Cloak Ransomware Attacks Virginia Attorney General’s Office, Disrupting IT Operations

A ransomware group known as Cloak has publicly claimed responsibility for a cyberattack on the Virginia Attorney General’s office that took place in February 2025. The incident caused significant disruption and prompted officials to invoke emergency protocols to manage the aftermath.

Chief Deputy Attorney General Steven Popps told staff by email that most of the office’s IT infrastructure, including email, VPN access, internet connectivity, and the attorney general’s official website, had been taken offline, as reported by major news outlets. Employees had to fall back on manual, paper-based processes, which underscores the severity of the disruption. The attorney general’s office promptly notified the Virginia State Police, the Federal Bureau of Investigation (FBI), and the Virginia Information Technologies Agency, which opened an investigation into the breach.

On March 20, Cloak added an entry for the Virginia Attorney General’s website to its Tor-based data leak site, with a note stating that the waiting period was over and that the stolen data was now available for download. This suggests that negotiations between the ransomware group and the attorney general’s office broke down, with the office reportedly declining to meet the ransom demands. Cloak also published screenshots purportedly showing documents taken from the attorney general’s systems to back up its claims.

As of now, the Virginia Attorney General’s office has not officially confirmed Cloak’s claims. Critical information about the nature of the compromised data, whether any ransom was paid, and the exact amount demanded remains undisclosed. How the attackers gained access to the attorney general’s network has also not been made public, leaving many questions about the incident unanswered.

Cloak, a ransomware group that emerged in 2022 and gained notoriety in 2023, primarily targets small and medium-sized enterprises in Europe and Asia, with a particular focus on Germany. The group runs a double-extortion operation: its malware both exfiltrates data and encrypts systems, so that victims are pressured on two fronts. Victims who refuse to pay risk having their stolen data published on Cloak’s leak site, a pressure tactic consistent with the group’s reported payment rate of 91-96%.

Since its emergence, Cloak has claimed responsibility for 13 confirmed ransomware attacks, including those targeting the Canadian town of Ponoka and the German municipality of Gemeinde Kaisersbach in 2024, along with 54 unconfirmed incidents where organizations did not acknowledge the breaches. The attack on the Virginia Attorney General’s office marks Cloak’s first confirmed operation of 2025.

The tactics used in this attack have not been disclosed, but an intrusion of this kind typically maps onto several MITRE ATT&CK tactics. Initial access could have been obtained through phishing or exploitation of a vulnerable internet-facing service, persistence through newly created user accounts or deployed backdoors, and privilege escalation to extend the attackers’ reach across the network before data theft and encryption. None of these techniques has been confirmed for this incident.
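As an added example (not part of the original article, and not a description of Cloak’s actual tooling), the following Python script shows how a defender would hunt for the account-creation persistence pattern mentioned above in Windows Security events. The event lines, host, account and group names are constructed samples; the key=value layout is a simplified rendering of event 4720 (user account created) and 4732 (member added to a security-enabled local group), and business hours are assumed to be 08:00-18:00 UTC.

```python
"""Hunt for persistence via new accounts (ATT&CK T1136.001) and their
immediate elevation, over constructed Windows Security log samples."""
import re
from datetime import datetime, timedelta

# Constructed sample events (hypothetical host, accounts and times; not from
# the incident). 4720 = account created, 4732 = member added to local group,
# 4624 = logon (included only to show unrelated events are ignored).
SAMPLE_EVENTS = [
    "2025-02-11T23:41:02Z EventID=4720 Subject=svc_backup Target=support_tmp",
    "2025-02-11T23:41:40Z EventID=4732 Subject=svc_backup Member=support_tmp Group=Administrators",
    "2025-02-12T09:15:00Z EventID=4720 Subject=helpdesk1 Target=jsmith",
    "2025-02-12T09:20:11Z EventID=4732 Subject=helpdesk1 Member=jsmith Group=Remote Desktop Users",
    "2025-02-12T09:21:00Z EventID=4624 Subject=jsmith LogonType=2",
]

# Groups whose membership grants administrative control (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# key=value pairs; values may contain spaces (e.g. "Remote Desktop Users"),
# so a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Parse one sample line into a dict; 'ts' is a timezone-aware datetime."""
    ts_text, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return event


def analyze(lines, business_hours=(8, 18), link_window=timedelta(hours=1)):
    """Return alerts for (a) accounts created outside business hours and
    (b) accounts added to a privileged group within link_window of creation.
    Hours are compared in UTC (assumption for this constructed sample)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    created = {}  # account name -> its 4720 event
    alerts = []
    for ev in events:
        if ev["EventID"] == "4720":
            created[ev["Target"]] = ev
            if not (business_hours[0] <= ev["ts"].hour < business_hours[1]):
                alerts.append({
                    "rule": "off_hours_account_creation",
                    "account": ev["Target"],
                    "actor": ev["Subject"],
                    "ts": ev["ts"],
                })
        elif ev["EventID"] == "4732" and ev.get("Group") in PRIVILEGED_GROUPS:
            origin = created.get(ev["Member"])
            # A brand-new account landing in Administrators within the window
            # is the classic "create account, elevate it" persistence step.
            if origin is not None and ev["ts"] - origin["ts"] <= link_window:
                alerts.append({
                    "rule": "new_account_privileged",
                    "account": ev["Member"],
                    "actor": ev["Subject"],
                    "group": ev["Group"],
                    "ts": ev["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["ts"].isoformat(), alert["rule"], alert["account"], alert["actor"])
```

In the sample, the help-desk-created `jsmith` account is ignored because it was created during working hours and only joined a non-administrative group, while `support_tmp` triggers both rules. In a real environment the same logic would run over events pulled from a SIEM, and the creation-to-elevation window and business hours would be tuned to the organization’s change process.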

As the investigation unfolds, business leaders and cybersecurity professionals must remain vigilant of evolving threats, particularly from ransomware groups like Cloak, which continue to adapt and refine their strategies against organizations of all sizes across the globe. With the complex landscape of cybercrime, it is crucial for organizations to bolster their defenses and remain informed about the latest tactics employed by adversaries.
