
Global Attack of Warlock Ransomware Via SharePoint ToolShell Vulnerability Impacting Targets Worldwide

Unpatched SharePoint on-premises infrastructures targeted for Warlock ransomware deployment, identified by Trend Micro, reveal a complex post-intrusion attack sequence

Global Spread of Warlock Ransomware Using SharePoint ToolShell Vulnerability for Attacks


In a recent cybersecurity alert, Microsoft revealed that a China-based threat actor, tracked as Storm-2603, has been deploying the Warlock ransomware on exploited SharePoint on-premises servers. This news comes as the Warlock ransomware operators have been targeting the Microsoft SharePoint ToolShell vulnerability globally, causing significant disruption to industries worldwide.

The Warlock ransomware operators have been using a sequence of sophisticated post-exploitation techniques to deploy the ransomware and exfiltrate data. One such method involves the use of RClone, a legitimate open-source file synchronization tool, for data exfiltration.

Once inside a network, the attackers first establish higher privileges by creating a new Group Policy Object (GPO) within the domain. They then activate the built-in "guest" account on a Windows machine and modify its password, granting themselves administrative privileges.

The attackers also set up a stealthy command and control (C2) channel inside the compromised environment, using a Cloudflare binary that has been renamed to evade detection. This allows them to maintain control and issue commands to the infected systems.

To maximize system disruption and eliminate potential recovery mechanisms, the ransomware forcibly terminates several legitimate processes and services. Remote services such as Server Message Block (SMB) are used to copy payloads and tools across machines, aiding the lateral movement of the attackers within the network.

The Warlock ransomware deployment is enabled by copying the ransomware binary into public folders on multiple endpoints via ingress tool transfer. The threat actor conducts extensive reconnaissance within the victim environment to plan lateral movement and ensure the successful deployment of the ransomware.
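As an added illustration of how a defender might spot two of the steps described above (the Guest account being enabled and given a new password, and the renamed Cloudflare and RClone binaries), the following detection sketch is example code written for this article, not tooling from Trend Micro or Microsoft; it uses the standard Windows Security event IDs 4722 (account enabled) and 4724 (password reset) and Sysmon event ID 1 (process creation), and the sample events are constructed.

```python
"""Detection sketch for Warlock post-exploitation telemetry (illustrative)."""
import ntpath

# Constructed sample telemetry, not a real capture: Security events carry the
# target account name; Sysmon process-creation events carry the on-disk image
# path and the OriginalFileName from the PE version resource.
EVENTS = [
    {"source": "security", "id": 4722, "user": "Guest"},
    {"source": "security", "id": 4724, "user": "Guest"},
    {"source": "sysmon", "id": 1, "image": r"C:\Users\Public\svchost32.exe",
     "original_name": "cloudflared.exe"},
    {"source": "sysmon", "id": 1, "image": r"C:\Users\Public\rc.exe",
     "original_name": "rclone.exe"},
    {"source": "sysmon", "id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "original_name": "svchost.exe"},
]


def guest_account_tampered(events):
    """True when the built-in Guest account is enabled (4722) and then has its
    password reset (4724), the privilege step the article describes."""
    enabled = False
    for e in events:
        if e.get("source") != "security" or e.get("user", "").lower() != "guest":
            continue
        if e["id"] == 4722:
            enabled = True
        elif e["id"] == 4724 and enabled:
            return True
    return False


def renamed_tools(events, watch=("cloudflared.exe", "rclone.exe")):
    """Return (image, original_name) pairs for watched tools that run under a
    filename different from their PE OriginalFileName, i.e. renamed binaries."""
    hits = []
    for e in events:
        if e.get("source") != "sysmon" or e.get("id") != 1:
            continue
        original = e.get("original_name", "").lower()
        basename = ntpath.basename(e.get("image", "")).lower()
        if original in watch and basename != original:
            hits.append((e["image"], original))
    return hits


if __name__ == "__main__":
    print("guest tampered:", guest_account_tampered(EVENTS))
    print("renamed tools:", renamed_tools(EVENTS))
```

The OriginalFileName comparison is only as good as the PE metadata; an attacker who strips it leaves the Public-folder execution path and the 4722/4724 pair as the remaining signals.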

Warlock made its public debut on the Russian-language RAMP forum in early June 2025. Since then, the group has expanded its victim list rapidly, with organisations in North America, Europe, Asia, and Africa being affected. The attackers have been particularly successful in the telecommunications industry, with Warlock claiming credit for an August 2025 attack on UK telecoms firm Colt Technology Services.

Microsoft warned SharePoint customers on July 23 that attackers were actively targeting the ToolShell exploit chain. The Warlock ransomware is developed by a threat actor potentially linked to the Black Basta ransomware group, but no specific individual leader has been publicly identified. The group emerged in early 2025 and is known for exploiting Microsoft SharePoint vulnerabilities to conduct high-impact ransomware attacks globally.

As the Warlock ransomware continues to pose a significant threat, it is crucial for organisations to stay vigilant and implement robust cybersecurity measures to protect against these types of attacks. Microsoft has recommended that SharePoint customers apply the latest security updates and use multi-factor authentication to strengthen their defences.
