Ransomware Intelligence

warlock

Ransomware group profile

Victims: 57
Source country: China
Impact score: 87
Also Known As: Storm-2603

Description

Warlock is a financially motivated ransomware group that emerged in June 2025, primarily operating under a Ransomware-as-a-Service model. Notably, it exploits vulnerabilities in Microsoft SharePoint for initial access and has shown rapid evolution in tactics to enhance its post-exploitation activities.

Key insights

  • Warlock leverages unpatched Microsoft SharePoint vulnerabilities for initial access, particularly exploiting the ToolShell vulnerability chain.
  • The group uses its proprietary ransomware with a distinctive .x2anylock file extension, often combined with data exfiltration efforts.
  • Warlock employs a double extortion strategy, threatening to leak stolen data publicly alongside file encryption.
  • The group utilizes advanced tactics for evasion, such as deploying vulnerable third-party drivers and executing custom malware.
  • Ties to Storm-2603 and possible connection with the Black Basta group suggest a broad network of cybercriminal activity.
  • Warlock targets a range of sectors including healthcare, finance, and public administration with significant impacts on these industries.

Threat Level & Status Breakdown

For warlock · Based on incidents in selected period

Threat level: 1.9
Aggressiveness: 5 / 10
Lethality: 0 / 10
Criticality: 0.6 / 10
First seen: Jul 2025
Last seen: Nov 2025
Avg ransom
Payment rate
Status: active
Sophistication: 0
Last updated: Jun 28, 2026

Recent activity

Monthly attack count for warlock in the selected period

Total attacks: 57
Peak: 20 in Aug
Average: 14.3 / month
↑ 8 vs first month
[Chart: monthly attack count for Jul, Aug, Sep, Nov; y-axis 0 to 20]

Intelligence

IOCs, YARA/Sigma rules, and related families for warlock

Full IOC feed: 500 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for warlock

Other

  • T1486
  • T1490
  • T1021
  • T1562
  • T1080
  • T1078
  • T1547
  • T1059
  • T1021.001
  • T1203
  • T1053
  • T1083

Victims (57)

Company | Domain | Country | Industry | Status | Discovered
atg.cz | atg.cz | CZ Czech Republic | Technology | Unknown | 8 months ago
tein.co.jp | tein.co.jp | JP Japan | Technology | Unknown | 8 months ago
bel.quadra.ru | bel.quadra.ru | RU Russia | Professional Services | Unknown | 8 months ago
ippm.org | ippm.org | GB United Kingdom | Other | Unknown | 8 months ago
sf.walltopia.com | sf.walltopia.com | US United States | Hospitality | Unknown | 8 months ago
nartis.ru | nartis.ru | RU Russia | Manufacturing | Unknown | 8 months ago
alphasys.bo | alphasys.bo | BO Bolivia | Technology | Unknown | 8 months ago
silanosn.local | silanosn.local | IT Italy | Manufacturing | Unknown | 8 months ago
mnpease.ca | mnpease.ca | CA Canada | Financial Services | Unknown | 8 months ago
mytune.me | mytune.me | MY Malaysia | Hospitality | Unknown | 8 months ago
goldenline.com | goldenline.com | PL Poland | Technology | Unknown | 8 months ago
cybervector.co.uk | cybervector.co.uk | GB United Kingdom | Technology | Unknown | 8 months ago
bengineered.com.au | bengineered.com.au | AU Australia | Technology | Unknown | 8 months ago
fabrity.local | fabrity.local | PL Poland | Technology | Unknown | 8 months ago
metro.local | metro.local | NA Namibia | Retail & E-Commerce | Unknown | 8 months ago
miltech.local | miltech.local | IS Iceland | Manufacturing | Unknown | 8 months ago
energogroup.net | energogroup.net | RU Russia | Energy & Utilities | Unknown | 8 months ago
siball.net | siball.net | RU Russia | Technology | Unknown | 9 months ago
chroma.com.tw | chroma.com.tw | TW Taiwan | Technology | Unknown | 10 months ago
ferus-smit.home | ferus-smit.home | NL Netherlands | Manufacturing | Unknown | 10 months ago

Page 1 of 3