New Windows Drive-By Security Attack—What You Need To Know

Although little is known about the cybercriminal group behind what has become known as the Cloak ransomware threat, it has risen rapidly to become a significant player in the ransomware landscape since first emerging in 2022. Threat researchers at Halcyon have now analyzed the Cloak ransomware threat and uncovered a new and worrying variant that not only displays “sophisticated extraction and privilege escalation mechanisms” but also terminates processes related to both security and data backup tools. This new Cloak variant, Halcyon warned, can spread by way of dangerous drive-by downloads disguised as legitimate updates such as Microsoft Windows installers. Here’s what you need to know.

The newly published Halcyon analysis of this latest Cloak ransomware variant details a number of attack strategies used by the threat actors operating the criminal operation. Network access acquired through initial access brokers and social engineering unsurprisingly top the list. Phishing, malicious advertising and exploit kits are all employed to get the Cloak malware installed onto a target system, but Halcyon has also warned that the attackers are using what is known as a drive-by download tactic, disguising the threat as a legitimate system update such as a Windows installer.

It is believed that Cloak is connected to the Good Day ransomware group and uses a ransomware strain derived from the previously leaked Babuk ransomware source code. That lineage matters little to victims or potential victims; what matters is that once delivered by way of a loader with the ransomware payload embedded within it, Cloak uses sophisticated extraction and privilege escalation mechanisms, according to this latest report. “It terminates processes and services related to security, backups, and databases,” the security analysts warned, “while modifying system settings to hinder recovery and user actions.” Encryption keys are securely generated with Curve25519 and SHA512, and files on both local drives and network shares are encrypted using the HC-128 algorithm. The Cloak ransomware variant “employs advanced evasion techniques, including executing from virtual hard disks to avoid detection,” the report said.

Source: Forbes