
Sectors Under Fire
At least 400 SharePoint servers (across over 148 organizations) have been compromised globally, including U.S. federal agencies such as the National Nuclear Security Administration, Department of Education, and Department of Health and Human Services.
Evolving TTPs: The SharePoint Attack Chain
- Exploitation of SharePoint zero-days – CVE-2025-49704 (RCE) and CVE-2025-49706 (spoofing), together with the publicly exploited patch bypasses CVE-2025-53770 and CVE-2025-53771.
- ToolShell web shell deployment – attackers upload variants such as spinstall0.aspx and spinstall1.aspx, execute code through the w3wp.exe worker process, and steal ASP.NET machine key material.
- Recon and privilege validation – commands such as whoami spawned from w3wp.exe.
- Defender disablement – services.exe is used to change registry settings and disable Microsoft Defender protections.
- Persistence – scheduled tasks and modified IIS configuration that launches disguised .NET assemblies.
- Credential theft and lateral movement – Mimikatz, LSASS scraping, PsExec, the Impacket toolkit, and WMI.
- Mass ransomware deployment – Storm-2603 modifies GPOs to push Warlock across the compromised network.
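The chain above maps onto a handful of host telemetry patterns. The script below is an added example (not BlackFog's or Microsoft's code) that scores telemetry records against those patterns: w3wp.exe spawning a shell or whoami, a spinstall*.aspx file landing in the SharePoint LAYOUTS directory, services.exe writing under the Defender policy registry key, and scheduled task creation. Field names follow Sysmon (Event ID 1 ProcessCreate, 11 FileCreate, 13 RegistrySet). The LAYOUTS directory, the DisableAntiSpyware value name and the helper names are assumptions; the sample records at the bottom are constructed for the demo, not captured from a real host.

```powershell
# Added example, not code from BlackFog or Microsoft. Scores telemetry records
# against the ToolShell chain. Field names follow Sysmon (Event ID 1 ProcessCreate,
# 11 FileCreate, 13 RegistrySet). The LAYOUTS directory and the DisableAntiSpyware
# value name are assumptions; the sample records are constructed, not captured.

function New-Finding([string]$Severity, [string]$Rule, [string]$Evidence) {
    [pscustomobject]@{ Severity = $Severity; Rule = $Rule; Evidence = $Evidence }
}

function Find-ToolShellActivity {
    param([Parameter(Mandatory)] [object[]] $Events)

    # Children the SharePoint worker process has no business spawning.
    $shellChildren  = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'whoami.exe', 'net.exe', 'net1.exe')
    $defenderPolicy = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'

    foreach ($e in $Events) {
        $image  = if ($e.Image)       { [IO.Path]::GetFileName($e.Image).ToLowerInvariant() }       else { '' }
        $parent = if ($e.ParentImage) { [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant() } else { '' }

        switch ($e.EventType) {
            'ProcessCreate' {
                # Recon and execution: w3wp.exe spawning a shell or whoami.
                if ($parent -eq 'w3wp.exe' -and $shellChildren -contains $image) {
                    New-Finding 'High' 'w3wp.exe spawned a shell or recon binary' $e.CommandLine
                }
                # Persistence: scheduled task creation on a SharePoint server.
                if ($image -eq 'schtasks.exe' -and $e.CommandLine -match '(?i)/create') {
                    New-Finding 'Medium' 'Scheduled task created' $e.CommandLine
                }
            }
            'FileCreate' {
                # Web shell drop: spinstall<N>.aspx written into the LAYOUTS directory (path assumed).
                if ($e.TargetFilename -match '(?i)\\LAYOUTS\\spinstall\d*\.aspx$') {
                    New-Finding 'Critical' 'ToolShell web shell written to LAYOUTS' $e.TargetFilename
                }
            }
            'RegistrySet' {
                # Defense evasion: services.exe writing under the Defender policy key.
                if ($image -eq 'services.exe' -and $e.TargetObject -like "$defenderPolicy\*") {
                    New-Finding 'High' 'services.exe modified Defender policy' "$($e.TargetObject) = $($e.Details)"
                }
            }
        }
    }
}

# Constructed sample records. In production, feed the same function with parsed
# output of Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'.
$sample = @(
    [pscustomobject]@{ EventType = 'FileCreate'; Image = 'C:\Windows\System32\inetsrv\w3wp.exe'; TargetFilename = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx' }
    [pscustomobject]@{ EventType = 'ProcessCreate'; ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ EventType = 'ProcessCreate'; ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; Image = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; CommandLine = 'csc.exe /noconfig /fullpaths' }
    [pscustomobject]@{ EventType = 'RegistrySet'; Image = 'C:\Windows\System32\services.exe'; TargetObject = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'; Details = 'DWORD (0x00000001)' }
    [pscustomobject]@{ EventType = 'ProcessCreate'; ParentImage = 'C:\Windows\System32\cmd.exe'; Image = 'C:\Windows\System32\schtasks.exe'; CommandLine = 'schtasks /create /tn Updater /tr C:\ProgramData\u.exe /sc minute /mo 5' }
)

Find-ToolShellActivity -Events $sample | Format-Table -AutoSize
```

The third sample record is deliberately benign: w3wp.exe legitimately spawns the C# compiler (csc.exe) when ASP.NET compiles a page, so a rule that alerts on every child of w3wp.exe would drown the signal. The rule keys on the specific children the attack chain uses instead. Findings are emitted as objects so they can be piped to Export-Csv or a SIEM forwarder rather than read off the console.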
How BlackFog Stops Warlock
Real-time protection for stealthy, cloud-based threats
Blocks Ransomware Delivered via the SharePoint Attack Chain: Inspects and halts suspicious outbound uploads, even via trusted platforms like SharePoint, preventing data theft or ransomware staging.
Detects Living-off-the-Land and Fileless Techniques: Behavior-based AI identifies PowerShell, w3wp.exe misuse, web shell activity, and scheduled tasks, all key elements of the ToolShell delivery chain.
Disrupts Lateral Movement and Policy Abuse: Anomaly detection and IP/domain restrictions stop tools like PsExec and Impacket, and GPO-based ransomware deployment, before execution.
Tamper-Resistant, Non-Signature Detection: Blocks advanced persistence using IIS modifications, .NET assemblies, and stealth credential tools without relying solely on signatures.
BlackFog vs Warlock Ransomware
Threat Vector | Warlock / Storm-2603 Tactic | BlackFog Countermeasure
Initial Access | Exploiting SharePoint zero-days | Real-time detection of web shell uploads, endpoint filtering
Web Shell & Persistence | spinstall0.aspx, scheduled tasks, IIS modifications | Behavioral monitoring, process isolation
Defender Evasion | services.exe manipulates registry to disable Defender | Tamper detection and Defender restoration alerts
Recon & Credential Theft | whoami, LSASS scraping via Mimikatz | Memory protection, anomaly detection, credential exfil prevention
Lateral Movement | PsExec, Impacket, WMI; GPO-based ransomware deployment | Blocking lateral-movement tools and GPO-based deployment
Ransomware Deployment | Mass deployment of Warlock payload across domain via GPO | Policy enforcement, real-time execution blocking
Urgent Actions Recommended by Microsoft & CISA
Microsoft and CISA advise organizations with internet-facing on-prem SharePoint servers to:
- Apply cumulative security updates for SharePoint 2016, 2019, and Subscription Edition (addressing CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771)
- Enable AMSI integration in Full Mode and deploy Defender Antivirus plus Defender for Endpoint
- Rotate ASP.NET machine keys and restart IIS on all servers
- Operate under the assumption of compromise, and activate incident response plans immediately
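The key rotation step matters because the machine key stolen in the ToolShell stage lets an attacker keep signing their own payloads after the patch is installed. The script below is an added example (not BlackFog's, Microsoft's, or CISA's code) that carries out the post-patch steps on one SharePoint server: hunt for the spinstall*.aspx artefacts, confirm Defender has not been switched off through the policy registry key, rotate the machine key for every web application, and restart IIS. Cmdlet names (Update-SPMachineKey, Get-SPWebApplication, Get-SPServer, Get-MpComputerStatus) are from Microsoft's SharePoint and Defender documentation, not from this page; the LAYOUTS path and the Defender policy value names are assumptions. Run it in the SharePoint Management Shell as a farm administrator, after the security update is installed, and repeat the IIS restart on every server in the farm.

```powershell
# Added example, not code from BlackFog, Microsoft, or CISA. Post-patch
# response steps for one on-prem SharePoint server. Cmdlet names come from
# Microsoft's SharePoint and Defender documentation; the LAYOUTS path and the
# Defender policy value names are assumptions.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# 1. Hunt for the web shell names used in the attack chain (spinstall*.aspx).
#    The LAYOUTS directory of the SharePoint 16 hive is an assumption.
$layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$shells  = Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue
if ($shells) {
    Write-Warning 'Web shell artefacts present; treat this server as compromised and start IR.'
    $shells | Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc | Format-Table -AutoSize
}

# 2. Check whether Defender was disabled through the policy key (value names assumed)
#    and report the live engine state.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
foreach ($name in 'DisableAntiSpyware', 'DisableRealtimeMonitoring') {
    if ($policy -and $policy.$name -eq 1) {
        Write-Warning "Defender policy value $name=1 is set; remove it and re-enable protection."
    }
}
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected, AMRunningMode

# 3. Rotate the ASP.NET machine key of every web application, Central Administration included.
#    Stolen validation/decryption keys let an attacker sign their own ViewState payloads,
#    so patching alone does not evict them.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# 4. Restart IIS so worker processes load the new keys. Rotation is farm-wide,
#    but the restart must be run on each server listed here.
Write-Host 'Farm servers that also need an IIS restart:'
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object -ExpandProperty Address
iisreset.exe
```

The hunt in step 1 is intentionally narrow: it catches the named artefacts, not every possible web shell. An empty result does not clear the server, which is why the guidance says to assume compromise and run the incident response plan regardless.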
Why BlackFog?
In a cyber landscape increasingly shaped by human-operated threats, organizations need more than reactive alerts: they need 24/7 real-time prevention. BlackFog delivers exactly that.
With its anti data exfiltration (ADX) technology, AI-based behavioral threat detection, and dynamic blocking capabilities, BlackFog helps organizations prevent breaches by ensuring unauthorized data never leaves the network.
For organizations with lean internal teams, BlackFog’s vCISO services provide expert leadership, streamlined incident response, and compliance-ready reporting, all tailored to the demands of that specific industry.
Ready to Learn More?
Visit blackfog.com or contact us at sales@blackfog.com