Global Warlock Ransomware Spreads via SharePoint Exploit

Summary
– Warlock ransomware operators exploited the Microsoft SharePoint ToolShell vulnerability to target unpatched organizations globally.
– The group rapidly evolved from its debut in June 2025 to attack organizations across multiple continents and industries, including critical infrastructure.
– Attackers used sophisticated post-exploitation techniques to escalate privileges, move laterally, deploy ransomware, and exfiltrate data.
– Warlock ransomware is a customized derivative of the leaked LockBit 3.0 builder and forcibly terminates processes to maximize disruption.
– Researchers urge organizations to promptly patch on-premises SharePoint servers and deploy layered detection capabilities.
A sophisticated global ransomware campaign known as Warlock is actively exploiting a critical Microsoft SharePoint vulnerability, enabling attackers to rapidly compromise networks, escalate privileges, and deploy file-encrypting malware across a wide range of industries. Security researchers at Trend Micro have documented the group’s aggressive tactics, which leverage unpatched on-premises servers to inflict widespread disruption.
The group’s operations gained momentum following the emergence of the ToolShell vulnerability, a flaw in SharePoint that permits unauthorized remote code execution. Microsoft had previously alerted customers about active attacks targeting this exploit chain. By mid-2025, Warlock’s reach expanded dramatically, with victims spanning North America, Europe, Asia, and Africa. Sectors including technology, telecommunications, and critical infrastructure have all been impacted.
Warlock first appeared on cybercrime forums in early June 2025, promoting its services with flashy promises of high earnings to potential affiliates. In a short time, the group evolved from a newcomer into a significant global threat. One notable attack attributed to the group targeted Colt Technology Services, a major UK telecom provider, in August 2025.
The attack methodology is both systematic and stealthy. After initial access through the SharePoint flaw, attackers move quickly to establish persistence and broaden their control. They create a new Group Policy Object, reactivate and modify the built-in guest account to grant administrative privileges, and establish disguised command-and-control channels, sometimes using renamed legitimate tools like Cloudflare binaries to avoid suspicion.
Extensive reconnaissance follows, with the actors mapping network configurations, user privileges, and system details to plan lateral movement. Using remote services like SMB, they distribute malicious payloads across machines. They also enable Remote Desktop Protocol (RDP) access to maintain remote control.
The final stage involves deploying the ransomware binary across multiple endpoints, often using public folders for distribution. The malware then encrypts files and drops a ransom note titled “How to decrypt my data.txt.” To increase disruption, it forcibly terminates processes and services that could aid recovery.
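As an added illustration of how a defender could correlate the post-exploitation steps described above (this is not code from the article or from Trend Micro), the following Python triage runs over Windows Security events using the standard event IDs 4722, 4732, 5137 and 4663; the sample records and the domain SID prefix are constructed, not real indicators.

```python
"""Triage Windows Security events for the Warlock post-exploitation steps described above.
Added example, not the article's or Trend Micro's code; event IDs and well-known SIDs are
standard Windows values, the sample records are constructed."""
from dataclasses import dataclass, field

GUEST_RID = "501"                  # well-known RID of the built-in Guest account
LOCAL_ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
RANSOM_NOTE = "How to decrypt my data.txt"  # note file name reported in the article

@dataclass
class Event:
    event_id: int
    fields: dict = field(default_factory=dict)

def guest_account_enabled(ev: Event) -> bool:
    # 4722 = "A user account was enabled"; the Guest account's SID ends in RID 501
    return ev.event_id == 4722 and ev.fields.get("TargetSid", "").endswith("-" + GUEST_RID)

def guest_added_to_admins(ev: Event) -> bool:
    # 4732 = "A member was added to a security-enabled local group"
    return (ev.event_id == 4732 and ev.fields.get("TargetSid") == LOCAL_ADMINS_SID
            and ev.fields.get("MemberSid", "").endswith("-" + GUEST_RID))

def gpo_created(ev: Event) -> bool:
    # 5137 = "A directory service object was created"; a GPO is a groupPolicyContainer
    return ev.event_id == 5137 and ev.fields.get("ObjectClass") == "groupPolicyContainer"

def ransom_note_written(ev: Event) -> bool:
    # 4663 = object access (needs file-system auditing enabled); match the note's file name
    return ev.event_id == 4663 and ev.fields.get("ObjectName", "").endswith("\\" + RANSOM_NOTE)

CHECKS = {"guest_enabled": guest_account_enabled, "guest_is_admin": guest_added_to_admins,
          "new_gpo": gpo_created, "ransom_note": ransom_note_written}

def triage(events):
    """Return the names of the checks that fired, in the order the events were seen."""
    return [name for ev in events for name, check in CHECKS.items() if check(ev)]

# Constructed sample events; the domain SID prefix is a placeholder, not a real indicator
DOMAIN = "S-1-5-21-111-222-333"
SAMPLE = [
    Event(4722, {"TargetSid": DOMAIN + "-501"}),
    Event(4732, {"TargetSid": LOCAL_ADMINS_SID, "MemberSid": DOMAIN + "-501"}),
    Event(5137, {"ObjectClass": "groupPolicyContainer"}),
    Event(4663, {"ObjectName": "C:\\Users\\Public\\How to decrypt my data.txt"}),
    Event(4624, {"TargetUserName": "alice"}),  # ordinary logon, must not fire
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # → ['guest_enabled', 'guest_is_admin', 'new_gpo', 'ransom_note']
```

Any one of these checks firing on its own is noisy; the signal is several of them landing on the same host within a short window, which is how the chain in the article unfolds.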
Warlock’s ransomware appears to be based on a modified version of the leaked LockBit 3.0 builder. For data theft, the group uses RClone, a legitimate file-syncing tool, sometimes disguising the executable to blend into the environment.
Security experts strongly recommend that organizations apply available patches for on-premises SharePoint servers without delay. Implementing layered security defenses, including endpoint detection and network monitoring, is also critical to mitigating this advanced and rapidly spreading threat.
(Source: Info Security)