
Sectors Under Fire
At least 400 SharePoint servers (across over 148 organizations) have been compromised globally, including U.S. federal agencies such as the National Nuclear Security Administration, Department of Education, and Department of Health and Human Services.
Evolving TTPs: The SharePoint Attack Chain
- Exploitation of SharePoint zero-days – CVE-2025-49704 (RCE) and CVE-2025-49706 (spoofing), along with the public bypasses CVE-2025-53770 and CVE-2025-53771.
- ToolShell web shell deployment – attackers upload variants such as spinstall0.aspx and spinstall1.aspx, using the w3wp.exe process for code execution and stealing ASP.NET machine key material.
- Recon and privilege validation – commands such as whoami run via w3wp.exe.
- Defender disablement – services.exe used to change the registry and disable Microsoft Defender protections.
- Persistence – scheduled tasks and modification of the IIS configuration to launch disguised .NET assemblies.
- Credential theft and lateral movement – Mimikatz, LSASS scraping, PsExec, the Impacket toolkit, WMI.
- Mass ransomware deployment – Storm-2603 modifying GPOs to deploy Warlock across infected networks.
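The chain above is easiest to reason about as a set of behavioural stages that endpoint telemetry can be matched against. The Python below is an added example, not BlackFog's code or a description of its detection engine: it maps constructed process, file and registry records onto the stages the post names (w3wp.exe spawning a shell or whoami, a spinstall*.aspx write under a LAYOUTS folder, services.exe touching Defender policy keys, schtasks persistence, known lateral-movement tooling). The record schema, the sample LAYOUTS path and every sample event are assumptions made up for the example.

```python
"""Stage-match constructed endpoint telemetry against the ToolShell/Warlock chain.

Added example (not BlackFog code). The event dictionaries below are a
simplified, assumed schema loosely modelled on process-creation, file-write
and registry-set records; all sample values are constructed.
"""
from __future__ import annotations

import fnmatch
import ntpath
from collections import defaultdict

# Children an IIS worker process (w3wp.exe) has no business launching.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe"}
# Tooling the post names for credential theft and lateral movement.
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "mimikatz.exe", "wmic.exe"}
# Defender policy hive the post says services.exe is abused to modify.
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (r'C:\...\w3wp.exe' -> 'w3wp.exe')."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list[str]:
    """Return the attack-chain stage labels one telemetry record matches."""
    stages: list[str] = []
    kind = event["type"]

    if kind == "process":
        parent = _image_name(event["parent_image"])
        image = _image_name(event["image"])
        cmdline = event.get("command_line", "").lower()
        # Recon stage: the IIS worker itself running a shell or whoami.
        if parent == "w3wp.exe" and (image in SHELL_BINARIES or "whoami" in cmdline):
            stages.append("recon_via_w3wp")
        # Persistence stage: a new scheduled task being registered.
        if image == "schtasks.exe" and "/create" in cmdline:
            stages.append("persistence_scheduled_task")
        # Credential theft / lateral movement stage: known tool images.
        if image in LATERAL_TOOLS:
            stages.append("lateral_movement_tool")

    elif kind == "file":
        # Web shell stage: spinstall*.aspx dropped under a LAYOUTS directory.
        target = event["target"].lower()
        if "\\layouts\\" in target and fnmatch.fnmatch(_image_name(target), "spinstall*.aspx"):
            stages.append("webshell_write")

    elif kind == "registry":
        # Defender tamper stage: services.exe setting a Disable* policy value.
        key = event["key"].lower()
        if (_image_name(event["image"]) == "services.exe"
                and key.startswith(DEFENDER_POLICY_KEY)
                and event["value_name"].lower().startswith("disable")):
            stages.append("defender_tamper")

    return stages


def analyze(events: list[dict]) -> dict[str, list[str]]:
    """Group matching event ids by stage; an empty dict means nothing matched."""
    hits: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        for stage in classify(ev):
            hits[stage].append(ev["id"])
    return dict(hits)


# Constructed sample telemetry (assumed schema, assumed paths).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
LAYOUTS = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "parent_image": W3WP,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"id": "e2", "type": "file", "image": W3WP, "target": LAYOUTS + r"\spinstall0.aspx"},
    {"id": "e3", "type": "registry", "image": r"C:\Windows\System32\services.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender", "value_name": "DisableAntiSpyware"},
    {"id": "e4", "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "command_line": "schtasks /create /tn Updater"},
    # Benign: ASP.NET compiling a page is a normal child of w3wp.exe and must not alert.
    {"id": "e5", "type": "process", "parent_image": W3WP,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "command_line": "csc.exe /t:library"},
    {"id": "e6", "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\PsExec.exe", "command_line": "psexec.exe"},
]

if __name__ == "__main__":
    for stage, ids in sorted(analyze(SAMPLE_EVENTS).items()):
        print(f"{stage:28s} {', '.join(ids)}")
```

Each stage is matched on behaviour (which process did what to which object) rather than on a hash, which is the point the post makes about web shell and living-off-the-land detection: renaming spinstall0.aspx or recompiling the loader does not change the parent/child relationship or the registry key being written.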
How BlackFog Stops Warlock
Real-time protection for stealthy, cloud-based threats
Blocks Ransomware via SharePoint Attack Chain: Inspects and halts suspicious outbound uploads, even via trusted platforms like SharePoint, preventing data theft or ransomware staging.
Detects Living-off-the-Land and Fileless Techniques: Behavior-based AI identifies PowerShell, w3wp.exe misuse, web shell activity, and scheduled tasks, all key elements of the ToolShell delivery chain.
Disrupts Lateral Movement and Policy Abuse: Anomaly detection and IP/domain restrictions stop tools like PsExec, Impacket, or GPO-based ransomware deployment before execution.
Tamper‑Resistant + Non‑Signature Detection: Blocks advanced persistence using IIS modifications, .NET assemblies, and stealth credential tools without relying solely on signatures.
BlackFog vs Warlock Ransomware
| Threat Vector | Warlock / Storm-2603 Tactic | BlackFog Countermeasure |
|---|---|---|
| Initial Access | Exploiting SharePoint | Real-time detection of web shell uploads, endpoint filtering |
| Web Shell & | spinstall0.aspx, scheduled tasks, IIS modifications | Behavioral monitoring, process isolation |
| Defender Evasion | services.exe manipulates registry to disable Defender | Tamper detection and Defender restoration alerts |
| Recon & Credential Theft | whoami, LSASS scraping via Mimikatz | Memory protection, anomaly detection, credential exfil prevention |
| Lateral Movement | PsExec, Impacket, WMI; GPO-based ransomware deployment | Blocking lateral tools, GPO |
| Ransomware Deployment | Mass deployment of Warlock payload across domain via GPO | Policy enforcement, real-time execution blocking |
Urgent Actions Recommended by Microsoft & CISA
Microsoft and CISA advise organizations with internet-facing on-prem SharePoint servers to:
- Apply cumulative security updates for SharePoint 2016, 2019, and Subscription Edition (addressing CVE-2025-49706, 49704, 53770, 53771)
- Enable AMSI (Full Mode) and deploy Defender Antivirus + Defender for Endpoint
- Rotate ASP.NET machine keys and restart IIS on all servers
- Operate under the assumption of compromise, and activate incident response plans immediately
Why BlackFog?
In a cyber landscape increasingly shaped by human-operated threats, organizations need more than reactive alerts: they need 24/7 real-time prevention. BlackFog delivers exactly that.
With its unique anti data exfiltration (ADX) technology, AI-based behavioral threat detection, and dynamic blocking capabilities, BlackFog helps organizations prevent breaches by ensuring unauthorized data never leaves the network.
For organizations with lean internal teams, BlackFog's vCISO services provide expert leadership, streamlined incident response, and compliance-ready reporting, all tailored to the demands of the organization's specific industry.
Ready to Learn More?
Visit blackfog.com or contact us at sa***@******og.com