Precision Blitzkrieg
Warlock ransomware (aka Storm 2603, Warlock Dark Army, GOLD SALEM, FIN11, TA505, Dungeon Spider, UNC902) emerged in the wild in March 2025 and has since published dozens of victims, ramping up quickly and successfully in the world of ransomware eCrime. Note that attribution is complicated: several of these names collide with previously tracked actors, while Warlock itself is clearly a new RaaS and threat payload.
Victims
Victims are diverse, big and small, largely spread across the Americas and Europe, following the money. Just over $2.4M in estimated extortion demands are documented from the data leak site and open-source intelligence in the first six months of probable operation.
Targeted RaaS Operations
Dark web communications reveal that in June 2025 the group actively sought exploits for enterprise applications such as SharePoint and Veeam on the Russian-language Anonymous Market Place (RAMP) forum, alongside engagement with identity access brokers (IAB). This behavior is consistent with two possible motives: direct intrusion and exploitation by the group itself, or support for clients of a Ransomware-as-a-Service (RaaS) operation. The group is known to operate as a RaaS.
Exploitation & Payloads
Exploitation related to Warlock ransomware to date includes, but is not limited to, the following vulnerabilities and initial payloads:
- CVE-2025-49704 (SharePoint RCE)
- CVE-2025-49706 (SharePoint Post-auth RCE)
- CVE-2025-53770 (SharePoint ToolShell Auth Bypass and RCE)
- CVE-2025-53771 (SharePoint ToolShell Path Traversal)
- spinstall0.aspx
- Cmd.exe
- W3wp.exe
- wsocks.exe.txt (actually an executable)
The Bring Your Own Vulnerable Driver (BYOVD) technique is used early in the kill chain to bypass endpoint security (a Baidu Antivirus driver renamed to googleApiUtil64.sys). Once the EDR is terminated, Defender is disabled by abusing services.exe to modify the Windows registry. With security services disabled, Warlock schedules tasks for persistence and then lands and expands for maximum impact.
Whoami, Mimikatz (LSASS credential theft), PsExec and Impacket are used for lateral movement, with Group Policy Objects (GPO) leveraged to deploy the ransomware across the network. Living off the Land (LotL) tactics are also reported in open-source intelligence, including abuse of the Velociraptor DFIR tool to tunnel through a network.
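The chain described above (web shell activity under the SharePoint worker process, a renamed vulnerable driver, Defender disabled through the registry, and scheduled-task persistence) lends itself to simple behavioural detections. The following is an added example written for this page, not code from the article or from any vendor: it scans Sysmon-style events for those four behaviours. All sample events, the signer string and the signer-to-filename hint mapping are constructed for illustration; w3wp.exe, schtasks.exe, services.exe and the WinDefend service key (Start value 4 means disabled) are real Windows components.

```python
"""Behavioural detections for the Warlock-style kill chain (added example).

Events are dicts in a Sysmon-like shape. Only the fields the rules need are
present. Event IDs: 1 = process create, 6 = driver load, 13 = registry set.
"""
from __future__ import annotations

import ntpath  # Windows path handling regardless of host OS

# Constructed sample telemetry (not real events from any incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\googleApiUtil64.sys",
     "Signature": "Baidu Antivirus Driver Signer [constructed]",
     "Signed": "true"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks /create /tn "Updater" /tr C:\\Windows\\Temp\\run.bat /sc onstart'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

WEB_WORKERS = {"w3wp.exe"}                 # IIS / SharePoint worker process
SHELLS = {"cmd.exe", "powershell.exe"}     # interactive shells a web shell spawns
# Constructed heuristic: keyword expected in the signer string -> token expected
# in the driver's file name. A signed vendor driver loaded under an unrelated
# name is the renamed-driver pattern the article describes.
SIGNER_FILENAME_HINTS = {"baidu": "bd"}


def check_driver(event: dict) -> str | None:
    """Flag driver loads whose file name does not fit the signer, or from Temp."""
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    signer = event.get("Signature", "").lower()
    for keyword, token in SIGNER_FILENAME_HINTS.items():
        if keyword in signer and token not in name:
            return "renamed_driver_load"
    if "\\temp\\" in path.lower():
        return "driver_loaded_from_temp"
    return None


def classify(event: dict) -> str | None:
    """Return a detection tag for one event, or None if nothing matched."""
    eid = event.get("EventID")
    if eid == 1:
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        image = ntpath.basename(event.get("Image", "")).lower()
        cmdline = event.get("CommandLine", "").lower()
        if parent in WEB_WORKERS and image in SHELLS:
            return "webshell_child_process"
        if image == "schtasks.exe" and "/create" in cmdline:
            return "scheduled_task_persistence"
    elif eid == 6:
        return check_driver(event)
    elif eid == 13:
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "")
        # Start = 4 (SERVICE_DISABLED) written to the Defender service key.
        if target.endswith(r"\services\windefend\start") and details.endswith("(0x00000004)"):
            return "defender_service_disabled"
    return None


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify() over a batch and return (index, tag) for every hit."""
    findings = []
    for idx, event in enumerate(events):
        tag = classify(event)
        if tag:
            findings.append((idx, tag))
    return findings


if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

Each rule is deliberately narrow so that the false-positive sources are easy to reason about: w3wp.exe spawning a shell is rare on a healthy SharePoint server, a service key flipped to Start=4 by services.exe is normally an administrator action that can be allow-listed by change window, and the driver rule should be fed the signer strings your own telemetry actually records rather than the constructed one here.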
Ransomware Note
A copy of a Warlock ransomware note, from ransomware.live, is below:
We are [Warlock Group], a professional hack organization. We regret to inform you that your systems have been successfully infiltrated by us, and your critical data, including sensitive files, databases, and customer information, has been encrypted. Additionally, we have securely backed up portions of your data to ensure the quality of our services.
====>What Happened?
Your systems have been locked using our advanced encryption technology. You are currently unable to access critical files or continue normal business operations. We possess the decryption key and have backed up your data to ensure its safety.
====>If You Choose to Pay:
Swift Recovery: We will provide the decryption key and detailed guidance to restore all your data within hours.
Data Deletion: We guarantee the permanent deletion of any backed-up data in our possession after payment, protecting your privacy.
Professional Support: Our technical team will assist you throughout the recovery process to ensure your systems are fully restored.
Confidentiality: After the transaction, we will maintain strict confidentiality regarding this incident, ensuring no information is disclosed.
====>If You Refuse to Pay:
Permanent Data Loss: Encrypted files will remain inaccessible, leading to business disruptions and potential financial losses.
Data Exposure: The sensitive data we have backed up may be publicly released or sold to third parties, severely damaging your reputation and customer trust.
Ongoing Attacks: Your systems may face further attacks, causing even greater harm.
====>How to Contact Us?
Please reach out through the following secure channels for further instructions (When contacting us, please provide your decrypt ID):
###Contact 1:
Your decrypt ID: [snip]
Dark Web Link: xxp://zfytizegsze6uiswodhbaalyy5rawaytv2nzyzdkt3susbewviqqh7yd[.]onion/touchus.html
Your Chat Key: [snip]
You can visit our website and log in with your chat key to contact us. Please note that this website is a dark web website and needs to be accessed using the Tor browser. You can visit the Tor Browser official website (https://www.torproject.org/) to download and install the Tor browser, and then visit our website.
###Contact 2:
If you don’t get a reply for a long time, you can also download qtox and add our ID to contact us.
Download: hxxps://qtox.github[.]io/
Warlock qTox ID: 84490152E99B9EC4BCFE16080AFCFD6FDCD87512027E85DB318F7B3440982637FC2847F71685
Our team is available 24/7 to provide professional and courteous assistance throughout the payment and recovery process.
We don’t need a lot of money; it’s very easy for you. You can earn money even if you lose it, but your data, reputation, and public image are irreversible, so contacting us as soon as possible and preparing to pay is the first priority. Please contact us as soon as possible to avoid further consequences.
Antivirus Aliases
Antivirus products detect Warlock ransomware under the following aliases and related variations:
- Troj/Webshel-F
- Troj/Warlock-B
- SONAR.SuspBeh!gen616
- SONAR.SuspBeh!gen625
- SONAR.SuspTempRun
- Ransom.CryptoTorLocker
- Heur.AdvML.B
- Heur.AdvML
Data Leak Site (DLS)
Victim postings to the data leak site (a TOR/.onion site) are published in batches, ranging from days to weeks after compromise. Victims are given a countdown date for ransomware payment, typically about two weeks, affording time for victims to figure out how to pay if they are not ready (most are not ready to pay out). Many of the earliest victims are in government and telecommunications. Other primary sectors include agriculture and food production, consumer services, and financial services. Early in the campaign the top countries impacted are the US, Japan, Turkey, Poland, and Canada.
Attribution
Microsoft has moderate confidence that Warlock is a China-based threat actor, with no links to other Chinese actors. The actors clearly engaged a Russian-language actor on the RAMP forum in June 2025 as part of their initial enablement, acquiring targeting information and attack technologies for verticals of interest, which contributed to their success. SharePoint targeting and exploitation is one of the keys to success for this emergent ransomware family, with extensive MITRE ATT&CK documentation and countermeasures in place by Microsoft.
Summary
Warlock reveals an improvement in the maturity of tactics and strategy by malicious actors. The tools are mature, but so are the strategy, focus, and plans for how they target and attack with high-impact zero-day exploits, data theft, and web shell deployment. Attacks are swift and stealthy, and deadly to mature organizations that expect their tools to provide visibility; that visibility is subverted through targeted zero-day attacks, driver vulnerability abuse, living off the land tactics and more, maximizing success in a rapid land-and-expand attack. Precision blitzkrieg ransomware attacks are the new TTPs of groups like Warlock in 2025 and going forward.