Virginia’s Attorney General’s Office was hit by a cyberattack in February, forcing a shutdown of IT systems and a reversion to paper filings. The Cloak ransomware group now claims responsibility, bragging about stealing 134GB of sensitive data.
The Virginia Attorney General’s Office had to shut down its IT systems, including email and VPN after suffering from what Chief Deputy AG Steven Popps described as a “sophisticated attack.” The breach, detected in February, triggered notifications to the FBI, Virginia State Police, and the Virginia Information Technologies Agency.
On March 20, 2025, Cloak added the Virginia Attorney General’s Office to its list of victims on its Tor leak site. The group announced that, with the waiting period over, the entire 134GB archive of stolen data is now available for download, after initially posting only screenshots as proof.
Investigations are still underway to determine the full extent and source of this breach.
T-Mobile data breach: They owe you money—here’s how to claim it
Active since at least 2023, Cloak has reportedly compromised over one hundred organizations, often targeting small to medium-sized businesses, predominantly in Europe, especially Germany and has extended its operations to countries in Asia. The targeted sectors are healthcare, real estate, construction, IT, food, and manufacturing.
“Cloak primarily targets small to medium-sized businesses in Europe, with Germany as a key focus. The group has extended its operations to countries in Asia and targets various sectors, including healthcare, real estate, construction, IT, food, and manufacturing. Cloak’s attack strategy involves acquiring network access through Initial Access Brokers (IABs) or social engineering methods such as phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate updates like Microsoft Windows installers,” states Halcyon.
The group infiltrates networks by either buying access from Initial Access Brokers (IABs) or employing social engineering tactics, such as phishing campaigns and malicious advertisements. These methods often involve exploit kits and drive-by downloads disguised as legitimate software updates, including fake Microsoft Windows installers.
Once inside a network, Cloak uses an ARCrypter ransomware variant, derived from the leaked code of Babuk, to encrypt files.
