Ransomware Attack Hits St. James Place Retirement Community, Data Stolen

Incident Date:

August 23, 2024

Overview

Victim

St. James Place

Attacker

Cloak

Location

Baton Rouge, Louisiana, USA

First Reported

August 23, 2024

Ransomware Attack on St. James Place by Cloak Ransomware Group

St. James Place, a nonprofit retirement community located in Baton Rouge, Louisiana, has recently fallen victim to a ransomware attack orchestrated by the Cloak ransomware group. The attackers claim to have exfiltrated 100 GB of sensitive data from the organization, releasing sample screenshots on their dark web portal to substantiate their claims.

About St. James Place

Established in 1983, St. James Place is a Life Plan Community designed for active seniors aged 62 and older. The community spans 52 acres and offers a comprehensive lifestyle that emphasizes independence, wellness, and community engagement. It provides a continuum of care, including independent living, assisted living, and skilled nursing care, all underpinned by a Life Care Contract that guarantees access to healthcare services as needed.

The community is known for its vibrant lifestyle, featuring amenities such as a fitness center, salon, home theater, and multiple dining options. Residents can participate in various activities, including arts and crafts, fitness classes, and organized outings to cultural events in Baton Rouge. The St. James Place Foundation supports residents facing financial challenges, ensuring a high quality of life for all.

Attack Overview

The Cloak ransomware group has claimed responsibility for the attack on St. James Place, asserting that they have exfiltrated 100 GB of sensitive data. The breach highlights the growing threat of ransomware attacks in the healthcare and wellness sector. Cloak has released sample screenshots of the stolen data on their dark web portal, emphasizing the severity of the breach.

About Cloak Ransomware Group

Cloak ransomware is a relatively new group that emerged between late 2022 and early 2023. The group is financially motivated and primarily targets sectors such as medical, real estate, construction, IT, food industry, and manufacturing. Cloak operates a data leak site where they sell and publish stolen data from victims, using double extortion tactics by encrypting files and threatening to leak stolen data.

The group likely purchases initial access from Initial Access Brokers (IABs) on underground marketplaces and may leverage compromised employee credentials obtained through info-stealers like Lumma, Aurora, and Redline. Encrypted files are renamed with extensions like .crYptA, .crYptB, up to .crYptE. As of mid-2023, Cloak had accessed 23 databases of small-medium businesses, with a high ransom payment rate of 91-96%.
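
The renaming pattern described above gives defenders a simple signal to watch for. The following is an added detection sketch, not code from the original report or from any vendor: it flags hosts that rename several files to a .crYptA through .crYptE extension within a short window. The pipe-delimited event format, the threshold, the window and the sample events are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Extensions reported on this page: .crYptA through .crYptE (matched case-sensitively).
CLOAK_EXT = re.compile(r"\.crYpt[A-E]$")

def parse_event(line):
    """Parse 'epoch_seconds|host|old_path|new_path' (constructed format)."""
    ts, host, old, new = line.strip().split("|", 3)
    return int(ts), host, old, new

def detect_bursts(lines, threshold=3, window=60):
    """Return {host: first_alert_ts} for hosts with at least `threshold`
    renames to a matching extension within `window` seconds."""
    recent = defaultdict(deque)  # host -> timestamps of matching renames
    alerts = {}
    for ts, host, old, new in sorted(map(parse_event, lines)):
        # Skip renames that do not end in a listed extension, and files
        # that already carried one before the rename.
        if not CLOAK_EXT.search(new) or CLOAK_EXT.search(old):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

# Constructed sample events, not taken from any real incident.
SAMPLE = [
    "1000|fs01|/share/a.docx|/share/a.docx.crYptA",
    "1005|fs01|/share/b.xlsx|/share/b.xlsx.crYptA",
    "1010|ws07|/home/u/notes.txt|/home/u/notes.txt.bak",
    "1012|fs01|/share/c.pdf|/share/c.pdf.crYptA",
    "1020|ws09|/tmp/x.dat|/tmp/x.dat.crYptB",
    "1500|ws09|/tmp/y.dat|/tmp/y.dat.crYptB",
    "1501|ws09|/tmp/z.dat|/tmp/z.dat.crypta",
]

if __name__ == "__main__":
    for host, ts in detect_bursts(SAMPLE).items():
        print(f"ALERT {host}: burst of .crYpt[A-E] renames at t={ts}")
```

A single matching rename can be a false positive, which is why the sketch alerts on a burst per host rather than on one file.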

Vulnerabilities and Penetration

St. James Place, like many organizations in the healthcare sector, may have vulnerabilities that make it an attractive target for ransomware groups. These could include outdated software, insufficient cybersecurity measures, and a lack of employee training on phishing and other cyber threats. The exact method of penetration in this case is not yet clear, but it is likely that Cloak used compromised credentials or purchased initial access from IABs to infiltrate the company's systems.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given how lucrative ransomware has been for threat actors so far, it has become the most ubiquitous and the most financially and informationally damaging cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.