
Velociraptor leveraged in ransomware attacks

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

A ransomware attack involving the use of Velociraptor, an open-source digital forensics tool, has been linked to the threat actor Storm-2603. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt virtual machines and servers. They exploited a vulnerability in an outdated version of Velociraptor for privilege escalation and persistence. The campaign involved disabling security measures, modifying Group Policy Objects, and using PowerShell scripts for encryption and data exfiltration. The attack bears similarities to Storm-2603's tactics, including the use of multiple ransomware variants and specific techniques like manipulating IIS components and GPOs. The incident highlights the growing trend of threat actors utilizing commercial and open-source tools in their operations.

OPENCTI LABELS :

ransomware,lockbit,data-exfiltration,cve-2025-6264,velociraptor,open-source-tools


AI COMMENTARY :

1. Security analysts have identified a sophisticated campaign in which Storm-2603 leveraged Velociraptor, an open-source digital forensics tool, as the cornerstone of a high-impact ransomware operation. The campaign demonstrates how threat actors can repurpose legitimate open-source tools to blend into normal administrative activity while preparing for encryption and data theft.

2. The intrusion chain initiates with the exploitation of CVE-2025-6264 in an outdated Velociraptor deployment. This vulnerability allowed the attackers to obtain SYSTEM-level privileges on targeted virtual machines and servers. With elevated access, the adversaries disabled security services, altered firewall configurations, and inserted malicious modules into critical system processes.

3. Following privilege escalation, the threat actors manipulated Group Policy Objects to enforce malicious scripts at the domain level. PowerShell scripts were deployed to harvest credentials and extract sensitive data, enabling extensive data exfiltration operations. Logs were systematically cleared to hamper forensic investigations and extend the dwell time in compromised networks.

4. The attackers then unleashed a triad of ransomware variants—Warlock, LockBit, and Babuk—to encrypt files across virtual machines and on-premises servers. The use of multiple ransomware strains complicated detection and response, as each variant exhibited distinct encryption algorithms and ransom note formats. The inclusion of LockBit in this arsenal underlines the growing influence of established ransomware-as-a-service models in advanced attacks.

5. The Storm-2603 campaign underscores a broader shift in adversary tactics toward integrating commercial and open-source tools into their arsenals. By repurposing Velociraptor for illicit use, the threat actors demonstrated how legitimate digital forensics frameworks can be weaponized for stealthy reconnaissance, lateral movement, and persistence within target environments.

6. This incident highlights the critical need for continuous vulnerability management and patching practices, especially for widely adopted tools like Velociraptor. Organizations must monitor for anomalous usage patterns of system administration utilities and enforce strict access controls to prevent unauthorized privilege escalation and misuse.

7. In response to this evolving threat landscape, security teams should adopt a layered defense strategy that combines endpoint detection and response, network segmentation, and regular threat-hunting exercises. Proactive threat intelligence sharing and collaboration can help the community stay ahead of tactics like those employed by Storm-2603 and mitigate the risk of future ransomware outbreaks.

