{"id":2330,"date":"2026-01-29T17:01:15","date_gmt":"2026-01-29T16:01:15","guid":{"rendered":"https:\/\/showcase-preprod.neverhack.dev\/b\/?p=2330"},"modified":"2026-02-13T10:39:13","modified_gmt":"2026-02-13T09:39:13","slug":"ransomware-warlock-a-global-cyber-threat-exploiting-sharepoint","status":"publish","type":"post","link":"https:\/\/neverhack.com\/b\/en\/blog\/ransomware-warlock-a-global-cyber-threat-exploiting-sharepoint\/","title":{"rendered":"Ransomware warlock: a global cyber threat exploiting SharePoint"},"content":{"rendered":"\n


Discovered in June 2025, Warlock<\/strong> is a particularly aggressive ransomware operation based on double extortion<\/strong>: victims\u2019 data is first exfiltrated and then encrypted, with the threat of publication on the Dark Web.
The group operates its own leak site, known as a Leaked Data Show (DLS)<\/strong>, where data from organizations that refuse to pay is publicly exposed.<\/p>\n\n\n\n

An entry point: sharePoint vulnerabilities<\/h2>\n\n\n\n

Initial access relies on the ToolShell vulnerability chain<\/strong> affecting Microsoft SharePoint on-premise.
Attackers deploy a webshell, most commonly spinstall0.asp<\/strong>, via targeted HTTP POST requests.
Once the infrastructure is compromised, they copy their tools into and create a Group Policy Object (GPO)<\/strong> to ensure persistence.
Microsoft has linked these operations to several China-based threat groups<\/strong>, notably Storm-2603<\/strong>, previously observed using LockBit, as well as Linen Typhoon (APT27)<\/strong> and Violet Typhoon (APT31)<\/strong>.<\/p>\n\n\n\n

The warlock attack chain<\/h2>\n\n\n\n

After intrusion, the malicious script enables the Windows Guest<\/strong> account, changes its password, and grants it administrator privileges<\/strong>.

The attackers then conduct a reconnaissance phase, inventorying the network, domain controllers, installed applications, and available file shares.

Next comes defense neutralization<\/strong>: tools such as vmtools.exe<\/strong> (Trojan.Win64.KILLLAV.I) are downloaded, the googleApiUtil64.sys<\/strong> driver is installed to remove security solutions, and firewall rules are modified.

For data exfiltration, Warlock uses RClone<\/strong>, often renamed (e.g., TrendSecurity.exe<\/em>), to transfer data to anonymous storage services such as Proton Drive<\/strong>.

Persistence is reinforced through GPOs, scheduled tasks, and the installation of Cloudflare.exe<\/strong>, which establishes an encrypted tunnel to command-and-control servers.
Credentials are stolen using Mimikatz<\/strong>, followed by lateral movement with PsExec<\/strong> or Impacket<\/strong>. Registry keys are also modified to disable Network Level Authentication (NLA)<\/strong>, further weakening security.<\/p>\n\n\n\n

Encryption and extortion<\/h2>\n\n\n\n

The ransomware payload, derived from the LockBit 3.0 builder<\/strong>, is then deployed across the entire network. Files are encrypted and given the extensions .x2anylock<\/strong> or .xlockxlock<\/strong>, along with a ransom note titled How to decrypt my data.txt<\/em>.

The note contains a .onion link<\/strong> and a Tox ID<\/strong> to initiate ransom negotiations.
Even fully patched SharePoint environments<\/strong> have been compromised via a Veeam Backup vulnerability (CVE-2023-27532)<\/strong>, demonstrating the group\u2019s adaptability.<\/p>\n\n\n\n

High-profile victims<\/h2>\n\n\n\n

Warlock already claims dozens of victim organizations across the telecommunications, finance, industrial, and public sectors<\/strong>.

Attacks against Colt Technology Services<\/strong> and especially Orange<\/strong> received widespread media coverage, with sample datasets publicly advertised for sale. This marks the fourth cyberattack <\/a>suffered by Orange in 2025<\/strong>.

Overall, more than 400 organizations<\/strong> are believed to have been compromised via ToolShell, and the list of victims continues to grow.<\/p>\n\n\n\n

Cybersecurity recommendations<\/h2>\n\n\n\n