Cloak Ransomware Gang Attacks Spanish Vehicle Rental Company

By Miklos Zoltan . 15 June 2024

Founder - Privacy Affairs

Fact-Checked this

The anonymous Cloak ransomware gang announced a massive breach against Mundocar, a Spanish vehicle rental company. Mundocar did not confirm or comment on the event, but it does appear to be legit, at least at first glance.

The hackers have tagged the job as ‘Expired’ on their leak site, which may suggest that the negotiations have failed
According to Cloak’s post, the hackers managed to get away with 100 GB of internal data
Cloak is a newcomer in the ransomware sphere after coming out publicly at the beginning of 2023
The organization relies on the double-extortion practice to force the victims to comply with their demands

Ransomware attacks have been visibly more devastating in 2023, compared to the previous year, a trend which seems to continue in 2024. Ransomware gangs have also increased their activity with Lockbit leading the herd.

Experts place ransomware breaches higher on the list in terms of potential damages, compared to other types of cyberattacks. There are several reasons for that.

X showing the Cloak attack on Mundocar — https://x.com/FalconFeedsio/status/1801569726251852146

The first one is also the most obvious one: the data loss itself. It’s never a good sign when known hackers have possession of your sensitive data. Then there’s the problem of paying the ransom which, in almost all cases, it’s hefty to begin with.

The hackers will always approximate the value of the ransom based on the victim’s revenue profile. The higher the victim’s revenue, the higher the ransom.

Then we have the legal issues stemming from the breach itself. Because the target company is responsible for all of its employee’s and customers’ data, any leak makes it directly liable. This is one reason why many enterprises refuse to report ransomware breaches.

Finally, there’s the problem of the hackers sharing or selling the stolen data to other cybercriminal entities. In turn, these will then extort the victim again or use the data for their own gain.

How Cloak Operates

Despite being relatively new in the ransomware sphere, Cloak isn’t really innovative in the field. Instead, it sticks to the classic double-extortion practice. This allows the hackers to increase their leverage during negotiations.

The victim needs to pay for both the decryptor to recover access to the system and the deletion of the stolen data. The problem is that the latter rarely works. The hackers prefer to keep the data to themselves and either use it later or share it with other hackers.

Sometimes, it’s both.

Cloak is currently anonymous, as there is no clear information regarding its profile, code, members, or internal structure. However, given how the ransomware sphere operates, it’s more likely than not that Cloak is related to at least one other cybercriminal gang.

Ransomware organizations often collaborate with each other for higher and easier gains. They also often share manpower and resources, especially when pressed by law enforcement agencies. In the case of the latter, many gangs also dissolve and restructure.

So far, Cloak hasn’t been as active or as successful as high-tier ransomware operators, but the situation can always change.

Our Mission

We believe security online security matters and its our mission to make it a safer place.

Founder & CEO Privacy Affairs

Miklos Zoltan is the founder and CEO of Privacy Affairs. Miklos has long-time experience in cybersecurity and data privacy having worked with international teams for more than 10 years in projects involving penetration testing, network security and cryptography.

Miklos founded Privacy Affairs in 2018 to provide cybersecurity and data privacy education to regular audiences by translating tech-heavy and "geeky" topics into easy-to-understand guides and tutorials.

Cookie	Duration	Description
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	1 year	The GDPR Cookie Consent plugin sets the cookie to store whether or not the user has consented to use cookies. It does not store any personal data.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.

Cloak Ransomware Gang Attacks Spanish Vehicle Rental Company

How Cloak Operates

Our Mission

Miklos Zoltan

Leave a Comment Cancel