Palo Alto Networks investigating ransomware threat related to SharePoint exploitation
Researchers from Palo Alto Networks say they are investigating a ransomware attack related to the recently disclosed ToolShell vulnerabilities in Microsoft SharePoint.
The hackers left the victim a ransom note on Sunday claiming they had encrypted files using the 4L4MD4R ransomware. The note warned that any attempt to decrypt the files would result in their deletion.
The hackers used PowerShell commands to disable real-time monitoring in Windows Defender, according to Palo Alto Networks researchers. The intruders also bypassed certificate validation.
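For administrators who want to check their own SharePoint hosts for the Defender tampering described above, the following PowerShell audit is an added example written for this page; it is not code from the article, Palo Alto Networks or Microsoft, and it does not reproduce the attackers' commands. It assumes Microsoft Defender Antivirus is installed, that the account can read the Defender and PowerShell operational event logs, and that Script Block Logging is enabled for the third check; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example (not from the article or Unit 42): audit a Windows server for
# signs that Defender real-time monitoring was switched off.
# Assumptions: Defender installed; rights to read the two operational logs;
# Script Block Logging enabled (for check 3); $Since is an arbitrary window.
param(
    [datetime]$Since = (Get-Date).AddDays(-7)
)

# 1. Current state: is real-time protection on right now, and is tamper
#    protection guarding the setting?
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AntivirusEnabled          = $status.AntivirusEnabled
    TamperProtection          = $status.IsTamperProtected
}

# 2. History: Defender logs event 5001 when real-time protection is disabled
#    and 5007 when its configuration changes. Either inside the window
#    deserves a closer look.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 3. Provenance: with Script Block Logging on, event 4104 in the PowerShell
#    operational log records the script text that ran. Flag any block that
#    touches the real-time monitoring preference.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DisableRealtimeMonitoring' } |
    Select-Object TimeCreated,
                  @{ n = 'Script'; e = { $_.Properties[2].Value } }
```

Run it in an elevated session on each exposed host; a current `RealTimeProtectionEnabled` of `False`, a 5001 event, or a 4104 script block matching the preference name during the window all warrant treating the server as potentially compromised rather than simply re-enabling protection.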
“If successfully executed, the malware encrypts files and displays a ransom note that identifies itself as 4L4MD4R ransomware with a demand for payment in Bitcoin and several alternative cryptocurrencies,” said Andy Piazza, senior director of threat intelligence at Palo Alto Networks’ Unit 42.
The company is still investigating the identity of the attacker and whether they have deployed ransomware against other targets.
On Thursday, researchers from Shadowserver reported 17,000 SharePoint instances exposed on the internet, 840 of which still had the critical vulnerability tracked as CVE-2025-53770, which hackers have been exploiting for weeks.
Shadowserver said at least 20 of those vulnerable servers contained webshells suggesting the presence of hackers.
In July, researchers said there were at least 300 known compromises worldwide, including at key U.S. government agencies.
The ransomware attempt tied to a SharePoint attack adds another worrisome dimension to the ongoing campaign. Microsoft researchers previously warned that the SharePoint vulnerability had attracted the interest of China-backed hackers.
Palo Alto Networks researchers said the ransomware attack appeared to be unrelated to nation-state activity. Researchers from Google and other firms previously warned of opportunistic attacks targeting vulnerable SharePoint instances.