Cloak Ransomware Group Hacks Virginia Attorney General's Office
The Cloak ransomware group has claimed responsibility for the February cyberattack on the Virginia Attorney General's Office, which forced officials to shut down IT systems and revert to paper filings. The office detected the intrusion early and notified law enforcement, including the FBI, the Virginia State Police, and the Virginia Information Technologies Agency.
Chief Deputy AG Steven Popps described the attack as "sophisticated" and said it had forced the office to take drastic measures to protect sensitive information. The office has not released further details about the intrusion.
The Cloak ransomware group, which has been active since at least 2023, added the Virginia Attorney General's Office to its Tor leak site on March 20, 2025. The group stated that the waiting period had expired and claimed to have stolen 134 GB of sensitive data. It initially published screenshots of the stolen data as proof of the intrusion; the full archive is now available for download from the leak page.
According to a report by Halcyon, Cloak has concentrated on small and medium-sized businesses in Europe, with Germany a key focus. The group obtains network access by buying it from Initial Access Brokers (IABs) or through phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate updates such as Microsoft Windows installers.
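The fake-update vector described above is one a defender can hunt for in web-proxy logs. The following is an added example written for this page, not code from the article, from Halcyon's report, or from any Cloak tooling: it flags successful downloads of Windows installer files whose names imitate Microsoft updates but that are served from hosts outside an assumed Microsoft domain allowlist. The log format, the sample log lines, and the `MICROSOFT_HOSTS` list are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from any real incident).
# Format: <timestamp> <client_ip> <method> <url> <status> <bytes>
SAMPLE_LOG = """\
2025-02-11T09:12:03Z 10.1.4.22 GET https://download.microsoft.com/download/x/y/Windows11-Update-KB5034123.msi 200 9812345
2025-02-11T09:14:51Z 10.1.4.22 GET https://cdn.win-update-patch.example/WindowsUpdate_Setup.exe 200 4456789
2025-02-11T09:15:10Z 10.1.4.37 GET https://www.example.org/docs/report.pdf 200 120034
2025-02-11T09:16:44Z 10.1.4.41 GET http://files.example.net/downloads/Microsoft-Security-Update.msix 200 3345678
2025-02-11T09:18:02Z 10.1.4.41 GET https://update.microsoft.com/catalog/kb5034123.exe 200 7788990
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# File types that execute or install software when opened on Windows.
INSTALLER_EXT = (".exe", ".msi", ".msix", ".msixbundle")

# Filename tokens a lure imitating a Windows/Microsoft update tends to carry.
UPDATE_WORDS = re.compile(r"(windows|microsoft|update|patch|kb\d{6,7})", re.IGNORECASE)

# Assumed allowlist of domains Microsoft serves update binaries from.
# This is an example value; a real deployment should build the list from
# Microsoft's published endpoint documentation, not from this snippet.
MICROSOFT_HOSTS = ("microsoft.com", "windowsupdate.com", "windows.com")


def host_is_microsoft(host):
    """True only for the allowlisted domains or their subdomains.

    Suffix matching requires the dot, so 'microsoft.com.evil.example'
    does not pass.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_HOSTS)


def suspicious_installer_downloads(log_text):
    """Return downloads that look like Windows updates but come from non-Microsoft hosts."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Only completed (HTTP 200) transfers can have delivered a payload.
        if not m or m["status"] != "200":
            continue
        url = urlparse(m["url"])
        filename = url.path.rsplit("/", 1)[-1]
        if not filename.lower().endswith(INSTALLER_EXT):
            continue
        if not UPDATE_WORDS.search(filename):
            continue
        if host_is_microsoft(url.hostname or ""):
            continue
        findings.append({
            "ts": m["ts"],
            "client": m["client"],
            "host": url.hostname,
            "file": filename,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_installer_downloads(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} fetched {f['file']} from {f['host']}")
```

The filename heuristic is a triage aid for finding hosts to examine, not proof of compromise: a legitimate vendor installer can match the pattern, and a lure can avoid it. Once a file is retrieved from the endpoint, the decisive check is whether it carries a valid Authenticode signature chaining to Microsoft's publisher certificate; a drive-by "Windows update" from an unrelated host will not.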
The Cloak group uses an ARCrypter ransomware variant, derived from Babuk's leaked code, to encrypt files after infiltrating a network. This variant has been used in previous attacks against organizations across Europe and Asia, targeting various sectors including healthcare, real estate, construction, IT, food, and manufacturing.
The attack on the Virginia Attorney General's Office is the latest incident attributed to Cloak, which has claimed more than 100 victims since it emerged. As the investigation continues, it is not yet known how the group will use the stolen data or what measures will be taken to prevent similar attacks.