain access to their victims' networks and sell it on to other threat actors. As of May 2023, compromised employee interfaces have been offered for sale, which suggests it is the group's initial step and main attack vector to gain access to victims' networks.

Other distribution methods observed for this ransomware are social engineering such as phishing, malvertising, exploit kits, Remote Desktop Protocol (RDP), drive-by downloads and pirated software.

CloAk Ransomware attack chain

Below are details of how the ransomware attack chain works.

Initial Access

The threat actor gains access to the network or machine using various methods, such as social engineering, malvertising, exploit kits, remote desktop protocol (RDP), stolen credentials, drive-by downloads or pirated software.

Reconnaissance

As soon as the attacker gains access, they carry out reconnaissance to identify the target's network and devices.

Lateral movement

The attacker moves laterally through the network to gain access to all devices and systems.

Exfiltration

The attacker exfiltrates data from the network or machine, which is then used to threaten the victim and make them pay the ransom.

Deployment of ransomware

The attacker deploys the Cloak ransomware payload to encrypt the victim's data.

Ransom demands and data leaks

  • The ransomware displays a message to the victim explaining that the files are inaccessible and can only be accessed again by paying a ransom to the attackers.

The Cloak ransomware group has a well-known extortion site where it sells and leaks data from its victims:

Presentation of the group's possible victims on its Deep Web page

Extension of encrypted files

  • .crYptA
  • .crYptB
  • .crYptC
  • .crYptD
  • .crYptE

Ransom note

The CloAk ransomware presents a ransom note called "readme_for_unlock.txt", requesting payment in return for the key that undoes the data encryption. This notification aims to pressure the affected party into paying the ransom. The ransom note contains text that seeks to intimidate the victim by highlighting the consequences of not making the payment, and offers instructions on how to go about negotiating the ransom.

See the content of CloAk's ransom note below:

Ransomware ransom note
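The artifacts described above (the vssadmin shadow-copy wipe, the .crYptA to .crYptE extensions and the readme_for_unlock.txt note) are the host-side indicators a defender can alert on. The following is an added example, not code from the report or from ISH Tecnologia: a small Python triage routine that checks process-creation records and file paths against those indicators. The telemetry in SAMPLE_EVENTS and SAMPLE_PATHS is constructed, and it alerts on any "vssadmin delete shadows" invocation rather than only the exact "/all /quiet" form reported.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Indicators taken from the write-up: the shadow-copy wipe command, the
# .crYptA-.crYptE extensions and the ransom note file name.
# Any "delete shadows" variant is flagged, not just "/all /quiet".
SHADOW_WIPE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
CLOAK_EXT = re.compile(r"\.crypt[a-e]$", re.I)  # NTFS is case-insensitive
RANSOM_NOTE = "readme_for_unlock.txt"


def check_process_event(event: dict) -> Optional[str]:
    """Flag a process-creation record (Sysmon EID 1 / 4688 style dict) that wipes shadow copies."""
    cmd = event.get("CommandLine", "")
    if SHADOW_WIPE.search(cmd):
        return (f"T1490 shadow-copy deletion: pid={event.get('ProcessId')} "
                f"parent={event.get('ParentImage')} cmd={cmd!r}")
    return None


def check_file_path(path: str) -> Optional[str]:
    """Flag a path that looks like CloAk output: the ransom note or an encrypted file."""
    name = PureWindowsPath(path).name
    if name.lower() == RANSOM_NOTE:
        return f"ransom note dropped: {path}"
    if CLOAK_EXT.search(name):
        return f"encrypted file (CloAk extension): {path}"
    return None


def triage(process_events, file_paths) -> List[str]:
    """Run both checks; shadow-wipe alerts come first since they precede encryption."""
    alerts = [a for e in process_events if (a := check_process_event(e))]
    alerts += [a for p in file_paths if (a := check_file_path(p))]
    return alerts


# Constructed sample telemetry (hypothetical, not from a real incident).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Git\bin\git.exe" status'},
    {"ProcessId": 5588, "ParentImage": r"C:\Users\Public\upd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.crYptB",
    r"C:\Users\alice\Desktop\readme_for_unlock.txt",
    r"C:\Users\alice\Downloads\cryptography.pdf",  # must not match
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, SAMPLE_PATHS):
        print(line)
```

In practice the process check belongs in the SIEM on command-line telemetry, since the shadow-copy wipe fires before files are renamed and is the earlier signal.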

Partnership with other ransomware groups

In addition, SentinelOne researchers observed an interconnection between Good Day ransomware, from the ARCrypter family, and CloAk, in which Good Day victims were listed on the CloAk extortion site. This link indicates a collaboration or at least a relationship between the threat groups, where victims of one malware can end up being targeted by another, intensifying the pressure to pay the ransom by threatening to leak or sell the hijacked data.

The threat landscape represented by CloAk and its possible collaboration with other malware, such as Good Day, highlights the importance of robust cybersecurity practices, including offline and regular backups, network segmentation and frequent software updates to mitigate the risk of infection.

MITRE ATT&CK - TTPs

| Tactic | Technique | Details |
| --- | --- | --- |
| Initial Access | T1078, T1566, T1133 | The adversary can use valid credentials, phishing and external remote services for initial access. |
| Execution | T1204 | Adversaries can rely on specific actions taken by users to execute malicious code. |
| Persistence | T1547 | Adversaries can set system settings to automatically run a program during system startup or logon to maintain persistence or obtain higher-level privileges on compromised systems. |
| Defense Evasion | T1622, T1070.001, T1070.004, T1564.003 | Adversaries can employ various means to detect and avoid debuggers. Adversaries can clear Windows event logs and delete left-over files to hide the activity of an intrusion. Adversaries can use hidden windows to hide malicious activity from users' view. |
| Credential Access | T1003.001 | Adversaries can try to access credentials stored in memory (LSASS). |
| Discovery | T1057, T1082, T1083 | Adversaries can try to obtain information about processes running on a system and other information such as hardware, patches and so on. |
| Command and Control | T1021 | Adversaries can use valid accounts to log in to a service that accepts remote connections, such as telnet, SSH and VNC. |
| Impact | T1486, T1489, T1490, T1657 | Adversaries can delete data and steal valuable information, they can steal resources and carry out extortion for financial gain. |

MITRE ATT&CK table

How to protect yourself

There are some security measures that can be adopted to mitigate the infection of this malware, such as:

Keep your antivirus up to date

  • The first line of defense is a robust and up-to-date antivirus program. These programs are designed to detect and block ransomware before it can cause damage.

Avoid suspicious pop-ups

  • Do not click on pop-ups that ask you to install or update software while browsing the Internet. These could be an attempt to install malware on your device.

Beware of links and attachments in emails

  • Phishing attacks, in which emails appear to come from legitimate sources but contain malicious links, are a common vector for the distribution of ransomware. Always check the authenticity of emails before clicking on links or opening attachments.

Use only reliable sources for downloads

  • To avoid ransomware and other types of malware, only download from trusted sources such as the Microsoft Store, Apple App Store and Google Play Store.

Implement a zero-trust architecture

  • Assume that your network may already be compromised and minimize uncertainty by imposing least privilege access decisions.

Perform regular vulnerability scans

  • Identify and fix vulnerabilities, especially in Internet-facing devices, to limit attack surfaces. Regularly updating software and operating systems is also crucial.

Configure all devices appropriately

  • This includes on-premises devices, cloud services, mobile and personal devices (BYOD). Disable ports and protocols that are not being used for business purposes.

Limit the use of Remote Desktop Protocol (RDP)

  • If necessary, apply best practices such as closing unused RDP ports, applying multi-factor authentication (MFA) and logging login attempts.

Regular backups

  • Make regular backups of your important data. In the event of an attack, you will be able to restore your files without paying the ransom. It is advisable to keep backups on devices or services that are not directly connected to your network.

Avoid exposing vulnerable services on the Internet

  • Don't expose unnecessary services, such as Remote Desktop Protocol (RDP), on the Internet. If necessary, use appropriate compensatory controls to prevent abuse and exploitation.

Employee awareness and training

  • Educate your employees about the risks of ransomware and the best practices to avoid them. Awareness can be a powerful tool against phishing attacks and other forms of social engineering.

Indicators of Compromise (IOCs)

ISH Tecnologia handles a number of Indicators of Compromise collected through open and closed sources, as well as analysis carried out by the Heimdall security team. In view of this, below we list all the Indicators of Compromise (IOCs) related to the analysis of the artifact(s) in this report:

URL, IP and Domain Indicators

URL: http[:]//cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd[.]onion/

Network Compromise Indicators

Note: The links and IP addresses listed above may be active; handle these IoCs with care and avoid clicking on them, so as not to become a victim of the malicious content hosted at them.
