
Sectors Under Fire
At least 400 SharePoint servers across more than 148 organizations have been compromised globally, including U.S. federal agencies such as the National Nuclear Security Administration, the Department of Education, and the Department of Health and Human Services.
Evolving TTPs: The SharePoint Attack Chain
- Exploitation of SharePoint zero‑days – CVE‑2025‑49704 (RCE) and CVE‑2025‑49706 (spoofing), along with public bypasses CVE‑2025‑53770/53771.
- ToolShell web shell deployment – attackers upload variants like spinstall0.aspx and spinstall1.aspx, using the w3wp.exe process for code execution and stealing ASP.NET machine key material.
- Recon and privilege validation – commands like whoami via w3wp.exe.
- Defender disablement – services.exe used to change the registry and disable Microsoft Defender protections.
- Persistence – scheduled tasks and modification of IIS configuration to launch disguised .NET assemblies.
- Credential theft and lateral movement – Mimikatz, LSASS scraping, PsExec, Impacket toolkit, WMI.
- Mass ransomware deployment – modifying GPOs to deploy Warlock across infected networks via Storm‑2603.
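A triage pass over the first three stages of the chain above, as an added example (not BlackFog's or Microsoft's code). It assumes Sysmon-style events (IDs 1, 11 and 13) already parsed into dictionaries; the host names, paths and registry value name in the sample are constructed.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Names from the page: spinstall0.aspx, spinstall1.aspx. Matching any numeric
# suffix is an assumption of this example.
WEBSHELL_RE = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)
# whoami.exe is from the page; cmd.exe and powershell.exe are assumed extras.
SUSPECT_CHILDREN = {"whoami.exe", "cmd.exe", "powershell.exe"}
# The page names no registry path; the standard Defender key name is assumed.
DEFENDER_KEY = "\\microsoft\\windows defender"

def classify(event):
    """Return the attack-chain stage an event matches, or None."""
    eid = event.get("EventID")
    image = basename(event.get("Image", "")).lower()
    if eid == 11 and WEBSHELL_RE.match(basename(event.get("TargetFilename", ""))):
        return "webshell_drop"
    if eid == 1 and image in SUSPECT_CHILDREN:
        if basename(event.get("ParentImage", "")).lower() == "w3wp.exe":
            return "iis_worker_child"
    if eid == 13 and image == "services.exe":
        if DEFENDER_KEY in event.get("TargetObject", "").lower():
            return "defender_tamper"
    return None

def triage(events):
    """Collect matched stages per host, in event order."""
    hits = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.setdefault(ev.get("Computer", "unknown"), []).append(stage)
    return hits

# Constructed sample events (hosts, paths and value name are made up).
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "SP01",
     "TargetFilename": r"C:\example\LAYOUTS\spinstall0.aspx"},
    {"EventID": 1, "Computer": "SP01", "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 13, "Computer": "SP01", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ExampleValue"},
    # Benign: normal page write, and whoami run from an admin console.
    {"EventID": 11, "Computer": "SP02",
     "TargetFilename": r"C:\example\LAYOUTS\default.aspx"},
    {"EventID": 1, "Computer": "SP02", "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```

A host that shows all three stages in sequence, as SP01 does in the sample, warrants isolation and machine key rotation rather than a single-alert review.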
How BlackFog Stops Warlock
Real-time protection for stealthy, cloud-based threats
Blocks Ransomware via SharePoint Attack Chain: Inspects and halts suspicious outbound uploads, even via trusted platforms like SharePoint, preventing data theft or ransomware staging.
Detects Living‑off‑the‑Land and Fileless Techniques: Behavior‑based AI identifies PowerShell, w3wp.exe misuse, web shell activity, and scheduled tasks, all key elements of the ToolShell delivery chain.
Disrupts Lateral Movement and Policy Abuse: Anomaly detection and IP/domain restrictions stop tools like PsExec, Impacket, or GPO-based ransomware deployment before execution.
Tamper‑Resistant + Non‑Signature Detection: Blocks advanced persistence using IIS modifications, .NET assemblies, and stealth credential tools without relying solely on signatures.
BlackFog vs Warlock Ransomware
| Threat Vector | Warlock / Storm-2603 Tactic | BlackFog Countermeasure |
| --- | --- | --- |
| Initial Access | Exploiting SharePoint | Real-time detection of web shell uploads, endpoint filtering |
| Web Shell & | spinstall0.aspx, scheduled tasks, IIS modifications | Behavioral monitoring, process isolation |
| Defender Evasion | services.exe manipulates registry to disable Defender | Tamper detection and Defender restoration alerts |
| Recon & Credential Theft | whoami, LSASS scraping via Mimikatz | Memory protection, anomaly detection, credential exfil prevention |
| Lateral Movement | PsExec, Impacket, WMI; GPO-based ransomware deployment | Blocking lateral tools, GPO |
| Ransomware Deployment | Mass deployment of Warlock payload across domain via GPO | Policy enforcement, real-time execution blocking |
Urgent Actions Recommended by Microsoft & CISA
Microsoft and CISA advise organizations with internet-facing on-prem SharePoint servers to:
- Apply cumulative security updates for SharePoint 2016, 2019, and Subscription Edition (addressing CVE‑2025‑49706, 49704, 53770, 53771)
- Enable AMSI (Full‑Mode) and deploy Defender Antivirus + Defender for Endpoint
- Rotate ASP.NET machine keys & restart IIS on all servers
- Operate under the assumption of compromise, and activate incident response plans immediately
Why BlackFog?
In a cyber landscape increasingly shaped by human-operated threats, organizations need more than reactive alerts; they need 24/7 real-time prevention. BlackFog delivers exactly that.
With its unique anti data exfiltration (ADX) technology, AI-based behavioral threat detection, and dynamic blocking capabilities, BlackFog helps organizations prevent breaches by ensuring unauthorized data never leaves the network.
For organizations with lean internal teams, BlackFog’s vCISO services provide expert leadership, streamlined incident response, and compliance-ready reporting, all tailored to the demands of that specific industry.
Ready to Learn More?
Visit blackfog.com or contact us at sales@blackfog.com