A newly detailed report from Trend Micro has revealed how the Warlock ransomware group is weaponizing vulnerable Microsoft SharePoint servers in a series of global attacks. The group, which surfaced in mid-2025, has already impacted organizations spanning technology, government, and critical infrastructure.
The Warlock ransomware operators announced themselves in June 2025 on the Russian-language RAMP forum with a bold tagline: "If you want a Lamborghini, please contact me." Within days, they had claimed at least 16 victims, half of them government agencies in Portugal, Croatia, and Turkey.
By mid-2025, Warlock's victim list had expanded across North America, Europe, Asia, and Africa, striking industries from finance and manufacturing to critical infrastructure. Trend Micro notes, "Based on earlier reports, Warlock's list of victims includes organizations across North America, Europe, Asia, and Africa, spanning industries from technology to critical infrastructure."
Warlock's latest campaign demonstrates a sophisticated, multi-stage attack lifecycle:
- Initial Access: The attackers exploit unpatched, internet-facing Microsoft SharePoint servers. "Warlock ransomware operators exploited vulnerable Microsoft SharePoint servers, using targeted HTTP POST requests to upload web shells, enabling reconnaissance and credential theft."
- Privilege Escalation: They abuse Group Policy Objects (GPOs), modify guest accounts, and escalate privileges across the domain.
- Execution: Malicious batch files are delivered using Windows Command Shell, copying ransomware binaries and executing scripts designed to disable defenses.
- Defense Evasion: The attackers deploy Trojan.Win64.KILLLAV.I, a process-killing tool that targets Trend Micro security software.
- Discovery and Credential Theft: Using tools like Mimikatz, the group extracts plaintext credentials, dumps Windows registry hives, and maps domain trusts.
- Lateral Movement: Leveraging SMB shares and enabling RDP access, they spread the payload across systems.
- Impact: Files are encrypted with the extension .x2anylock, with ransom notes titled "How to decrypt my data.txt" left behind. Data is exfiltrated using RClone, disguised as "TrendSecurity.exe."
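The lifecycle above names several concrete indicators a defender can hunt for: web shells dropped through HTTP POST requests, RClone renamed to TrendSecurity.exe, the .x2anylock extension, and the ransom note file name. As an added example (not code from Trend Micro or from the original article), the following Python script runs those hunts over constructed sample telemetry in the shape of IIS W3C access logs and Sysmon-style process- and file-creation events. The "unknown .aspx after a POST" heuristic, the assumption that a renamed rclone binary still reports rclone.exe as its PE OriginalFileName, and every host, IP, path and timestamp in the samples are assumptions made for the illustration.

```python
"""Hunt for the Warlock indicators named in the Trend Micro report.

Added example; this is not Trend Micro's tooling. The log lines and events
below are constructed in the shape of IIS W3C access logs and Sysmon-style
process-creation / file-creation events. Host names, IPs, paths and
timestamps are invented for illustration.
"""
from collections import Counter
from dataclasses import dataclass

RANSOM_EXTENSION = ".x2anylock"             # extension reported by Trend Micro
RANSOM_NOTE = "How to decrypt my data.txt"  # ransom note name from the report
MASQUERADE_NAME = "trendsecurity.exe"       # RClone renamed, per the report
# Assumption: a renamed rclone binary still carries "rclone.exe" in its PE
# version resource, which Sysmon Event ID 1 exposes as OriginalFileName.
RCLONE_ORIGINAL_NAME = "rclone.exe"


@dataclass
class Finding:
    category: str
    detail: str


def hunt_iis(lines, baseline_pages):
    """Flag requests to unknown .aspx pages from a client that already POSTed.

    Heuristic (added here, not from the report): a web shell is written by an
    HTTP POST and then reached at its own URL, so an .aspx path outside the
    known-good baseline, hit by a client that previously sent a POST, is a
    web-shell candidate. Field order is the default IIS W3C layout:
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...
    """
    findings = []
    last_post = {}
    known = {p.lower() for p in baseline_pages}
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        method, uri, client = fields[3], fields[4], fields[8]
        if uri.lower().endswith(".aspx") and uri.lower() not in known and client in last_post:
            findings.append(Finding("webshell-candidate",
                                    f"{client} {method} {uri} after POST {last_post[client]}"))
        if method == "POST":
            last_post[client] = uri
    return findings


def hunt_process_events(events):
    """Flag rclone running under the TrendSecurity.exe name the report describes."""
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image == MASQUERADE_NAME and ev.get("OriginalFileName", "").lower() == RCLONE_ORIGINAL_NAME:
            findings.append(Finding("exfil-masquerade",
                                    f"{ev['Image']} is rclone (OriginalFileName={ev['OriginalFileName']})"))
    return findings


def hunt_file_events(events):
    """Flag encrypted files and ransom notes by the names in the report."""
    findings = []
    for ev in events:
        path = ev["TargetFilename"]
        name = path.rsplit("\\", 1)[-1]
        if name.lower().endswith(RANSOM_EXTENSION):
            findings.append(Finding("encryption", path))
        elif name == RANSOM_NOTE:
            findings.append(Finding("ransom-note", path))
    return findings


# Constructed sample telemetry (not real logs). 203.0.113.7 plays the attacker.
IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-20 03:14:05 10.0.0.5 GET /sites/hr/default.aspx - 443 - 198.51.100.20 Mozilla/5.0 200
2025-07-20 03:14:09 10.0.0.5 POST /_layouts/15/upload.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-20 03:14:12 10.0.0.5 GET /_layouts/15/ghost.aspx cmd=whoami 443 - 203.0.113.7 Mozilla/5.0 200
""".splitlines()
BASELINE_PAGES = ["/sites/hr/default.aspx", "/_layouts/15/upload.aspx"]  # known-good pages (assumed)

PROCESS_EVENTS = [
    {"Image": r"C:\ProgramData\TrendSecurity.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\ProgramData\TrendSecurity.exe copy D:\Finance remote:backup"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

FILE_EVENTS = [
    {"TargetFilename": r"D:\Finance\Q2.xlsx.x2anylock"},
    {"TargetFilename": r"D:\Finance\How to decrypt my data.txt"},
    {"TargetFilename": r"C:\Users\alice\report.docx"},
]


def run_hunt():
    """Run every hunt over the constructed samples and return all findings."""
    return (hunt_iis(IIS_LOG, BASELINE_PAGES)
            + hunt_process_events(PROCESS_EVENTS)
            + hunt_file_events(FILE_EVENTS))


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.category}] {f.detail}")
```

Against the samples the script reports one finding in each category: the GET to the unknown ghost.aspx page right after the attacker's POST, the rclone binary running as TrendSecurity.exe, one .x2anylock file and one ransom note. In production the baseline set would be built from a crawl of the farm's legitimate pages, and the file and process hunts would read Sysmon Event IDs 11 and 1 rather than inline dictionaries.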
Trend Micro researchers suggest Warlock may have ties to the Black Basta ransomware group. "While the connection remains unconfirmed, similarities in tactics, negotiation styles, and victimology hint at a possible offshoot or rebrand."
Technical analysis also revealed that Warlock's codebase appears derived from the leaked LockBit 3.0 builder, which was made public in 2022. In some incidents, researchers observed Storm-2603 operators deploying both LockBit Black and Warlock in the same attack chains.
Trend Micro emphasizes that this campaign underscores the dangers of delayed patching. The report stresses immediate patching of on-premises Microsoft SharePoint servers.
Trend Micro concludes, "The Warlock ransomware attack provides a case study in the speed and depth with which adversaries can compromise unpatched enterprise environments."