Warlock
Ransomware group profile
Description
Warlock is a financially motivated ransomware group that emerged in June 2025 and operates primarily under a Ransomware-as-a-Service (RaaS) model. It gains initial access by exploiting vulnerabilities in Microsoft SharePoint and has rapidly evolved its post-exploitation tradecraft.
Key insights
- Warlock leverages unpatched Microsoft SharePoint vulnerabilities for initial access, in particular the ToolShell vulnerability chain.
- The group uses its own ransomware, which appends the distinctive .x2anylock file extension, and typically pairs encryption with data exfiltration.
- Warlock employs a double extortion strategy, threatening to leak stolen data publicly in addition to encrypting files.
- The group uses advanced evasion tactics, such as deploying vulnerable third-party drivers and executing custom malware.
- Ties to Storm-2603 and a possible connection to the Black Basta group suggest a broad network of cybercriminal activity.
- Warlock targets a range of sectors, including healthcare, finance, and public administration, with significant impact on those industries.
Intelligence
IOCs for Warlock (file hashes; MD5, SHA-1 and SHA-256 values are listed together)
- f0ac3999d4020cd051052a0627a2056d
- 468121e7d6952799f92940677268937c4c5f92ed
- b2398a81b5467f75f476a107027b3259
- 9b04a93e05ccff94667f04bffa7af600
- b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505
- db89ec570e6281934a5c5fcf7f4c8967
- ceec1a2df81905f68c7ebe986e378fec0805aebdc13de09a4033be48ba66da8b
- 54de95cc33834a2f877ba4842860af27
- 9e82ee5bde6b5d29281a3c280e6d1f2e
- 2e328297a4afd4ea2b482063e6a18ea3
- 244413ddc0430e3a50e9e69b9ee8c288
- 79bef5da8af21f97e8d4e609389c28e0646ef81a6944e329330c716e19f33c73
- b16e217cdca19e00c1b68bdfb28ead53b20adeabd6edcd91542f9fbf48942877
- edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef
- 6ee94f6bdc4c4ed0fff621fec36c70ff093659ed
- b9c60c84be9bb503333e82f2e0b4024ce0d500c4
- f06fe1c3e882092a23002bed3e170da7b64e6b4475acdedea1433a874b10afdf
- c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94
- 8f58da414ec4cdad2f6ac86c19e0a806886c63cfdf1fbbb5a0713dce8a0164c5
- 47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428
- 0098c79e1404b4399bf0e686d88dbf052269a302
- 39300863bcaad71e5d4efc9a1cae118440aa778f
- bc65ed919988c8e4b8f5a1cd371745456601700a
- 5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4
- 3e2272b916da4be3c120d17490423230ab62c174
- 6bc8e3505d9f51368ddf323acb6abc49
- 78cd87dfa9ba0f9b533310ca98b54489
- 61e3bda477c87c9bdae1fa57e46b1ed03543c1ae
- 7cbe4243c09f299b2dbfdc10f63846541367dcef
- 983b4e6edd2b289dd1a389aed908861fd8f0bf7d8e82a916ebe6d4df8642ab54
- 6f71d33fba02f1a6f24a3bc9bf2342b6
- 4147a1c7084357463b35071eab6f4525a94476b40336ebbf8a4e54eb9b51917f
- 7883afb713379d375b35c26d40eca326e6f73286
- 7310d6399683ba3eb2f695a2071e0e45891d743b
- 929e3fdd3068057632b52ecdfd575ab389390c852b2f4e65dc32f20c87521600
- 6d0cc6349a951f0b52394ad3436d1656ec5fba6a
- ea8c8f834523886b07d87e85e24f124391d69a738814a0f7c31132b6b712ed65
- ce1b9909cef820e5281618a7a0099a27a70643dc
