SharePoint Zero-Days Exploited to Unleash Warlock Ransomware


Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Ransomware

145 Organizations Compromised by China-Linked Ransomware Hackers and Others

Image: Shutterstock/ISMG

Attackers infected hundreds of on-premises SharePoint servers by exploiting the zero-day vulnerabilities now tracked as ToolShell, in some cases leading to attacks by the Warlock ransomware operation.


Dutch cybersecurity firm Eye Security first spotted the attacks late on July 18. They targeted two flaws in on-premises SharePoint software that are now tracked as CVE-2025-53770 and CVE-2025-53771 and are collectively known as ToolShell.

Based on six days of internet scans – from July 18 until Wednesday – Eye Security said it counted 27,000 on-premises SharePoint servers. It confirmed that at least 396 of those servers – across 145 unique organizations in 41 countries – were compromised.

“From the data, it’s clear this wasn’t a random or opportunistic campaign,” said Lodi Hensen, vice president of security operations at Eye Security. “The attackers knew exactly what they were looking for.”

Microsoft said the vulnerabilities have been exploited by known cyberespionage, intellectual property theft and ransomware groups (see: Microsoft Traces On-Premises SharePoint Exploits to China).

Microsoft said three different China-linked attackers targeted the exploit chain before it released patches. Two are nation-state groups: Linen Typhoon, aka APT27 and Emissary Panda, which focuses on stealing intellectual property, and Violet Typhoon, aka APT31 and Judgment Panda, which conducts cyberespionage. The third is a “China-based actor” Microsoft tracks as Storm-2603.

Microsoft’s security research group found that Storm-2603 exploited ToolShell, then infected targets with Warlock ransomware. Researchers said they’ve seen Storm-2603 deploy both Warlock and LockBit ransomware in previous attacks.

Warlock is a relatively new group, which appears to be run as a ransomware-as-a-service operation. Whether the Storm-2603 cluster of activity traces to the group’s owners and operators, or to a business affiliate that leases the ransomware in exchange for giving the operators a cut of every ransom paid, isn’t clear.

Allan Liska, a threat intelligence analyst at Recorded Future, said the first signs of Warlock date from June 10. Specifically, he pointed to a message posted by the group to the Russian-language cybercrime forum RAMP with the subject line “If you want a Lamborghini, please contact me.”

Threat intelligence firm Kela’s Cyber Intelligence Center told Information Security Media Group that Warlock on June 10 posted 10 identified victims to its data-leak site, as well as nine unidentified victims, “with most linked to sectors such as professional services, manufacturing and government/public services.”

Whether these victims were legitimate, and how many unlisted victims might have already paid a ransom, wasn’t clear. Ransomware groups regularly lie or misstate the identity of their victims, and typically omit the names of victims who paid quickly (see: Ransomware Groups’ Data Leak Blogs Lie: Stop Trusting Them).

Warlock’s Tor data-leak site went offline by June 18, although the group has since stood up a negotiation portal and launched another new .onion data-leak blog, titled “Warlock Leaked Data Show,” that looks like the old one, Kela said.

Hack the Planet

Microsoft moved quickly once the attacks came to light. It released its first security alert about ToolShell on July 19. The company released patches for SharePoint Server Subscription Edition and 2019 on July 20, followed by a patch for SharePoint Server 2016 on July 21, alongside updated customer guidance for mitigating the vulnerabilities across all affected products.

Eye Security data shows that a plurality of affected organizations, 18% of the total, was in the United States, followed by Mauritius with 8%, Germany with 7%, and France, Spain, the Netherlands and the United Kingdom each accounting for 3% to 5%.

Overall, attackers hit government agencies the hardest, accounting for 30% of known victims, followed by the education sector at 13%, software-as-a-service providers at 9% and telecommunications and power grid operators at 4% each.

Victims include the U.S. Department of Energy, among them its semi-autonomous National Nuclear Security Administration, which designs and maintains the country’s nuclear weapons. The government said the hack didn’t appear to expose sensitive or classified data (see: US Nuclear Agency Breach Tied to SharePoint Zero-Days).

Security researchers released proof-of-concept exploit code by July 21, which nation-state groups and cybercrime outfits may now have adopted.

Even after Microsoft pushed patches, Eye Security said infections rose, suggesting that organizations either hadn’t installed the patch or had installed it without also following the mitigation advice detailed by Microsoft. That advice is mandatory because the patch alone does not evict an attacker who already gained access: Microsoft’s guidance also calls for rotating the servers’ ASP.NET machine keys and restarting IIS, since an attacker who has already obtained the keys can otherwise keep using them after the update is applied.
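The following is an added example, not code from the article, Eye Security or Microsoft: a post-patch checklist for an on-premises SharePoint farm, run from the SharePoint Management Shell as a farm administrator. It records the farm build for comparison with the patched build numbers in Microsoft’s advisory, rotates the ASP.NET machine keys for every web application, and restarts IIS. The cmdlet names follow Microsoft’s published July 2025 customer guidance for CVE-2025-53770; the exact cmdlets available differ by SharePoint version (SharePoint 2016 exposes key rotation through the Central Administration timer job rather than Update-SPMachineKey), so confirm them against the documentation for your edition before running this.

```powershell
# Added example (not from the article): post-patch steps for an on-premises
# SharePoint farm after applying the ToolShell (CVE-2025-53770/-53771) updates.
# Run in the SharePoint Management Shell as a farm administrator, on each
# SharePoint server in the farm. Cmdlet names follow Microsoft's July 2025
# customer guidance; verify them for your SharePoint version first.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so it can be compared with the patched build number
#    Microsoft lists for your edition (Subscription Edition, 2019 or 2016).
#    If the build is older than the advisory's number, stop and patch first.
$build = (Get-SPFarm).BuildVersion
Write-Host "Farm build version: $build  (compare with Microsoft's advisory)"

# 2. Rotate the ASP.NET machine keys for every web application, including
#    Central Administration. Patching does not invalidate keys an attacker
#    already stole; rotation does, which is why Microsoft calls it mandatory.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so the rotated keys take effect. Repeat steps 2 and 3 on every
#    SharePoint server in the farm, not just the one you patched first.
iisreset.exe
```

Rotating the keys after patching closes the window the article describes: a server that was compromised before the update, but only patched afterwards, stays open to whoever holds the old keys until they are replaced and the worker processes are restarted.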

As of Wednesday, which was about 48 to 72 hours after Microsoft released patches, the Shadowserver Foundation, which scans the internet looking for malicious activity, reported still seeing at least 424 on-premises SharePoint servers vulnerable to CVE-2025-53770 and CVE-2025-53771.
