24/7 ransomware incident response by senior experts. Get in touch now β we support you right away.
Cloak is an active ransomware operation using double extortion: encryption of systems combined with publication of stolen data on a Tor-based leak site. Public leak data shows more than 150 victims since 2023, with recent activity across Europe and North America. Our DFIR team supports you with structured containment, forensics and secure recovery.
Ransomware is our everyday business. We combine technical forensics, crisis management and practical recovery planning so you can make informed decisions under pressure β whether it is Cloak or another modern double-extortion group.
Our team has worked on complex cases involving Cloak and comparable operations across business services, manufacturing, healthcare and public sector organisations.
We understand typical attacker playbooks, tooling and negotiation tactics.From initial triage and containment to forensics, decryption strategy and rebuild: we support the entire lifecycle of your ransomware incident.
We work with your existing security stack and IT teams. No lock-in, no hidden agenda β just practical support to get your business back online securely.
We collaborate with internal IT, insurers, legal and law enforcement where needed.The first days of a Cloak ransomware incident are critical. Our structured playbook helps you stabilise operations while preserving evidence and preparing for recovery.
Hour 0β4
Rapid triage & containment
We assess scope and impact, guide you through safe isolation of affected systems and stop further lateral movement β without destroying evidence.
Hour 4β24
Forensic acquisition & attacker analysis
Collection of system images, logs and volatile data. We identify Cloakβs footprint in your environment and review possible data exfiltration paths.
Day 2β3
Recovery plan & decision support
We design a phased recovery plan, including options with and without decryption, and provide input for executive, legal and communication teams.
Many victims are already in contact with Cloak operators when they call us. We help you:
Beyond emergency response, we also help you make your environment more resilient against future ransomware attacks β from hardening backups and Active Directory to monitoring and incident readiness.
Note: We do not encourage paying ransoms. Where payment is considered, we help you understand the technical implications and residual risks so you can make a documented, risk-based decision.
Below is a brief profile of Cloak ransomware based on public leak site data and open source intelligence. Use this as a starting point for your own risk assessment β not as a substitute for case-specific analysis.
Note: These statistics are based on publicly claimed victims and do not include incidents that remain undisclosed or handled privately.
Cloak uses a dedicated Tor hidden service to list victims and publish stolen data if negotiations fail. The group has been observed using ransom notes with names such as:
readme_for_unlock.txtreadme_for_unlock_nov2024.txtreadme_for_unlock_oct2024.txt# Example Cloak ransomware indicators of compromise (IOCs)
# Leak site (Tor hidden service)
cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd.onion
# Example file hash (ransomware-related sample)
MD5:
31c6032e6cfa6c514c0b0b30fe75c66e
# Ransom note filenames (examples)
readme_for_unlock.txt
readme_for_unlock_nov2024.txt
readme_for_unlock_oct2024.txt
# NOTE:
# IOCs change frequently. Use fresh threat intelligence feeds
# and do not rely on static indicators alone for detection.
Always validate IOCs against up-to-date sources and adapt them to your own logging and detection stack.
Cloak follows patterns similar to other human-operated ransomware campaigns. Even though detailed TTP matrices are not always published, you can use the typical ransomware lifecycle as a basis for detection and hunting.
The following ATT&CK techniques are commonly seen in human-operated ransomware intrusions and provide a useful starting point for detection engineering:
T1078 β Valid Accounts, T1133 β External Remote ServicesT1059 β Command and Scripting InterpreterT1547 β Boot or Logon Autostart ExecutionT1068 β Exploitation for Privilege EscalationT1562 β Impair DefensesT1003 β OS Credential DumpingT1021 β Remote ServicesT1041 β Exfiltration Over C2 ChannelT1486 β Data Encrypted for Impact, T1490 β Inhibit System RecoveryMap these techniques to your logging and security controls (EDR, SIEM, NDR, backup systems) and create specific detection rules for your environment.
A Cloak incident raises many legal, technical and business questions. Here are a few we hear most often in the first call.
Not necessarily. In some cases, recovery from clean backups is feasible without paying. In others, the business impact, data exfiltration and legal requirements must be weighed carefully. We help you analyse options, their technical feasibility and residual risks.
Yes. We regularly engage alongside cyber insurance carriers and law firms. Our role is to provide a reliable technical picture, support risk-based decisions and document the incident for regulatory or contractual obligations.
For active incidents, we aim to schedule an initial remote triage call very quickly once you contact our hotline or send an email. On-site presence can be arranged depending on location and urgency.
Absolutely. All conversations and artefacts are treated as confidential. We can sign NDAs and work under legal privilege via your counsel if required.
As a specialised DFIR team, we help organisations handle Cloak and other ransomware incidents in a structured, risk-based way:
On request, we can also support proactive assessments of your ransomware exposure, including backup resilience, Active Directory hardening and incident response readiness.