Warlock Ransomware: Old Actor, New Tricks?

Oct. 24, 2025, 9:19 a.m.

Description

The Warlock ransomware, first appearing in June 2025, is linked to a China-based actor with a history dating back to 2019. It gained prominence by exploiting the ToolShell vulnerability in Microsoft SharePoint. The group, known as Storm-2603, uses multiple ransomware payloads and a custom C&C framework called ak47c2. Warlock is likely a rebrand of the older Anylock ransomware and may have connections to the retired Black Basta operation. The actors behind Warlock have been involved in diverse activities, including espionage and cybercrime, suggesting they may be contractors. Their toolset includes defense evasion tools and the use of stolen digital certificates, linking them to earlier attacks by groups like CamoFei and ChamelGang.

Date

  • Created: Oct. 23, 2025, 3:22 p.m.
  • Published: Oct. 23, 2025, 3:22 p.m.
  • Modified: Oct. 24, 2025, 9:19 a.m.

Attack Patterns

  • Anylock
  • Warlock
  • CatB
  • LockBit
  • Storm-2603

Additional Information

  • Engineering
  • Technology
  • Healthcare
  • Government
  • British Indian Ocean Territory
  • India
  • Taiwan
  • Japan
  • Brazil
  • United States of America
  • Russian Federation