Analysis Summary

The Warlock ransomware group emerged in June 2025 on the Russian-language RAMP forum with a bold advertisement, quickly establishing itself as a notable threat actor. Operating under a ransomware-as-a-service (RaaS) model, Warlock provides affiliates with a ransomware builder, management tools, and leak sites, enabling rapid adoption and widespread attacks.

Within weeks of its debut, the group claimed multiple victims across government, financial, manufacturing, and technology sectors, with incidents spanning North America, Europe, Asia, and Africa. Affiliates such as Storm-2603, suspected to be linked to Chinese operations, have leveraged vulnerabilities like the ToolShell chain in Microsoft SharePoint servers to deliver Warlock payloads.

A common entry vector for Warlock involves exploiting unpatched, internet-facing SharePoint servers, allowing threat actors to gain remote code execution and establish persistence. Following initial compromise, attackers escalate privileges by modifying group policies, enabling guest accounts, and deploying tools such as PsExec for lateral movement. Defense evasion tactics include the use of custom executables like “Antivirus Terminator” and Trojanized binaries such as vmtools.exe designed to disable endpoint protection. In some cases, vulnerable third-party drivers like ServiceMouse.sys have been abused to facilitate process termination.

The attack lifecycle typically involves reconnaissance, credential theft via tools such as Mimikatz, and system discovery commands. Lateral movement is achieved through SMB shares, remote desktop manipulation, and administrative shares, while persistence is maintained using renamed binaries and tunneling via Cloudflare tools. Data exfiltration often relies on legitimate software disguised as benign executables, such as RClone masquerading as TrendSecurity.exe, configured to transfer large volumes of sensitive data to attacker-controlled cloud storage.

The final stage of attacks deploys the Warlock ransomware binary, which is linked to the AK47 project. The malware incorporates safety checks, process termination routines, and selective targeting, excluding certain files, directories, and extensions. Encrypted files are appended with the .x2anylock extension, and ransom notes are dropped in plaintext.

Analysis indicates that Warlock is a customized variant of LockBit 3.0, leveraging leaked builders to create a new strain. Its rapid evolution, global reach, and sophisticated toolset demonstrate how quickly modern ransomware groups adapt enterprise vulnerabilities into impactful extortion campaigns.