The Warlock ransomware group, already linked to an outbreak of Microsoft SharePoint attacks this July, has been stepping up its attacks in recent weeks – and with a twist of ingenuity, Sophos researchers say.
The threat actor, dubbed Storm 2603 by Microsoft and known for deploying its own signature WarLock ransomware variant, is now officially being tracked by Sophos’ Counter Threat Unit Research Team under the name GOLD SALEM.
“The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity,” Sophos describes the suspected Beijing-backed newcomers.
Not long on the ransomware scene, the group began “attacking and extorting victims” as early as March 2025, a new Sophos intelligence report released earlier this week shows.
Sophos researchers note that in September alone, the “fast-emerging ransomware operation” has already claimed 60 victims on its “Warlock Client Data Leak Show” onion site.
The group is said to target victims ranging from "small commercial or government entities to large multinational corporations spread throughout North America, Europe, and South America."
Warlock hit two telecoms in August
Although many of the posted victims are lesser-known companies, in August, the ransomware cartel was able to infiltrate two major telecommunication giants, France’s multinational digital service provider Orange and the UK-based Colt.
Warlock boasted on its leak site that it had stolen a whopping 1 million documents from Colt, and states “The full set of files needs to be purchased separately,” with an “Auction in progress.”
The aviation industry’s global Star Alliance airlines group was also claimed on the Warlock leak site around the same timeframe, but the company has not come forward, either to confirm or deny an attack.
"The data has been purchased by other buyers," the group wrote in the Star Alliance post, under the word "Published."
Additionally, Cybernews can confirm the Warlock leak site does not provide as many details about its attack victims as other ransomware groups, omitting a "posted on" date, visual samples, and, only randomly, will it post the amount of stolen data it possesses for each victim.
Instead, the group provides a small note under each post, indicating if the data has been published, sold, or if “the customer” has refused to pay its undisclosed ransom demand, and in some cases, supplies a link to the actual data.
“We strongly condemn irresponsible companies,” Warlock states in its FAQ section, adding, “Due to some clients not contacting us, we have chosen to publicly release their data, available for free download by anyone.”
Apparently, for big deal clients “that are very large enterprises with highly sensitive data,” Warlock says the stolen information “will not be fully disclosed.”
Warlock's out of the box TTPs
Sophos research says the group was not publicly active until a random post in June on Ramp, a well-known underground Russian cybercriminal forum.
The alleged Warlock representative was said to be soliciting exploits for applications commonly used by large enterprises, including Veeam, ESXi, and SharePoint, as well as other endpoint detection and response (EDR) system disruption tools.
In late July, Microsoft reported it observed several Chinese nation-state attackers deploying Warlock ransomware to take advantage of a zero-day flaw affecting on-premise SharePoint servers used by thousands of enterprises worldwide.
The SharePoint zero-day flaw was initially exploited on July 18th by the China-backed Salt Typhoon. Although only about 100 organizations were targeted at the time, Microsoft estimated that another 10,000 more on-site servers were left exposed due to a failed patch release, many in the government sector.
“Warlock’s operations reflect both competence and boldness,” Sohpos says.
Curious what others think about this story? Contribute your thoughts to the debate below.
The security firm points out that since June, the group has not only “exploited SharePoint vulnerabilities with a custom ToolShell chain, dropping web shells and using a Golang-based WebSockets server for persistence,” but has also “abused legitimate tools, including Velociraptor, for covert tunneling.”
The research additionally finds that Warlock has taken advantage of other already successfully deployed “tried-and-true techniques, such as Mimikatz for credential theft, PsExec/Impacket for lateral movement, and GPOs to push ransomware payloads.”
To reduce the risk of attacks, the research team urges organizations to engage in regular attack surface monitoring and have aggressive patching policies for internet-facing services, as well as ensure that proactive endpoint monitoring and timely incident response are in place in case of a hit.
Considered by Sophos to be among the top 20 most prolific ransomware actors in the past 12 months, the British-based cybersecurity company says, “Awareness of how groups like Warlock operate is critical for businesses aiming to shore up defenses before they’re targeted."
Your email address will not be published. Required fields are markedmarked