The Warlock ransomware group has intensified its operations by targeting unpatched on-premises Microsoft SharePoint servers, leveraging critical vulnerabilities to achieve remote code execution and initial network access.
This campaign, observed in mid-2025, involves sending crafted HTTP POST requests to upload web shells, facilitating reconnaissance, privilege escalation, and credential theft.
Initial Exploitation
Attackers exploit flaws like CVE-2023-27532 in outdated Veeam Backup software and recently disclosed SharePoint deserialization issues, enabling them to bypass authentication and pivot into enterprise environments.
Victims span multiple continents, including North America, Europe, Asia, and Africa, with sectors such as government, finance, manufacturing, technology, and critical infrastructure heavily impacted.
Warlock’s tactics echo those of groups like Black Basta, suggesting possible affiliations or rebranding, and demonstrate a rapid evolution from forum advertisements in June 2025 to sophisticated global attacks.
By abusing Group Policy Objects for privilege escalation, attackers create new GPOs, activate guest accounts, and add them to administrator groups, granting elevated access for further compromise.
Once inside, Warlock operators employ a multi-stage attack chain that includes defense evasion, discovery, credential access, and exfiltration.
They use built-in Windows tools like cmd.exe and nltest for domain trust enumeration, system information gathering via ipconfig and tasklist, and account discovery through net group commands.
Attack Chain
Credential dumping is achieved with Mimikatz to extract plaintext passwords from memory and by dumping SAM and SECURITY registry hives, often via tools like CrackMapExec.
Lateral movement occurs over SMB shares to copy payloads, including renamed binaries like vmtools.exe (detected as Trojan.Win64.KILLAV.I), which terminates security processes by installing a malicious driver named googleApiUtil64.sys and repeatedly killing targets listed in log.txt files.

Ransomware deployment appends the .x2anylock extension to encrypted files, drops ransom notes, and exfiltrates data to Proton Drive accounts using RClone disguised as TrendSecurity.exe.
The malware, a LockBit 3.0 derivative, avoids encrypting whitelisted extensions, directories, and specific system names to maintain operational stealth.
In prior chains, attackers used DLL sideloading with legitimate executables like MpCmdRun.exe and jcef_helper.exe to load malicious payloads, overwriting disks with writenull.exe to hinder recovery.
This attack underscores the risks of delayed patching and the need for layered defenses. Organizations should apply Microsoft patches for SharePoint vulnerabilities immediately and monitor for indicators such as suspicious GPO modifications, unauthorized enabling of RDP, or protocol tunneling via renamed Cloudflare binaries.
According to the report, Trend Micro’s Vision One platform provides detection of Warlock IOCs through threat hunting queries, intelligence updates, and proactive rules that block exploitation attempts, process terminations, and exfiltration.
Continuous monitoring for credential dumping, lateral movement, and abnormal command executions is essential, alongside restricting administrative shares and maintaining up-to-date security signatures to counter evolving ransomware variants like Warlock.
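The monitoring guidance above maps directly onto the attack chain the article describes: GPO creation and guest-account abuse, built-in discovery commands, renamed binaries (vmtools.exe, TrendSecurity.exe), the googleApiUtil64.sys driver, and the .x2anylock extension. The following Python triage script is an added example, not code from the article or from Trend Micro; it runs rule checks over a handful of constructed Windows Security and Sysmon-style event records (the Event IDs 5137, 4722, 4732/4728, and Sysmon 1, 6, 11 are real, but the field values, user names, paths and the assumption that a renamed binary keeps its PE OriginalFileName are constructed for illustration) and maps the hits onto the chain stages.

```python
"""Heuristic triage of Windows Security / Sysmon-style events for the Warlock
attack chain described in the article. Added example with constructed events."""
import ntpath
import re
from collections import Counter

# Group names whose membership changes matter for the guest-account escalation.
ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}
# Built-in discovery tooling named in the article (nltest, ipconfig, tasklist, net group).
DISCOVERY_RE = re.compile(r"\b(nltest|ipconfig|tasklist|net\s+(?:group|user|localgroup))\b", re.I)
KILLAV_DRIVER = "googleapiutil64.sys"   # driver name reported in the article
RANSOM_EXT = ".x2anylock"               # extension reported in the article

# Constructed sample events (not real telemetry). "id" is the Windows event ID;
# the remaining keys mirror the real field names for those events.
SAMPLE_EVENTS = [
    {"id": 5137, "ObjectClass": "groupPolicyContainer", "SubjectUserName": "svc-sp",
     "ObjectDN": "CN={CONSTRUCTED-GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"id": 4722, "TargetUserName": "Guest", "SubjectUserName": "svc-sp"},
    {"id": 4732, "TargetUserName": "Administrators",
     "MemberName": "CN=Guest,CN=Users,DC=corp,DC=example", "SubjectUserName": "svc-sp"},
    # Assumption: the renamed KILLAV binary still carries a different OriginalFileName.
    {"id": 1, "Image": r"C:\Windows\Temp\vmtools.exe", "OriginalFileName": "killav.exe",
     "CommandLine": "vmtools.exe log.txt"},
    {"id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\googleApiUtil64.sys", "Signed": "true"},
    {"id": 1, "Image": r"C:\ProgramData\TrendSecurity.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"TrendSecurity.exe copy C:\Finance protondrive:backup"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c nltest /domain_trusts"},
    {"id": 11, "TargetFilename": r"C:\Users\alice\Documents\q3.xlsx.x2anylock"},
    {"id": 1, "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    # Benign control: image name matches its OriginalFileName, no discovery command.
    {"id": 1, "Image": r"C:\Windows\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad"},
]


def check_event(ev):
    """Return a list of (rule, detail) hits for a single event dict."""
    hits = []
    eid = ev.get("id")
    if eid == 5137 and ev.get("ObjectClass", "").lower() == "grouppolicycontainer":
        hits.append(("gpo_created", f"{ev.get('SubjectUserName')} created {ev.get('ObjectDN')}"))
    if eid == 4722 and ev.get("TargetUserName", "").lower() == "guest":
        hits.append(("guest_enabled", f"enabled by {ev.get('SubjectUserName')}"))
    if (eid in (4728, 4732) and ev.get("TargetUserName", "").lower() in ADMIN_GROUPS
            and "guest" in ev.get("MemberName", "").lower()):
        hits.append(("guest_added_to_admins", ev.get("TargetUserName")))
    if eid == 1:  # Sysmon process creation
        image = ntpath.basename(ev.get("Image", "")).lower()
        orig = ev.get("OriginalFileName", "").lower()
        if orig and image != orig:
            hits.append(("renamed_binary", f"{image} has OriginalFileName {orig}"))
            if orig == "rclone.exe":
                hits.append(("rclone_masquerade", ev.get("CommandLine")))
        if DISCOVERY_RE.search(ev.get("CommandLine", "")):
            hits.append(("discovery_command", ev.get("CommandLine")))
    if eid == 6 and ntpath.basename(ev.get("ImageLoaded", "")).lower() == KILLAV_DRIVER:
        hits.append(("killav_driver_loaded", ev.get("ImageLoaded")))
    if eid == 11 and ev.get("TargetFilename", "").lower().endswith(RANSOM_EXT):
        hits.append(("ransom_extension_written", ev.get("TargetFilename")))
    return hits


def triage(events):
    """Run every rule over every event; return (hits, per-rule counts)."""
    hits = [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in check_event(ev)]
    return hits, Counter(rule for _, rule, _ in hits)


def chain_stages_seen(counts):
    """Map fired rules onto the attack-chain stages the article describes."""
    stages = {
        "privilege_escalation": {"gpo_created", "guest_enabled", "guest_added_to_admins"},
        "discovery": {"discovery_command"},
        "defense_evasion": {"renamed_binary", "killav_driver_loaded"},
        "exfiltration": {"rclone_masquerade"},
        "impact": {"ransom_extension_written"},
    }
    return {stage for stage, rules in stages.items() if rules & set(counts)}


if __name__ == "__main__":
    all_hits, rule_counts = triage(SAMPLE_EVENTS)
    for idx, rule, detail in all_hits:
        print(f"event {idx}: {rule}: {detail}")
    print("stages observed:", sorted(chain_stages_seen(rule_counts)))
```

In production these rules would read from an EDR or SIEM export rather than an inline list, and the single-event checks would be correlated by host and time window (a GPO creation followed by a guest enable and a group change from the same account within minutes is far more telling than any one event alone). The benign notepad.exe record is included so the renamed-binary rule can be seen to stay quiet when the on-disk name matches the PE OriginalFileName.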
Indicators of Compromise (IOCs)
| SHA-1 Hash | Detection Name |
|---|---|
| 0bbbf2a9d49152ac6ad755167ccb0f2b4f00b976 | Ransom.Win32.WARLOCK.A.note |
| cf0da7f6450f09c8958e253bd606b83aa80558f2 | Ransom.Win32.WARLOCK.A |
| 8b13118b378293b9dc891b57121113d0aea3ac8a | Ransom.Win32.WARLOCK.A |
| 0488509b4dbc16dcb6d5f531e3c8b9a59b69e522 | Trojan.Win64.KILLAV.I |