cloak

Ransomware group profile

22Victims

RussiaSource country

99Impact score

Description

Cloak is a sophisticated ransomware group that emerged in early 2022, notorious for its stealth and advanced evasion methods. Primarily targeting small to medium-sized businesses, they leverage custom malware and zero-day vulnerabilities to conduct their operations, often employing a multi-faceted extortion strategy. Their tactics include double and triple extortion methods, where they threaten data leaks and DDoS attacks on victims who refuse to pay.

Key insights

•Utilizes zero-day vulnerabilities and custom malware for infiltration and data encryption.
•Employs spear-phishing for initial access, often using malicious attachments.
•Known for multi-layered extortion tactics, combining data encryption, theft, and threats of public release.
•Targets various sectors, notably healthcare and finance, with high payment rates from victims.
•Increasingly leveraging initial access brokers to penetrate networks of high-value targets.
•Shifts towards 'triple extortion' by including DDoS attacks against non-compliant victims.

Industries

Education Financial Services Government & Defense Healthcare Hospitality Manufacturing Other Professional Services Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For cloak · Based on incidents in selected period

3threat level

Aggressiveness8/ 10

Lethality0/ 10

Criticality0.8/ 10

First seenJun 2025

Last seenJun 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 16, 2026

Recent activity

Monthly attack count for cloak in the selected period

22Total attacks

5peak in Aug

2.4avg / month

↑ 2 vs first month

Intelligence

IOCs, YARA/Sigma rules, and related families for cloak

a53a9ca8a074c7108f8412c3f8c1fc5d
77962a384d251f0aa8e3008a88f206d6cb1f7401c759c4614e3bfe865e3e985c
3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab
7007cf53bcd0083baba202d8ac2d9070
a98dcdee82f6066a4cf2f9d7d161a1bacec8f81d
94f73b5dc06ba6705fcef3e759413a747049c2949a0c2e44afc03b2f9989cf73
d1038be644a0da3ba05922fa27db4167a6e17451
1e074d9dca6ef0edd24afb2d13ca4429def5fc5486cd4170c989ef60efd0bbb0
c3804d1329b55a37bfa2f835e1e9bbc7bdb2b260f8e3627c06e02c9f52685d44

View full IOC feed500 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for cloak

Other

T1486

T1490

T1078

T1059

T1547

T1021

T1562

T1021.001

T1090

T1003

T1105

T1041

Victims(22)

Company	Domain	Country	Industry	Status	Discovered
ra-*******e	—	Non Disponibile	—	Unknown	1 day ago
d**********e	—	Non Disponibile	—	Unknown	1 day ago
W****S*****D	—	Non Disponibile	—	Unknown	1 day ago
suffolkva.us	suffolkva.us	US United States	Government & Defense	Unknown	4 months ago
**el-p***.de	—	DE Germany	—	Unknown	4 months ago
Dinnebiergruppe.de	dinnebiergruppe.de	DE Germany	Retail & E-Commerce	Unknown	4 months ago
***nei***pe.de	—	DE Germany	—	Unknown	4 months ago
Fitzpatrickhotels.com	fitzpatrickhotels.com	US United States	Hospitality	Unknown	6 months ago
**patrh**s.com	—	NA Namibia	Technology	Unknown	6 months ago
***l***.us	—	US United States	—	Unknown	6 months ago
**e-det.de	—	DE Germany	—	Unknown	7 months ago
*****.com	—	NA Namibia	Retail & E-Commerce	Unknown	8 months ago
L********den.com	—	NA Namibia	—	Unknown	8 months ago
TuftsMedicine	tuftsmedicine.org	US United States	Healthcare	Unknown	9 months ago
Wstg-steuerberater.de	wstg-steuerberater.de	DE Germany	Professional Services	Unknown	10 months ago
Tu*******ne	—	—	—	Unknown	10 months ago
Go********l	—	NA Namibia	—	Unknown	10 months ago
*********.bh	—	BH Bahrain	—	Unknown	10 months ago
*******roup.ro	—	RO Romania	—	Unknown	10 months ago
Nos********om.br	—	BR Brazil	—	Unknown	12 months ago

Page 1 of 2

Affected countries(28)

Countries where this group has been reported to target or leak victims.