Virginia Attorney General Hit by Cloak Ransomware Attack


The Virginia Attorney General’s Office has fallen victim to a cyberattack reportedly orchestrated by the ransomware group Cloak. The attack disrupted critical systems, forcing the state’s top legal agency to resort to manual operations.

The incident first surfaced in mid-February when employees received an internal email alerting them to widespread IT outages. Essential computer systems, applications, internal services, and the agency’s website were rendered inaccessible. Internet connectivity and VPN services were also down, pushing staff to revert to paper-based court filings—a major setback for the office.

Although the Attorney General’s Office (AGO) chose not to disclose specifics publicly, the Cloak ransomware group later exposed the attack by listing the Virginia AGO on its dark web leak site on March 20. The group claims to have published stolen data, hinting that ransom negotiations likely failed.

Security experts warn that the release of sensitive data could pose serious risks, though the AGO has yet to confirm the breach’s impact. SecurityWeek has reached out to the AGO for comment, but no response has been issued at the time of reporting.

Cloak is a relatively new but growing threat in the ransomware landscape. First spotted in late 2022, the group is linked to the notorious Good Day ransomware operation. According to cybersecurity firm Comparitech, Cloak has targeted more than 65 organizations so far, though only 13 attacks have been verified. Notably, the Virginia AGO incident marks the group’s first confirmed attack of 2024.

Cybersecurity researchers at Halcyon report that Cloak deploys an ARCrypter ransomware variant built from the leaked Babuk source code. This tool enables the group to encrypt victims’ data swiftly, increasing pressure during extortion attempts.

Cloak is known for its dual approach to gaining access: leveraging social engineering tactics alongside partnerships with initial access brokers. While its operations have mainly targeted small and mid-sized businesses across Europe and Asia, this latest attack on a U.S. government agency signals a potentially worrying expansion of its scope.

The Virginia AGO cyberattack serves as a fresh reminder of the rising threats from ransomware groups, especially those combining data theft and extortion. Agencies and businesses alike are urged to bolster defenses and review incident response plans to mitigate future risks.
