Cloak Ransomware Group Hacks Virginia Attorney General’s Office: February Breach Confirmed

The Cloak ransomware group has claimed responsibility for a February cyberattack on the Virginia Attorney General’s Office, leading to significant IT disruptions and potential data theft.

TL;DR

The Cloak ransomware group has claimed responsibility for a cyberattack on the Virginia Attorney General’s Office in February 2025. The attack forced the office to shut down IT systems and revert to paper filings. The group allegedly stole 134GB of sensitive data, which is now available on their Tor leak site.

Cloak Ransomware Group Claims Responsibility for Virginia Attorney General’s Office Cyberattack

In February 2025, the Virginia Attorney General’s Office experienced a significant cyberattack, for which the Cloak ransomware group has now claimed responsibility. The incident led to the shutdown of essential IT systems, including email and VPN services, forcing the office to revert to manual paper filings. Chief Deputy AG Steven Popps described the attack as “sophisticated.” The breach was detected in February, prompting notifications to the FBI, Virginia State Police, and the Virginia Information Technologies Agency. Investigations are ongoing to assess the full impact and identify the source of the attack [1].

Details of the Cyberattack

The Virginia Attorney General’s Office has not disclosed specific details about the attack. However, on March 20, 2025, the Cloak group added the office to its list of victims on its Tor leak site, claiming to have stolen 134GB of sensitive data. Initially, the group published screenshots of the stolen data as proof of the attack. Now, the entire archive is available for download from their leak page [2].

Cloak Ransomware Group: Profile and Tactics

The Cloak ransomware group has been active since at least 2023 and has breached more than one hundred organizations worldwide. The group primarily targets small to medium-sized businesses in Europe, with a key focus on Germany. They have expanded their operations to Asia and target various sectors, including healthcare, real estate, construction, IT, food, and manufacturing.

Cloak’s attack strategy involves acquiring network access through Initial Access Brokers (IABs) or through social engineering methods such as phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate updates such as Microsoft Windows installers. After infiltrating a network, the group encrypts files with an ARCrypter ransomware variant derived from Babuk’s leaked source code [3].

Conclusion

The cyberattack on the Virginia Attorney General’s Office highlights the ongoing threat posed by ransomware groups like Cloak. As investigations continue, it is crucial for organizations to strengthen their cybersecurity measures and remain vigilant against such threats.

This post is licensed under CC BY 4.0 by the author.