Warlock Ransomware: Old Actor, New Tricks?

SUMMARY :

The Warlock ransomware, first appearing in June 2025, is linked to a China-based actor with a history dating back to 2019. It gained prominence by exploiting the ToolShell vulnerability in Microsoft SharePoint. The group, known as Storm-2603, uses multiple ransomware payloads and a custom C&C framework called ak47c2. Warlock is likely a rebrand of the older Anylock ransomware and may have connections to the retired Black Basta operation. The actors behind Warlock have been involved in diverse activities, including espionage and cybercrime, suggesting they may be contractors. Their toolset includes defense evasion tools and the use of stolen digital certificates, linking them to earlier attacks by groups like CamoFei and ChamelGang.

OPENCTI LABELS :

espionage,ransomware,lockbit,warlock,anylock


AI COMMENTARY :

1. The Warlock ransomware campaign emerged in June 2025, abruptly capturing the attention of security analysts and incident responders. What distinguishes Warlock is its seamless exploitation of the ToolShell vulnerability in Microsoft SharePoint, enabling attackers to gain unfettered access to corporate networks. This campaign is attributed to a China-based actor known in the threat intelligence community as Storm-2603, and it carries echoes of previous high-profile operations such as LockBit and Black Basta, underscoring its potency in the evolving ransomware landscape.

2. Tracing its lineage back to 2019, the group behind Warlock is believed to have originally operated under the Anylock banner. Over time, this collective honed its toolkit and infrastructure, culminating in a rebranding effort that introduced Warlock as its flagship ransomware. The shift was not merely cosmetic; it reflected upgrades in payload modularity, encryption algorithms, and a custom command and control (C&C) framework dubbed ak47c2. Researchers have noted that the new payloads are more resilient to automated detection and feature advanced defense evasion techniques that mirror those used by espionage outfits.

3. Technical analysis of the Warlock malware reveals a multi-stage infection process. Initial access is gained via the ToolShell exploit, followed by the deployment of lightweight reconnaissance modules that map network shares and privilege levels. Once the environment is fully understood, the ransomware payload is executed in memory, minimizing disk artifacts. The actors also leverage stolen digital certificates to sign their binaries, a tactic previously employed by groups such as CamoFei and ChamelGang, which adds an additional layer of legitimacy to their malicious traffic.

4. The overlap between Warlock and earlier operations like Anylock and the now-retired Black Basta suggests potential personnel or infrastructure sharing. Indicators point to the same encryption schemes and victim selection methodology, which focused on mid- to large-sized enterprises. The reused code and overlapping IP addresses hint at an evolutionary path rather than a completely new entrant, making Warlock a textbook case of threat actor rebranding used to evade law enforcement and security vendor blacklists.

5. Beyond pure financial gain, the Storm-2603 group has conducted espionage missions, indicating a dual purpose to their activities. Their campaign arsenal includes data exfiltration tools, web shells, remote access Trojans, and backdoors—typical hallmarks of contractors hired to carry out intelligence collection. This blending of ransomware and espionage further complicates attribution and response, as defenders must anticipate both extortion demands and potential leaks of sensitive corporate data.

6. For organizations seeking to defend against Warlock and similar threats, proactive patch management to eliminate vulnerabilities like ToolShell is paramount. Network segmentation, continuous monitoring for anomalous C&C communications, and robust incident response playbooks tailored for advanced ransomware are critical. Threat intelligence teams should also track the evolving IOCs associated with Storm-2603, Anylock, and related espionage-oriented groups to stay one step ahead of these adaptable adversaries.


OPEN NETMANAGEIT OPENCTI REPORT LINK!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Warlock Ransomware: Old Actor, New Tricks?