Warlock ransomware attacks are rapidly increasing across multiple industries. The group has exploited unpatched Microsoft SharePoint servers to breach organisations worldwide. By combining data theft with file encryption, Warlock demonstrates the evolving danger of ransomware-as-a-service.
Warlock’s Attack Methods
Warlock, also known as Gold Salem or Storm-2603, appeared in 2025. The group operates a ransomware-as-a-service model and recruits affiliates through dark web forums. Attackers infiltrate networks using unpatched SharePoint vulnerabilities, including the ToolShell exploit chain. Once inside, they harvest credentials, deploy web shells, and move laterally using tools like PsExec and Impacket. After stealing sensitive data, they encrypt files and demand ransom, often attaching extensions such as “.x2anylock” to compromised files. Victims face added pressure through data leak sites.
Recent Victims and Sectors Targeted
Warlock has targeted telecommunications, government, finance, manufacturing, technology, and consumer services. High-profile victims include Colt Technology Services and Orange Belgium, both of which reported major data breaches. The group claims over 60 victims in 2025 across North America, Europe, South America, Asia, and Africa. Smaller companies face as much risk as large corporations, making this campaign unusually widespread.
Why Attacks Are Surging
Several factors explain the sharp increase in Warlock activity. Many organisations still run unpatched SharePoint servers despite Microsoft’s security updates. Affiliates use legitimate administrative tools that blend with normal network traffic, helping them evade detection. Warlock also benefits from quick adoption of zero-day vulnerabilities, allowing affiliates to strike before security teams respond. Finally, double extortion models continue to generate high profits, fuelling further campaigns.
Defence Strategies for Organisations
Organisations using Microsoft SharePoint must act quickly to reduce risk. Effective steps include:
- Patch all known SharePoint vulnerabilities without delay.
- Deploy endpoint detection and monitoring to block web shells and lateral movement.
- Enforce strict access controls and segment networks.
- Maintain secure, offline backups and test restore procedures frequently.
- Monitor threat intelligence sources for mentions of company data.
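As an added example that is not from the article, a small Python sweep a defender could run on a SharePoint host to surface two of the indicators described above: recently written ASP.NET script files (a common web-shell artefact) and files carrying the ".x2anylock" extension. The directory layout, file names and the one-day recency window are constructed assumptions.

```python
import os
import time
import tempfile
from pathlib import Path

# The extension the article attributes to Warlock, plus the ASP.NET script
# types a web shell on a SharePoint server is typically written as.
RANSOM_EXTENSION = ".x2anylock"
WEB_SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def sweep(root, recent_seconds=86400, now=None):
    """Walk `root` and return findings in two buckets.

    'encrypted'          - files renamed with the ransomware extension
    'suspicious_scripts' - ASP.NET script files modified within `recent_seconds`
                           (legitimate SharePoint pages only change during
                           patching, so a fresh .aspx deserves a look)
    """
    now = time.time() if now is None else now
    findings = {"encrypted": [], "suspicious_scripts": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == RANSOM_EXTENSION:
            findings["encrypted"].append(str(path))
        elif suffix in WEB_SHELL_EXTENSIONS and now - path.stat().st_mtime < recent_seconds:
            findings["suspicious_scripts"].append(str(path))
    return findings


def build_sample_tree():
    """Constructed stand-in for a SharePoint web root (assumed layout)."""
    root = Path(tempfile.mkdtemp(prefix="sp_demo_"))
    layouts = root / "TEMPLATE" / "LAYOUTS"
    layouts.mkdir(parents=True)
    old = layouts / "settings.aspx"            # legitimate, last touched a week ago
    old.write_text("<!-- legitimate page -->")
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))
    (layouts / "new.aspx").write_text("<!-- constructed: freshly dropped file -->")
    docs = root / "Shared Documents"
    docs.mkdir()
    (docs / "budget.xlsx.x2anylock").write_bytes(b"\x00" * 16)  # constructed
    (docs / "readme.txt").write_text("untouched")
    return root


if __name__ == "__main__":
    for category, hits in sweep(build_sample_tree()).items():
        print(category, hits)
```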
Conclusion
The surge in Warlock ransomware activity highlights the urgency of securing collaboration platforms like SharePoint. Threat actors continue to exploit gaps faster than many organisations can respond. Companies that fail to patch quickly expose themselves to operational damage, reputational loss, and regulatory fines. For investors, the trend underlines the importance of evaluating cybersecurity maturity when assessing business risk. For decision-makers, the path is clear: implement layered defences, monitor continuously, and prepare for inevitable attempts by groups like Warlock.