Emerging Threat Actor: Warlock Ransomware


The Warlock ransomware operation first emerged in June 2025, following an advertisement on a Russian cybercrime forum titled “if you want a Lamborghini, please call me,” and quickly evolved into a notable ransomware-as-a-service (RaaS) operation.

The group operates via a closed, affiliate-style model, though public visibility into its internal structure is limited. Warlock activity has been tied to the China-based actor tracked as Storm-2603, which has deployed the ransomware in at least 11 confirmed incidents since mid-July 2025.

While Warlock has no confirmed lineage to earlier ransomware brands, its technical behavior and data extortion strategies bear similarities to legacy operations such as Black Basta. Warlock even claimed responsibility for attacks previously attributed to Black Basta, including incidents involving Arch-Con Corporation and Lactanet.

Initial access is gained through exploitation of Microsoft SharePoint zero-day vulnerabilities, specifically CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771, collectively referred to as the ToolShell exploit chain.

Once inside, attackers deploy the spinstall0.aspx web shell, along with variants such as spinstall1.aspx and spinstall2.aspx. This shell is hosted within the w3wp.exe process and is used to extract ASP.NET MachineKey material, maintain access, and stage the ransomware payload.
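As an added illustration that is not part of the original report, the Python sketch below shows how a defender might hunt for the two artifacts described above: requests for spinstall*.aspx in IIS W3C logs, and the w3wp.exe worker process spawning a command shell in process-creation telemetry. All log lines, paths, IP addresses and events are constructed samples, and the field names follow Sysmon-style naming as an assumption.

```python
import re
from typing import Iterable

# Web shell file names named in the report: spinstall0.aspx and numbered variants.
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

# Child images an IIS worker process has no routine reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed IIS W3C log sample (not real incident data). 203.0.113.7 is a documentation address.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 02:11:04 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.20 Mozilla/5.0 200
2025-07-19 02:11:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-19 02:11:15 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2025-07-19 02:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 bob 10.0.0.21 Mozilla/5.0 200
"""

# Constructed process-creation events; csc.exe is a normal child of w3wp.exe (ASP.NET compilation).
PROC_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "CommandLine": "csc.exe /noconfig"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

def flag_webshell_requests(lines: Iterable[str]) -> list[dict]:
    """Parse W3C IIS log lines and return requests whose URI stem names a spinstall web shell."""
    hits, fields = [], None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):          # column layout is declared in the log header
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):            # skip malformed rows rather than mis-align columns
            continue
        rec = dict(zip(fields, parts))
        if WEBSHELL_RE.search(rec["cs-uri-stem"]):
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec["c-ip"],
                         "uri": rec["cs-uri-stem"], "status": rec["sc-status"]})
    return hits

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def flag_w3wp_children(events: Iterable[dict]) -> list[dict]:
    """Return process-creation events where w3wp.exe spawned a shell it should not launch."""
    return [e for e in events
            if basename(e["ParentImage"]) == "w3wp.exe" and basename(e["Image"]) in SUSPICIOUS_CHILDREN]

if __name__ == "__main__":
    for hit in flag_webshell_requests(IIS_LOG.splitlines()):
        print("web shell request:", hit)
    for ev in flag_w3wp_children(PROC_EVENTS):
        print("w3wp.exe child:", ev["CommandLine"])
```

In production the same two checks would run over the live IIS log directory and an EDR or Sysmon event feed; a hit on either is a strong signal to pull the MachineKey and rotate it, since the shell is used to extract that material.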

The attack chain includes credential theft using Mimikatz to extract secrets from LSASS memory, lateral movement with PsExec and Impacket, and deployment of the Warlock payload via Group Policy Object (GPO) modifications.  

Persistence mechanisms involve scheduled tasks and abuse of Internet Information Services (IIS) components including suspicious .NET assemblies. Registry modifications are used to disable endpoint protections like Microsoft Defender.

Although encryption details such as the use of AES or RSA have not yet been disclosed, Warlock employs modern double-extortion tactics. Limited encryption is used to maximize disruption speed, while exfiltrated data is published on leak sites to coerce payment.

Public reporting has not yet detailed whether the group aggressively targets recovery mechanisms such as shadow copies or backup agents, though the extortion-driven model and enterprise-scale intrusions strongly suggest they are part of the attack flow.

As of late July 2025, Warlock has claimed responsibility for 19 victims across sectors including government, finance, manufacturing, technology, and consumer goods. The group claimed at least 16 attacks in its first month, with nearly half targeting government entities.  

No ransom payment structures or affiliate revenue shares have been confirmed, but broader industry data suggests government-related ransomware incidents in 2025 carried an average demand of $2.4 million. It is likely that Warlock customizes its ransom pricing based on the victim profile.

The timeline of activity shows rapid escalation: from forum promotion in early June, to deployment of ToolShell exploits in mid-July, to wide-scale targeting by late July. Microsoft, Eye Security, and Check Point reported that Warlock and Storm-2603 compromised over 400 SharePoint servers across 148 organizations within weeks of the first wave of attacks.

Warlock represents a fast-maturing ransomware operation distinguished by its reliance on high-impact zero-day exploits, data theft, and stealthy web shell deployment. Though attribution centers on the Storm-2603 actor, broader motivations and sponsor affiliations remain unconfirmed.  

The group has already demonstrated the ability to disrupt high-profile and well-defended targets with precision, making it one of the most closely watched ransomware threats of 2025.


Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.


