Velociraptor leveraged in ransomware attacks
Oct. 10, 2025, 7:33 a.m.
Description
A ransomware attack that used Velociraptor, an open-source digital forensics and incident response tool, has been linked to the threat actor Storm-2603. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt virtual machines and servers. They exploited a vulnerability in an outdated version of Velociraptor for privilege escalation and persistence. The campaign involved disabling security measures, modifying Group Policy Objects (GPOs), and using PowerShell scripts for encryption and data exfiltration. The attack bears similarities to Storm-2603's known tactics, including the use of multiple ransomware variants and specific techniques such as manipulating IIS components and GPOs. The incident highlights the growing trend of threat actors using commercial and open-source tools in their operations.
Date
- Created: Oct. 9, 2025, 8:09 p.m.
- Published: Oct. 9, 2025, 8:09 p.m.
- Modified: Oct. 10, 2025, 7:33 a.m.
Indicators