Warlock ransomware is exploiting Microsoft SharePoint vulnerabilities to infiltrate enterprise environments. Attackers gain initial access by uploading web shells through targeted HTTP POST requests, then escalate privileges via Group Policy abuse and compromised accounts. They conduct reconnaissance, steal credentials using tools like Mimikatz, and move laterally with Windows administrative shares and remote services. To disable defenses, they deploy custom malware such as KillAV, which terminates security processes, before encrypting files with the .x2anylock extension and exfiltrating sensitive data using RClone disguised as legitimate software. Active since mid-2025, Warlock has impacted organizations worldwide across industries including government, technology, finance, and critical infrastructure.
Type
Campaign
Actors
Warlock operator
Pub. date
August 20, 2025
Initial access
1-day vulnerability
Impact
RansomOp
Observed techniques
Vulnerability exploitationWebshell deployment
Observed tools
Warlock ransomwareMimikatz
Targeted technologies
SharePoint
References
https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html
Status
Finalized
Last edited
Aug 21, 2025 12:59 PM