Velociraptor leveraged in ransomware attacks
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Ransomware operators are using Velociraptor, an open-source digital forensics tool, in their attacks. The activity is attributed to Storm-2603, a China-based threat actor. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi VMs and Windows servers. They installed an outdated version of Velociraptor vulnerable to privilege escalation. The actors modified Active Directory GPOs to impair defenses, deployed a fileless PowerShell encryption script, and exfiltrated data. The campaign involved creating admin accounts, accessing VMware vSphere, and using Smbexec for remote program execution. Mitigation recommendations include following ransomware safeguards and patching ToolShell vulnerabilities.
OPENCTI LABELS :
ransomware,windows,lockbit,privilege-escalation,data-exfiltration,babuk,vmware,warlock,cve-2025-6264,velociraptor
AI COMMENTARY :
1. Introduction to Velociraptor Exploitation
Velociraptor has gained prominence as an open-source digital forensics and incident response platform, prized for its ability to collect detailed endpoint data across Windows environments and virtual infrastructures. Threat actors have now recognized the same capabilities that defenders value and repurposed them for malicious activity. The recent campaign attributed to Storm-2603 demonstrates how adversaries can leverage legitimate tools to evade detection, escalate privileges, and carry out ransomware operations at scale.
2. Unveiling the Storm-2603 Campaign
Security analysts tracing the intrusion chain identified Storm-2603, a China-based threat actor, deploying an outdated version of Velociraptor prone to privilege-escalation vulnerabilities, specifically CVE-2025-6264. By exploiting this flaw, the attackers obtained SYSTEM-level access on compromised hosts. From there, they manipulated Active Directory Group Policy Objects to weaken defense mechanisms and ensure persistent control over both Windows servers and VMware ESXi hypervisors.
3. Ransomware Variants and Victimology
Once elevated privileges were secured, Storm-2603 operators introduced a trio of ransomware strains (Warlock, LockBit, and Babuk) to encrypt critical assets. They targeted VMware ESXi virtual machines, effectively halting multiple tenant virtual servers in a single strike, and then moved laterally to Windows file servers. The combined use of these ransomware families illustrates the threat actor's versatility and their intent to maximize operational impact.
4. Tactics for Stealth and Data Exfiltration
The adversaries employed a fileless PowerShell encryption script to evade traditional antivirus and endpoint detection tools. To facilitate remote execution without dropping additional binaries, they used Smbexec against domain-joined systems. In parallel, Storm-2603 created clandestine administrative accounts and accessed VMware vSphere interfaces to extract virtual machine snapshots and configuration files. Data-exfiltration pipelines were built to siphon sensitive information before encryption, ensuring maximum leverage for extortion.
5. Impact on Virtualized and Windows Environments
The campaign's dual focus on VMware and Windows platforms highlights a growing trend in ransomware operations: targeting virtualization layers to multiply damage. Organizations running ESXi clusters experienced prolonged downtime across dozens of virtual machines, while Windows servers lost critical business data. The attackers' use of privilege escalation, GPO manipulation, and fileless techniques underscores the importance of layered defenses and behavioral monitoring.
6. Mitigation Strategies and Defense Recommendations
Organizations should prioritize patching the CVE-2025-6264 vulnerability in Velociraptor and any associated ToolShell components. Ransomware safeguards such as network segmentation, the principle of least privilege, and regular backup verification remain essential. Harden Active Directory by auditing Group Policy changes and removing obsolete administrative accounts. Deploy endpoint detection rules tuned to PowerShell abuse and monitor for anomalous Smbexec usage. Finally, consider implementing strict access controls around VMware vSphere management interfaces to prevent unauthorized snapshot retrieval and virtual machine manipulation.
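Two of the monitoring points recommended above (anomalous Smbexec usage and Group Policy changes) can be expressed as simple detection logic over Windows event data. The following Python sketch is an added example, not code from the report or from OpenCTI. The sample events are constructed; the marker substrings are the well-known defaults that Impacket's smbexec writes into the service it installs (System event 7045), and the `GPO_ADMINS` allowlist is an assumed placeholder that an organization would replace with its actual GPO-administration accounts. GPO edits are picked up from Security event 5136 (directory service object modified) on `groupPolicyContainer` objects, which requires the "Audit Directory Service Changes" subcategory to be enabled on domain controllers.

```python
"""Detect Smbexec-style service installs and Group Policy Object edits.

Added example for the report above; events below are constructed, not real telemetry.
"""
from typing import Callable, Dict, List, Optional

# Default artefacts of Impacket's smbexec: a temporary service whose ImagePath runs
# cmd.exe and redirects output into an ADMIN$/C$ share path. Operators can rename
# these, so a match is a strong signal rather than proof; a miss is not a clean bill.
SMBEXEC_MARKERS = (
    r"\\127.0.0.1\c$\__output",
    r"\\127.0.0.1\admin$\__output",
    r"%temp%\execute.bat",
    "%comspec% /q /c echo ",
)

# Security event IDs for directory object modified / created / deleted.
GPO_EVENT_IDS = {"5136", "5137", "5141"}

# Assumed allowlist of accounts permitted to edit GPOs (placeholder values).
GPO_ADMINS = {"gpo-admin-alice", "gpo-admin-bob"}

# Constructed sample events, in the flattened shape a SIEM would normalise them to.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # System 7045: service install whose command shape matches smbexec defaults.
        "EventID": "7045", "Computer": "FS01", "ServiceName": "BTOBTO",
        "ImagePath": r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 "
                     r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat "
                     r"& del %TEMP%\execute.bat",
    },
    {   # System 7045: benign agent install, should not alert.
        "EventID": "7045", "Computer": "FS01", "ServiceName": "BackupAgent",
        "ImagePath": r"C:\Program Files\Vendor\agent.exe",
    },
    {   # Security 5136: a GPO edited by an account outside the allowlist.
        "EventID": "5136", "Computer": "DC01", "SubjectUserName": "svc_helpdesk",
        "ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,"
                    "CN=System,DC=corp,DC=local",  # Default Domain Policy GUID
        "AttributeLDAPDisplayName": "versionNumber",
    },
    {   # Security 5136: routine user attribute change, not a GPO, should not alert.
        "EventID": "5136", "Computer": "DC01", "SubjectUserName": "svc_helpdesk",
        "ObjectClass": "user", "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=local",
        "AttributeLDAPDisplayName": "telephoneNumber",
    },
]


def detect_smbexec(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag a 7045 service install whose ImagePath carries smbexec default markers."""
    if event.get("EventID") != "7045":
        return None
    path = event.get("ImagePath", "").lower()
    hits = [m for m in SMBEXEC_MARKERS if m in path]
    if not hits:
        return None
    return {
        "rule": "smbexec_service_install",
        "severity": "high",
        "host": event.get("Computer", ""),
        "service": event.get("ServiceName", ""),
        "evidence": hits,
    }


def detect_gpo_change(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag directory-change events on GPO objects; escalate if the actor is not a GPO admin."""
    if event.get("EventID") not in GPO_EVENT_IDS:
        return None
    if event.get("ObjectClass") != "groupPolicyContainer":
        return None
    actor = event.get("SubjectUserName", "")
    return {
        "rule": "gpo_object_changed",
        "severity": "medium" if actor in GPO_ADMINS else "high",
        "host": event.get("Computer", ""),
        "actor": actor,
        "object": event.get("ObjectDN", ""),
        "attribute": event.get("AttributeLDAPDisplayName", ""),
    }


RULES: List[Callable[[Dict[str, str]], Optional[Dict[str, object]]]] = [
    detect_smbexec,
    detect_gpo_change,
]


def run_detections(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over every event and collect the alerts in event order."""
    alerts: List[Dict[str, object]] = []
    for event in events:
        for rule in RULES:
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Running the module on the constructed events yields two alerts: the smbexec-shaped service install on FS01 and the high-severity GPO edit on DC01 by an account outside the allowlist; the benign service install and the user attribute change produce nothing. In production the same rules would read 7045 from the System log and 5136/5137/5141 from the Security log, and the GPO rule should also be paired with SYSVOL file-change auditing, since the report describes GPO manipulation as the mechanism used to impair defenses.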