Redazione RHC: 23 September 2025 10:07
The Warlock group, also known as Storm-2603 and GOLD SALEM, has gone from being a newcomer to a major player in the ransomware market in just a few months. Sophos researchers report that the group began its activity in March 2025 and that by September it had already created its own data leak portal, “Warlock Client Data Leak Show,” where 60 victims were published. The attackers operate worldwide, targeting small government agencies and commercial companies as well as multinational corporations in North and South America and Europe.
Warlock received particular attention after the August incidents: the criminals boasted of having compromised the French company Orange and the British company Colt. In the latter case, they claimed to have stolen a million documents and even announced an auction for the archive.
The same resource later listed Star Alliance among its victims, although there was no official confirmation from the organization, and the post itself was accompanied by a note about the sale of the stolen dataset. Unlike other ransomware groups, Warlock does not publish attack dates and rarely shows examples of stolen material, limiting itself to laconic notes about the ransom status or a link to an archive.
Warlock’s negotiating style is clearly harsh: on their website, they accuse organizations of irresponsibility and promise to release data if they refuse to contact them. At the same time, for large companies holding extremely sensitive information, they declare that the full extent of the stolen data will not be made public. This approach allows the group to simultaneously undermine the victim’s reputation and maintain the interest of black market buyers.
The Sophos report places particular emphasis on attack techniques. Warlock first appeared publicly in June on a hacker forum, where a representative of the group was searching for exploits for enterprise applications like Veeam, ESXi, and SharePoint, as well as tools to bypass EDR systems.
In July, Microsoft had already detected that the group was using a new zero-day vulnerability on on-premises SharePoint servers.
The exploit was initially distributed by the Chinese group Salt Typhoon on July 18, but a problematic update left tens of thousands of systems vulnerable, including government servers. Warlock took advantage of the situation and deployed its own ToolShell chain to install a web shell and achieve network persistence via a custom WebSocket-based Golang server.
Furthermore, the attackers actively combine proven methods: they use Mimikatz to steal credentials, PsExec and Impacket for lateral movement, and they distribute ransomware across the network via group policies. For covert traffic, they use legitimate tools, particularly Velociraptor. This combination makes their attacks flexible and difficult to detect. Sophos emphasizes that this mix of standard techniques and targeted innovations demonstrates the authors’ high level of preparation and boldness.
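As an added illustration of what a defender can do with the TTP mix described above (this is not code from Sophos or from the article), the following Python triage flags three of the named behaviours in Windows event records: a PsExec remote service install (event 7045), the output-redirect command line left by Impacket's wmiexec (event 4688), and edits to a Group Policy object (event 5136), then escalates hosts that show more than one. The event records and field names are simplified, constructed samples, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed sample Windows events (not real telemetry). 7045 = service installed,
# 4688 = process creation, 5136 = directory service object modified (GPO edits).
SAMPLE_EVENTS = [
    {"id": 7045, "host": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "FS01",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1695462000.12 2>&1"},
    {"id": 5136, "host": "DC01", "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"id": 4688, "host": "WS07", "CommandLine": r"C:\Windows\System32\notepad.exe"},
]

# Impacket wmiexec redirects command output to an ADMIN$ share file named "__<timestamp>".
WMIEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+")
# GPO attributes that change when a policy is repurposed to push a payload.
GPO_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber"}

def classify(ev):
    """Map one event to a technique label from the described TTP mix, or None."""
    if ev["id"] == 7045 and "PSEXESVC" in ev.get("ServiceName", "").upper():
        return "psexec_service_install"
    if ev["id"] == 4688 and WMIEXEC_RE.search(ev.get("CommandLine", "")):
        return "impacket_wmiexec_pattern"
    if (ev["id"] == 5136 and ev.get("ObjectClass") == "groupPolicyContainer"
            and ev.get("AttributeLDAPDisplayName") in GPO_ATTRS):
        return "gpo_modified"
    return None

def triage(events):
    """Return {host: sorted technique labels}. A host with two or more distinct
    labels gets an 'escalate' marker: lateral movement plus deployment prep on
    one system matches the described chain better than any single hit."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["host"]].add(label)
    return {h: sorted(l) + (["escalate"] if len(l) >= 2 else [])
            for h, l in hits.items()}

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, labels)
```

Legitimate administrators also install PSEXESVC and edit GPOs, so the labels are triage leads to be checked against change records, not verdicts on their own.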
Warlock quickly became one of the top 20 most active ransomware operations of the past year. Experts estimate that further pressure on corporate infrastructures is unlikely to be stopped without aggressive measures from security operators.
To mitigate risks, experts advise organizations to pay greater attention to monitoring the attack surface, promptly patching public services, and maintaining readiness for rapid incident response. Sophos emphasizes that understanding Warlock tactics is essential to strengthening defenses before the group selects a new target.