Cloak is a ransomware-as-a-service operation active since late 2022, primarily targeting small-to-medium enterprises in Europe — especially Germany — across manufacturing, healthcare, education, and government sectors, with expansion into North American and Asian targets by 2025.
This group has no curated TTPs.
Defensive detection signature for this group, for use in your EDR/SIEM. Source: ransomware.live.
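```yara
/*
Cloak ransomware (ARCrypter-based)
*/
rule Cloak_Ransomnote
{
    meta:
        author = "ransomware.live"
        family = "ransomware.cloak"
        description = "Detects Cloak ransomware ransom note"
        date = "2026-05-04"
        severity = 7
        score = 70
    strings:
        // $s1 is case-insensitive, so it already matches everything $s2-$s4 match
        $s1 = "Cloak" ascii nocase
        $s2 = "CLOAK" ascii
        $s3 = "cloak.onion" ascii nocase
        $s4 = "cloakteam" ascii nocase
    condition:
        // Fires on any file containing the ASCII string "cloak" in any case,
        // so expect false positives on unrelated files
        any of them
}
```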
Disclosed ransom conversations, for defensive study purposes. Contacts, links and wallets redacted.
!!! ATTENTION !!!

Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company. All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale.

What you will face if your data gets on the black market:

1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores.
2) You may be sued by clients of your company for leaking information that was confidential.
3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify.
4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered.
5) You will forever lose the reputation.
6) You will be subject to huge fines from the government.

You can learn more about liability for data loss here: [redacted] [redacted]

Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse.

You can get out of this situation with minimal losses
To do this you must strictly observe the following rules:

DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it may also DAMAGE files.
DO NOT Shutdown or Reboot the system this may DAMAGE files.
DO NOT hire any third party negotiators (recovery/police, etc.)

You need to contact us as soon as possible and start negotiations.

Instructions for contacting our team:
Download & Install TOR browser: [redacted]
For contact us via LIVE CHAT open our
> Website: [redacted]
> Login: [snip]
> Password: [snip]
If Tor is restricted in your area, use VPN
If you have any problems with LIVE CHAT you can send a message here:
> Email: [redacted]
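The published rule above matches any file that contains the string "cloak", so it will also hit unrelated files. The rule below is an added example, not from ransomware.live or the original page: it keys on phrases copied from the note text quoted above. The rule name, the `filesize` limit and the 3-of-6 threshold are assumptions, as is each phrase sitting on a single line in the note as dropped on disk.

```yara
rule Cloak_Ransomnote_Phrases_Example
{
    meta:
        description = "Added example: phrases from the ransom note text quoted on this page"
        // Assumption: thresholds below are illustrative and need tuning on your own data
        confidence_note = "Identifies this note text; not proof of family on its own"
    strings:
        // All strings are copied verbatim from the quoted note; 'wide' covers UTF-16 copies
        $p1 = "Your network is hacked and files are encrypted" ascii wide nocase
        $p2 = "we will provide you the programs for decryption" ascii wide nocase
        $p3 = "What you will face if your data gets on the black market" ascii wide nocase
        $p4 = "DO NOT hire any third party negotiators" ascii wide nocase
        $p5 = "For contact us via LIVE CHAT" ascii wide nocase
        $p6 = "If Tor is restricted in your area, use VPN" ascii wide nocase
    condition:
        // Ransom notes are small text files; the size cap keeps large binaries
        // and archives that merely embed one phrase out of the result set
        filesize < 64KB and 3 of ($p*)
}
```

Requiring several phrases together tolerates small edits to the note between campaigns while staying far narrower than a single-keyword match.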
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Nos********om.br | BR | Not Found | — | 7 Jul 2025 |
| Fi***************.pa | PA | Not Found | — | 20 Mar 2025 |
| Fmp.gob.pe | PE | Public Sector | — | 20 Dec 2024 |
| F************.pe | PE | Not Found | — | 30 Nov 2024 |
| cli*********.com | CO | Not Found | — | 4 May 2024 |
| Equatorial Energia | BR | Energy | — | 24 Mar 2024 |
| ihopmexico.com | MX | Hospitality and Tourism | — | 24 Aug 2023 |
The addresses of the leak sites (.onion) are known but are not published or linked. Only public metadata is shown.
[AI generated] Fmp.gob.pe refers to the Fondo MIVIVIENDA, a Peruvian government initiative aimed at facilitating access to affordable housing. It provides financial products and services to support homeownership, particularly for low- and middle-income families. The organization focuses on promoting sustainable urban development and improving living conditions through accessible mortgage loans and housing programs.
F************.pe Country: Peru Private 221GB
Country: Colombia
Country: Brazil