Cloak Ransomware Variant Exhibits Advanced Persistence, Evasion and VHD Extraction Capabilities

ID: 52cc1c99-8fab-57cc-813e-b00a2baeaafd

STIX ID: report--52cc1c99-8fab-57cc-813e-b00a2baeaafd

Feed Name: Halcyon Blog

Threat Score: 78/100

Date Published: 2026-03-02

Date Updated: 2026-04-28

The report analyzes the Cloak ransomware group and a specific Cloak/ARCrypter-derived ransomware variant, detailing its distribution (initial access brokers, phishing, malvertising, drive-by downloads and fake Windows updates), loader behavior (LZMS/XTEA-packed resources, virtual disk mounting), privilege escalation, extensive process and service termination targeting AV, backup and database components, persistence via Run registry entries, and aggressive recovery disruption (shadow copy deletion, recycle bin emptying). It describes the encryption mechanics (Curve25519 key generation, SHA-512-derived HC-128 keys, full and intermittent chunked encryption), ransom note deployment (wallpaper and readme files), and the group's high extortion and payment success rate, concluding that the variant is highly sophisticated and disruptive.