Cyber999 Advisories

25 August 2025     Advisory

MA-1388.082025: MyCERT Advisory - Warlock Ransomware Campaign Targeting Microsoft SharePoint Servers


1.0 Introduction
Recently, the Warlock ransomware group has been actively targeting organizations by exploiting unpatched Microsoft SharePoint servers and outdated Veeam software. By leveraging these vulnerabilities, attackers gain remote code execution and establish persistence through web shells, allowing them to perform reconnaissance and prepare for further malicious activity. This campaign, observed in 2025, highlights the importance of timely patching and proper system hardening to prevent ransomware attacks.

2.0 Impact
The successful exploitation of these vulnerabilities can result in severe operational and financial damage to affected organizations. Once compromised, attackers deploy the Warlock ransomware strain to encrypt critical business files, causing significant data loss. This leads to widespread operational disruption as systems and services become unavailable, resulting in costly downtime. In addition to encryption, the attackers often exfiltrate sensitive information for double extortion, increasing the risk of data breaches and reputational harm. With elevated privileges, the threat actors can move laterally across the network, compromising additional systems and expanding their control. These attacks ultimately lead to substantial financial losses, including potential ransom payments, legal liabilities, and the cost of recovery and remediation. This campaign underscores the urgent need for timely patching and hardening of critical systems to mitigate multi-stage ransomware attacks.

3.0 Affected System

  • Unpatched Microsoft SharePoint (On-Premises)
  • Outdated Veeam Backup & Replication (CVE-2023-27532)

4.0 Technical Description

4.1 Initial Exploitation
The Warlock ransomware group exploits critical vulnerabilities to gain initial access and execute arbitrary code. Key exploited vulnerabilities include Microsoft SharePoint deserialization flaws, allowing authentication bypass and remote code execution, and CVE-2023-27532 affecting Veeam Backup & Replication software, which facilitates lateral pivoting. Attackers send crafted HTTP POST requests to upload web shells, enabling remote control and reconnaissance.

4.2 Attack Chain Overview
The attack begins with exploitation of SharePoint and Veeam vulnerabilities, followed by web shell deployment for persistence and command execution. Attackers escalate privileges by abusing Group Policy Objects (GPOs) to create new GPOs, activate the guest account, and add it to the Administrators group. They use native Windows tools (e.g., cmd.exe, nltest, ipconfig, tasklist) for discovery.

  • Credential Access
    The group employs Mimikatz for extracting plaintext passwords and dumps registry hives (SAM, SECURITY) using CrackMapExec. These credentials enable further compromise and lateral movement.
  • Lateral Movement
    Warlock propagates across the network via SMB shares, using binaries disguised as vmtools.exe. The group also disables security tools through a malicious driver (googleApiUtil64.sys), guided by instructions in log.txt.
  • Ransomware Deployment
    Once lateral movement is complete, the ransomware encrypts files with the extension .x2anylock and drops ransom notes in affected directories. Exfiltration of sensitive data occurs via Proton Drive using RClone, masquerading as TrendSecurity.exe. The attackers use DLL sideloading (e.g., MpCmdRun.exe, jcef_helper.exe) and deploy a tool (writenull.exe) to wipe disks, preventing recovery.

4.3 Ransomware Characteristics
The ransomware is a derivative of LockBit 3.0, inheriting its encryption efficiency and evasion mechanisms. It avoids encrypting whitelisted extensions, system directories, and certain system names to maintain stealth and ensure the system remains functional for the ransom demand process.

5.0 Indicators of Compromise

Detection name, followed by hash type and hash value:

Ransom.Win32.WARLOCK.A.note
  SHA256  7f04531f29aedf544e32bc9909015064fd29b98ad52c7a5b7c095a513880aab9
  SHA1    0bbbf2a9d49152ac6ad755167ccb0f2b4f00b976
  MD5     b0744a33e3308082ebb6f8a8e917ba9b

Ransom.Win32.WARLOCK.A (first sample)
  SHA256  da8de7257c6897d2220cdf9d4755b15aeb38715807e3665716d2ee761c266fdb
  SHA1    cf0da7f6450f09c8958e253bd606b83aa80558f2
  MD5     68bd43a00ba948f435ecbdd402914298

Ransom.Win32.WARLOCK.A (second sample)
  SHA256  983b4e6edd2b289dd1a389aed908861fd8f0bf7d8e82a916ebe6d4df8642ab54
  SHA1    8b13118b378293b9dc891b57121113d0aea3ac8a
  MD5     8a0b41e965e66689e78ca36d3477cb0c

Trojan.Win64.KILLAV.I
  SHA256  bba75dc056ef7f9c4ade39b32174c5980233fc1551c41aca9487019191764bac
  SHA1    0488509b4dbc16dcb6d5f531e3c8b9a59b69e522
  MD5     bf9f0c82c2ee89c7bc5480adc5e9494e
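One way to act on the hash table above is a small offline matcher that streams files once, computes all three digests, and reports any hit. The following is an added example, not code from the MyCERT advisory: the IOC_TABLE string is copied verbatim from section 5.0, while the function names, the directory walk and the first-hit-wins ordering are this example's own design.

```python
"""Offline file-hash matcher for the IoCs in section 5.0.

Added example, not part of the MyCERT advisory. The hash table below is copied
verbatim from the advisory; everything else (function names, the directory
walk) is this example's own design.
"""
import hashlib
import os
import sys
from typing import Dict, List, Optional, Tuple

# Section 5.0 of the advisory, one "<hash> <type> <description>" row per line.
IOC_TABLE = """
7f04531f29aedf544e32bc9909015064fd29b98ad52c7a5b7c095a513880aab9 SHA256 Ransom.Win32.WARLOCK.A.note
0bbbf2a9d49152ac6ad755167ccb0f2b4f00b976 SHA1 Ransom.Win32.WARLOCK.A.note
b0744a33e3308082ebb6f8a8e917ba9b MD5 Ransom.Win32.WARLOCK.A.note
da8de7257c6897d2220cdf9d4755b15aeb38715807e3665716d2ee761c266fdb SHA256 Ransom.Win32.WARLOCK.A
cf0da7f6450f09c8958e253bd606b83aa80558f2 SHA1 Ransom.Win32.WARLOCK.A
68bd43a00ba948f435ecbdd402914298 MD5 Ransom.Win32.WARLOCK.A
983b4e6edd2b289dd1a389aed908861fd8f0bf7d8e82a916ebe6d4df8642ab54 SHA256 Ransom.Win32.WARLOCK.A
8b13118b378293b9dc891b57121113d0aea3ac8a SHA1 Ransom.Win32.WARLOCK.A
8a0b41e965e66689e78ca36d3477cb0c MD5 Ransom.Win32.WARLOCK.A
bba75dc056ef7f9c4ade39b32174c5980233fc1551c41aca9487019191764bac SHA256 Trojan.Win64.KILLAV.I
0488509b4dbc16dcb6d5f531e3c8b9a59b69e522 SHA1 Trojan.Win64.KILLAV.I
bf9f0c82c2ee89c7bc5480adc5e9494e MD5 Trojan.Win64.KILLAV.I
"""

HASH_TYPES = ("SHA256", "SHA1", "MD5")  # checked in this order; first hit wins


def parse_ioc_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each lowercase hex digest to (hash type, detection name)."""
    iocs: Dict[str, Tuple[str, str]] = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() not in HASH_TYPES:
            continue  # skip a header or malformed row
        digest, htype, name = parts
        iocs[digest.lower()] = (htype.upper(), name)
    return iocs


IOCS = parse_ioc_table(IOC_TABLE)


def _new_hashers():
    return {"SHA256": hashlib.sha256(), "SHA1": hashlib.sha1(), "MD5": hashlib.md5()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All three digests of an in-memory blob."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {k: h.hexdigest() for k, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as hash_bytes but streamed: the file is read once and never held whole in memory."""
    hashers = _new_hashers()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {k: h.hexdigest() for k, h in hashers.items()}


def match_digests(digests: Dict[str, str], iocs=IOCS) -> Optional[Tuple[str, str, str]]:
    """Return (hash type, digest, detection name) for the first IoC hit, else None."""
    for htype in HASH_TYPES:
        digest = digests.get(htype, "").lower()
        hit = iocs.get(digest)
        if hit is not None:
            return (htype, digest, hit[1])
    return None


def match_bytes(data: bytes, iocs=IOCS) -> Optional[Tuple[str, str, str]]:
    return match_digests(hash_bytes(data), iocs)


def scan_directory(root: str, iocs=IOCS) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, hash type, detection name) for every file matching an IoC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hit = match_digests(hash_file(path), iocs)
            except OSError:
                continue  # unreadable or vanished file; a production scanner would log this
            if hit is not None:
                hits.append((path, hit[0], hit[2]))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, htype, name in scan_directory(target):
        print(f"MATCH {name} ({htype}) {path}")
```

Run it as `python ioc_scan.py <directory>`; a hit on any one of the three digests is enough, and lookups are normalised to lowercase so hashes pasted from other tools in uppercase still match.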


6.0 Recommendation
CyberSecurity Malaysia urges users and organizations to review the security release, follow the mitigation steps and apply the necessary updates.

  • Apply security patches immediately for Microsoft SharePoint and Veeam Backup software to prevent exploitation.
  • Restrict Group Policy Object (GPO) modifications to authorized administrators only.
  • Monitor for any unauthorized creation of new GPOs or activation of guest accounts.
  • Harden SMB shares by disabling unnecessary access and enforcing strong authentication.
  • Deploy endpoint detection and response (EDR/XDR) solutions to detect suspicious process executions, credential dumping tools, and abnormal remote access activity.
  • Monitor for known indicators of compromise (IOCs), unusual RClone activity, and renamed or suspicious binaries.
  • Maintain offline backups and regularly test recovery procedures to ensure data can be restored in case of ransomware or malicious deletion.
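The escalation sequence in section 4.2 (a new GPO, the Guest account enabled, then Guest added to Administrators) and the monitoring recommendation above map onto three Windows Security events: 5137 (directory service object created, with ObjectClass groupPolicyContainer), 4722 (user account enabled) and 4732 (member added to a security-enabled local group). The following is an added example, not code from the advisory: the event records are constructed, the rule names, severities and one-hour correlation window are this example's own choices, and the GUID in the ObjectDN is a placeholder.

```python
"""Rules for the GPO and guest-account abuse described in section 4.2.

Added example, not part of the MyCERT advisory. The events below are constructed
records shaped like Windows Security log entries exported as JSON; the event IDs
and field names are the standard ones (5137 directory object created, 4722 user
account enabled, 4732 member added to a security-enabled local group). Rule names,
severities and the correlation window are this example's own choices.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry: one benign logon, then the escalation sequence
# from section 4.2 performed by a single subject, then an unrelated group change.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"TimeCreated": "2025-08-20T01:02:10", "EventID": "4624", "Computer": "DC01",
     "SubjectUserName": "svc_backup", "TargetUserName": "svc_backup"},
    {"TimeCreated": "2025-08-20T01:05:41", "EventID": "5137", "Computer": "DC01",
     "SubjectUserName": "svc_backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"TimeCreated": "2025-08-20T01:06:03", "EventID": "4722", "Computer": "DC01",
     "SubjectUserName": "svc_backup", "TargetUserName": "Guest"},
    {"TimeCreated": "2025-08-20T01:06:20", "EventID": "4732", "Computer": "DC01",
     "SubjectUserName": "svc_backup", "TargetUserName": "Administrators",
     "MemberName": "CORP\\Guest"},
    {"TimeCreated": "2025-08-20T09:15:00", "EventID": "4732", "Computer": "WS07",
     "SubjectUserName": "helpdesk01", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CORP\\jdoe"},
]

CORRELATION_WINDOW = timedelta(hours=1)  # Guest enabled -> Guest added to Administrators


def _when(event: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def _account(member_name: str) -> str:
    """'CORP\\Guest' -> 'guest'; bare account names pass through unchanged."""
    return member_name.rsplit("\\", 1)[-1].lower()


def _alert(rule: str, severity: str, event: Dict[str, str], detail: str) -> Dict[str, str]:
    return {"rule": rule, "severity": severity, "time": event["TimeCreated"],
            "host": event.get("Computer", "?"), "subject": event.get("SubjectUserName", "?"),
            "detail": detail}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply three single-event rules plus one correlation; alerts come back in time order."""
    alerts: List[Dict[str, str]] = []
    guest_enabled = []  # (time, subject) pairs retained for the correlation rule
    for ev in sorted(events, key=_when):
        eid = ev.get("EventID")
        if eid == "5137" and ev.get("ObjectClass") == "groupPolicyContainer":
            # A new GPO object in the domain is rare outside a change window.
            alerts.append(_alert("gpo_created", "high", ev, ev.get("ObjectDN", "")))
        elif eid == "4722" and ev.get("TargetUserName", "").lower() == "guest":
            alerts.append(_alert("guest_account_enabled", "high", ev, "built-in Guest enabled"))
            guest_enabled.append((_when(ev), ev.get("SubjectUserName")))
        elif eid == "4732" and ev.get("TargetUserName", "").lower() == "administrators":
            member = ev.get("MemberName", "")
            alerts.append(_alert("administrators_member_added", "medium", ev, member))
            if _account(member) == "guest":
                # Section 4.2 sequence: same subject enables Guest, then adds it to Administrators.
                for t, subject in guest_enabled:
                    if subject == ev.get("SubjectUserName") and timedelta(0) <= _when(ev) - t <= CORRELATION_WINDOW:
                        alerts.append(_alert("guest_enabled_then_admin", "critical", ev,
                                             f"Guest enabled at {t.isoformat()} then added to Administrators"))
                        break
    return alerts


def rules_fired(events: List[Dict[str, str]]) -> List[str]:
    return [a["rule"] for a in detect(events)]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:>8}] {a['time']} {a['host']} {a['subject']} {a['rule']}: {a['detail']}")
```

The single-event rules are deliberately noisy (any new GPO, any change to Administrators) so that they can be tuned against an environment's normal change activity; the correlation is the high-confidence signal, because enabling Guest and promoting it to Administrators within minutes by the same subject has no routine administrative explanation.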

Kindly refer to the URL for more information:

Generally, we advise users to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.

For further enquiries, please contact Cyber999 Incident Response Team through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.cybersecurity.my

7.0 References

CyberSecurity Malaysia is the national cyber security specialist agency under the purview of the Ministry of Digital (KD)