
Global Cyber Attack by Warlock Ransomware Spreading Through Exploit in SharePoint Tool

Trend Micro reports a complex chain delivering Warlock ransomware to unpatched on-premises SharePoint environments

Global Spread of Warlock Ransomware through exploitation of SharePoint ToolShell


By mid-2025, the Warlock ransomware had spread across continents, affecting organizations in North America, Europe, Asia, and Africa. The malware has hit a range of industries, causing widespread disruption.

The attackers behind Warlock maintain a stealthy command-and-control (C2) channel inside the compromised environment using a Cloudflare binary that has been renamed to evade detection, which lets them keep control over infected systems.

Microsoft reported on July 23 that a China-based actor, Storm-2603, was deploying Warlock ransomware on exploited on-premises SharePoint servers. That disclosure marked the ransomware's public emergence.

The ransomware operators have been found to target the Microsoft SharePoint ToolShell vulnerability extensively to reach victims worldwide. Once inside, the attackers first raise their privileges by creating a new Group Policy Object (GPO) within the domain.

Remote services such as Server Message Block (SMB) are used to copy payloads and tools between machines. The built-in "guest" account is enabled on a Windows machine and added to the local "administrators" group, giving a normally dormant account administrative rights and a ready-made way back in.

The ransomware forcibly terminates several legitimate processes and services to maximise disruption and remove potential recovery mechanisms. The Windows command shell is used to run script files and batch jobs.

Once in a network, the attackers also conduct extensive reconnaissance to plan lateral movement, including collecting network configuration and determining the current user and privilege context. Data exfiltration is carried out with RClone, a legitimate open-source file synchronization tool, renamed TrendSecurity.exe and placed in an inconspicuous directory to evade detection.
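The renaming described above (RClone running as TrendSecurity.exe, a Cloudflare binary under another name) defeats checks that key on the file name alone. As an added defender's check, not code from the article or from Trend Micro's report, the PowerShell below instead looks for the Go module path that rclone and the Cloudflare tunnel client cloudflared embed at build time, and flags any executable whose on-disk name does not match what it carries inside. The scan roots, the size cap and the assumption that the Cloudflare binary in question is cloudflared are this example's own choices.

```powershell
# Added example, not code from the article. Hunts for copies of rclone or
# cloudflared that have been renamed on disk (the report describes Rclone
# running as TrendSecurity.exe and a renamed Cloudflare binary used for C2).
# Scan roots, markers and the size cap are assumptions for this example.

$ScanRoots = @('C:\ProgramData', 'C:\Users\Public', 'C:\Windows\Temp', 'C:\Temp')
$MaxBytes  = 150MB   # skip very large files to keep the scan cheap

# Go embeds the main module path as a plain ASCII string, so it survives a
# rename even when the PE version resource is empty or stripped.
$Markers = @{
    'github.com/rclone/rclone'          = 'rclone'
    'github.com/cloudflare/cloudflared' = 'cloudflared'
}

function Get-EmbeddedToolName {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($marker in $Markers.Keys) {
        if ($text.Contains($marker)) { return $Markers[$marker] }
    }
    return $null
}

function Find-RenamedTool {
    param([string[]]$Roots = $ScanRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le $MaxBytes } |
            ForEach-Object {
                $tool = Get-EmbeddedToolName -Path $_.FullName
                # Report only when the embedded identity disagrees with the file name
                if ($tool -and $_.BaseName -notmatch $tool) {
                    [pscustomobject]@{
                        Path         = $_.FullName
                        OnDiskName   = $_.Name
                        EmbeddedTool = $tool
                        Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                        LastWrite    = $_.LastWriteTime
                    }
                }
            }
    }
}

Find-RenamedTool | Format-Table -AutoSize
```

Run it elevated so every directory under the scan roots is readable, and widen `$ScanRoots` to wherever low-privilege users can write on your builds. A hit is a lead, not a verdict: an administrator who legitimately renamed a copy of rclone will show up too, so check the SHA-256 against your approved-software inventory before acting.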

Researchers urge organizations to patch their on-premises SharePoint servers promptly and deploy layered detection capabilities to defend against Warlock. The ransomware itself appears to be a customized derivative of the leaked LockBit 3.0 builder.

Warlock affiliates chain a sequence of sophisticated post-exploitation techniques that end in data exfiltration and ransomware deployment. Using these techniques, the attackers rapidly gain code execution, escalate privileges, move laterally through the environment, and deliver disruptive ransomware at scale.

The first organization attacked by Warlock ransomware, on July 23, 2025, was Colt Telecom, a telecommunications company in Luxembourg. The group's victim list, based on its leak-site data, spans organizations from technology to critical infrastructure.

On August 20, Trend Micro reported that Warlock had quickly established itself in the cybercriminal landscape in the lead-up to the ToolShell exploits. Warlock made its public debut on the Russian-language RAMP forum in early June 2025, advertising itself to potential affiliates.

Warlock claimed credit for an August 2025 attack on UK telecoms firm Colt Technology Services. The attackers also enabled Remote Desktop Protocol (RDP) access by setting the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server to 0.
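The host-level changes the article attributes to the operators (the guest account enabled and placed in local Administrators, RDP switched on through fDenyTSConnections, a new GPO created in the domain) are all cheap to audit. The PowerShell below is an added example, not code from the article or from Trend Micro, that checks one Windows host for each of them and pulls the Security-log events that record the account changes; the registry path and value name are the ones given in the article, while the seven-day look-back window and the "suspicious" rule are this example's own assumptions.

```powershell
# Added example, not code from the article. Audits one Windows host for the
# access changes the article attributes to Warlock operators: guest account
# enabled and in local Administrators, RDP enabled via fDenyTSConnections = 0,
# and recently created or modified GPOs. The 7-day window and the
# "Suspicious" rule are assumptions for this example.

function Get-GuestAccountState {
    # The built-in guest account always has RID 501, so match on the SID
    # rather than the display name, which can be renamed.
    $guest  = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $inAdmins = [bool]($admins | Where-Object { $guest -and $_.SID -eq $guest.SID })
    [pscustomobject]@{
        Name             = $guest.Name
        Enabled          = [bool]$guest.Enabled
        InAdministrators = $inAdmins
        Suspicious       = ([bool]$guest.Enabled -or $inAdmins)
    }
}

function Get-RdpPolicyState {
    # Registry value named in the article; 0 means incoming RDP is allowed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $val = (Get-ItemProperty -Path $key -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{
        fDenyTSConnections = $val
        RdpEnabled         = ($val -eq 0)
    }
}

function Get-RecentGpo {
    param([int]$Days = 7)   # assumption: how far back to look
    # Needs the GroupPolicy RSAT module and domain rights; skip quietly otherwise.
    if (-not (Get-Module -ListAvailable -Name GroupPolicy)) { return @() }
    Import-Module GroupPolicy
    $since = (Get-Date).AddDays(-$Days)
    Get-GPO -All |
        Where-Object { $_.CreationTime -ge $since -or $_.ModificationTime -ge $since } |
        Select-Object DisplayName, CreationTime, ModificationTime, Owner
}

function Get-RecentAccountEvents {
    param([int]$Days = 7)
    # 4722 = user account enabled, 4732 = member added to a local group.
    # Both land in the Security log when account-management auditing is on.
    $filter = @{ LogName = 'Security'; Id = 4722, 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$guest = Get-GuestAccountState
$rdp   = Get-RdpPolicyState
Write-Host "Guest account: enabled=$($guest.Enabled) inAdministrators=$($guest.InAdministrators)"
Write-Host "RDP: fDenyTSConnections=$($rdp.fDenyTSConnections) enabled=$($rdp.RdpEnabled)"
if ($guest.Suspicious) { Write-Warning 'Guest account is enabled or holds local admin rights; compare with your baseline.' }
Get-RecentGpo | Format-Table -AutoSize
Get-RecentAccountEvents | Format-Table -AutoSize
```

RDP being enabled is not itself an indicator on hosts where it is expected, so the value of the check is the comparison with the host's documented baseline; the guest account, by contrast, should be disabled and outside Administrators on essentially every build, which makes that finding worth paging on. The event query only returns results if account-management auditing is enabled in the local or domain audit policy.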

In conclusion, Warlock ransomware poses a significant threat to organizations worldwide. Businesses should prioritize patching their on-premises SharePoint servers and putting robust detection capabilities in place to guard against it.
