
A newly aggressive ransomware group, Warlock, is exploiting a critical Microsoft SharePoint vulnerability dubbed ToolShell to compromise organizations worldwide, according to a report by Trend Micro.
Trend Micro researchers revealed that the attackers leveraged authentication and deserialization flaws within SharePoint ToolShell to gain unauthorized access and deploy ransomware payloads.
“By exploiting SharePoint’s authentication and deserialization flaws, attackers were able to rapidly gain code execution capabilities, escalate privileges, move laterally within the system, and deliver disruptive ransomware at scale,” researchers said in the report.
The campaign primarily targets organizations with unpatched servers, exploiting weak patch management practices.
Attackers initiate the intrusion by scanning for exposed SharePoint instances, then exploit the vulnerability for initial access, execute PowerShell-based payloads, escalate privileges, exfiltrate sensitive data, and deploy ransomware. This multi-stage attack chain allows them to disrupt operations and extort victims.
Rapid Rise of Warlock
Warlock surfaced publicly in June 2025 on the Russian-language RAMP forum, promoting its ransomware-as-a-service operations with a bold message: “If you want a Lamborghini, please contact me.”
Within weeks, the group escalated its campaigns, targeting unpatched SharePoint servers across North America, Europe, Asia, and Africa.
On July 23, Microsoft confirmed that a China-based threat actor, tracked as Storm-2603, was distributing Warlock ransomware through exploited on-premises SharePoint servers.
This disclosure came days after the company warned customers of active exploitation chains linked to the ToolShell vulnerability.
Mitigation and Response
“To defend against Warlock ransomware and similar threats, organizations should promptly patch their on-premises SharePoint servers,” Trend Micro researchers advise.
“Organizations should actively monitor suspicious account activity or policy changes, restrict access to administrative shares, and promptly flag abnormal script or command executions. They should also detect and respond to attempts to disable security tools, block unauthorized service or driver installations, and identify signs of lateral movement, credential dumping, or unexpected RDP configuration changes,” researchers added.
“Continuous monitoring for protocol tunneling, command-and-control activity, and data exfiltration through renamed or disguised tools is essential.”
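A detection pass over constructed process-creation events, as an added example that is not from the Trend Micro report: it flags the IIS worker process that hosts SharePoint (w3wp.exe) spawning a script host, Windows Defender being disabled through Set-MpPreference, RDP being enabled via the fDenyTSConnections registry value, and a binary whose on-disk name differs from its PE OriginalFileName (a renamed tool). The event records, field names and rule names are assumptions made for the demonstration.

```python
import re
from collections import namedtuple

# One process-creation record as an EDR or Sysmon would log it (field names assumed).
Event = namedtuple("Event", "parent image cmdline original_name")

# Constructed sample events for the demo; none come from the report.
SAMPLE_EVENTS = [
    Event("w3wp.exe", "powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgA", "PowerShell.EXE"),
    Event("cmd.exe", "powershell.exe",
          "powershell Set-MpPreference -DisableRealtimeMonitoring $true", "PowerShell.EXE"),
    Event("cmd.exe", "reg.exe",
          r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
          r'/v fDenyTSConnections /t REG_DWORD /d 0 /f', "reg.exe"),
    Event("explorer.exe", "svchost.exe",
          "svchost.exe -L 0.0.0.0:3389", "tunnelclient.exe"),   # renamed tunneling tool (constructed)
    Event("services.exe", "svchost.exe", "svchost.exe -k netsvcs", "svchost.exe"),  # benign
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SHAREPOINT_WORKER = "w3wp.exe"  # IIS worker process that runs SharePoint web applications

# Each rule maps a name to a predicate over one event.
RULES = [
    ("sharepoint_worker_spawns_shell",
     lambda e: e.parent.lower() == SHAREPOINT_WORKER and e.image.lower() in SCRIPT_HOSTS),
    ("defender_tampering",
     lambda e: re.search(r"Set-MpPreference\s+-Disable\w+", e.cmdline, re.I) is not None),
    ("rdp_enabled_via_registry",
     lambda e: re.search(r"fDenyTSConnections.*?/d\s+0\b", e.cmdline, re.I) is not None),
    ("renamed_binary",
     lambda e: e.original_name.lower() != e.image.lower()),
]


def detect(events):
    """Return (event index, rule name) pairs; one event may trip several rules."""
    hits = []
    for idx, event in enumerate(events):
        for name, predicate in RULES:
            if predicate(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"[{name}] {e.parent} -> {e.image}: {e.cmdline}")
```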