Global Attack by Warlock Ransomware as Victims Worldwide are Targeted Via SharePoint ToolShell Exploit

Unpatched SharePoint on-premises systems targeted by Warlock ransomware through a complex post-infiltration process, as identified by Trend Micro

In recent months, a new ransomware group known as Warlock has rapidly established itself in the cybercriminal landscape. This group, linked to a China-based threat actor known as Storm-2603, has been actively targeting organizations globally, with its activities impacting industries ranging from technology to critical infrastructure.

The Warlock ransomware operators have been extensively targeting the Microsoft SharePoint ToolShell vulnerability. Attackers have used this vulnerability to compromise unpatched organizations, gaining code execution capabilities and escalating privileges.

Once inside a system, the attackers enable remote desktop protocol (RDP) access by setting the value at to 0. They also conduct extensive reconnaissance within the victim environment to plan lateral movement.

One of the tactics the attackers use is activating the "guest" account on a Windows machine and modifying its password, enabling it for access. The "guest" account is then added to the local "administrators" group, granting it administrative privileges.

The ransomware encrypts files and places a ransom note titled "How to decrypt my data.txt" within affected directories. The data exfiltration process is conducted using RClone, a legitimate open-source file synchronization tool.
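The three post-compromise changes just described (RDP enabled, the "guest" account enabled and promoted to local administrator, the ransom note dropped) can be checked for on a Windows host with the following audit script, an added example that is not part of the original article or Trend Micro's tooling; it assumes the unnamed RDP setting is the standard fDenyTSConnections registry value and that the host is audited from an elevated PowerShell session.

```powershell
# Added audit example (not from the original article). Checks one Windows host
# for the access changes described in the Warlock write-up. Assumption: the RDP
# setting the article leaves unnamed is HKLM\...\Terminal Server\fDenyTSConnections.
# Run in an elevated PowerShell session on the host being audited.

$findings = @()

# 1. "Guest" account enabled (attackers enable it and set a password)
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    $findings += "Guest account is ENABLED (password last set: $($guest.PasswordLastSet))"
}

# 2. "Guest" account placed in the local Administrators group
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.Name -match '\\Guest$' }) {
    $findings += "Guest account is a member of local Administrators"
}

# 3. RDP allowed via registry (assumed key; a value of 0 means connections are permitted)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty -Path $rdpKey -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
if ($rdp -and $rdp.fDenyTSConnections -eq 0) {
    $findings += "RDP connections are allowed (fDenyTSConnections = 0)"
}

# 4. Ransom note named in the article present under user profiles
$notes = Get-ChildItem -Path 'C:\Users' -Recurse -File `
    -Filter 'How to decrypt my data.txt' -ErrorAction SilentlyContinue
if ($notes) {
    $findings += "Ransom note found: $(@($notes).Count) file(s), first at $(@($notes)[0].FullName)"
}

# Report: none of these alone proves compromise, but together they match the
# described post-exploitation pattern and warrant incident-response triage.
if ($findings.Count -eq 0) {
    Write-Output 'No Warlock-related host indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

An enabled guest account with a recent PasswordLastSet alongside a fresh RDP change is the combination to escalate; a legitimately enabled RDP setting on its own is common on servers.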

Remote services such as Server Message Block (SMB) are used to copy payloads and tools across machines. A stealthy command and control (C2) channel is set up inside the compromised environment, using a Cloudflare binary renamed to evade detection.

Microsoft has warned SharePoint customers that attackers are actively targeting the ToolShell exploit chain. The company reported on July 23 that a China-based actor, Storm-2603, was distributing Warlock ransomware on exploited SharePoint on-prem servers.

Researchers urge organizations to promptly patch their on-premises SharePoint servers and deploy layered detection capabilities to defend against the Warlock ransomware threat. They also advise organizations to regularly back up their data and test their recovery capabilities to minimize the impact of a potential attack.

Warlock made its public debut on the Russian-language RAMP forum in early June 2025. It appears to be a customized derivative of the leaked LockBit 3.0 builder. The group's activities have been extensive, with the ransomware deployment enabled by copying the ransomware binary into public folders on multiple endpoints via the Ingress transfer tool.

Warlock claimed credit for an August 2025 attack on UK telecoms firm Colt Technology Services. The group's victim list includes organizations in North America, Europe, Asia, and Africa.

As the Warlock ransomware continues to evolve and target organizations worldwide, it is crucial for businesses and individuals to stay vigilant and take necessary precautions to protect their data and systems.