- 6feb5361fd3abd3a7a733c30bfcc2b58fc774ac6aa91a468ce2e31dcffc9d4de
- 023d722cbbdd04e3db77de7e6e3cfeabcef21ba5b2f04c3f3a33691801dd45eb
- 1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192
- 2bae4487ccb7cb14ea48947725c452ac
- ef2c9ae07f024f306e8715e08b13c9c0da55a7a6
- 1b5e6b1f7c46aaaaaecc49352e0e41eb
- a9f37104d2d89051f34e1486bc6ebff44d147e67
- a768244ca664349a6d1af84a712083c0
- 129eec0c999653e30a659f6a336c76d3b6ce810d459a7f860bacbc06fd556277
- 8f3caf8e9415da6a4cb732a9c3db4e5b
- 8ca7304846c69300237a8577fbeec2720ea9a4bd09cb7fe484a8d5efc79ad073
- 002573d80091f7f8167bcbda3a402b85fa915f19
- 363dfaa9fc77ae1f899049428a86d17e
- 3aa3704e27708e81b289eb146cc31764
- 94f73b5dc06ba6705fcef3e759413a747049c2949a0c2e44afc03b2f9989cf73
- 017933be6023795e944a2a373e74e2cc6885b5c9bc1554c437036250c20c3a7d
- dd475afd948cc22caa2a0f934d0aec52
- cf0da7f6450f09c8958e253bd606b83aa80558f2
- 95a6f6e79c1842cea3603df3209fddc12aeb4fc77d1c58a852f877b1eaa9c4c9
- 4a57083122710d51f247367afd813a740ac180a1
- 4ffa34bb3c9b3b9d59e567c98e373676
- 257fed1516ae5fe1b63eae55389e8464f47172154297496e6f4ef13c19a26505
- 2d89fb7455ff3ebf6b965d8b1113857607f7fbda4c752ccb591dbc1dc14ba0da
- df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851
- 80961850786d6531f075b8a6f9a756ad
- 82ed942a52cdcf120a8919730e00ba37619661a3
- 67d17ca90880b448d5c3b40f69cec04d3649f170
- c3804d1329b55a37bfa2f835e1e9bbc7bdb2b260f8e3627c06e02c9f52685d44
- c881f43c7fe94a6f056a84da8e9a32fe56d8dd9c
- 127b50c8185986a52ae66bf6e7e67a6fd787c4fc
- cf7cad39407d8cd93135be42b6bd258f
TTPs & Attack Vectors
MITRE ATT&CK techniques observed for Warlock (each ID listed once, with its ATT&CK technique name):
- T1486 Data Encrypted for Impact
- T1490 Inhibit System Recovery
- T1021 Remote Services
- T1021.001 Remote Services: Remote Desktop Protocol
- T1562 Impair Defenses
- T1080 Taint Shared Content
- T1078 Valid Accounts
- T1547 Boot or Logon Autostart Execution
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
- T1053 Scheduled Task/Job
- T1083 File and Directory Discovery
Victims (59; first 20 shown)
| Company | Domain | Country | Industry | Status | Discovered |
|---|---|---|---|---|---|
| atg.cz | atg.cz | CZ Czech Republic | Technology | Unknown | 8 months ago |
| tein.co.jp | tein.co.jp | JP Japan | Technology | Unknown | 8 months ago |
| bel.quadra.ru | bel.quadra.ru | RU Russia | Professional Services | Unknown | 8 months ago |
| ippm.org | ippm.org | GB United Kingdom | Other | Unknown | 8 months ago |
| sf.walltopia.com | sf.walltopia.com | US United States | Hospitality | Unknown | 8 months ago |
| nartis.ru | nartis.ru | RU Russia | Manufacturing | Unknown | 8 months ago |
| alphasys.bo | alphasys.bo | BO Bolivia | Technology | Unknown | 8 months ago |
| silanosn.local | silanosn.local | IT Italy | Manufacturing | Unknown | 8 months ago |
| cybervector.co.uk | cybervector.co.uk | GB United Kingdom | Technology | Unknown | 8 months ago |
| fabrity.local | fabrity.local | PL Poland | Technology | Unknown | 8 months ago |
| goldenline.com | goldenline.com | PL Poland | Technology | Unknown | 8 months ago |
| mytune.me | mytune.me | MY Malaysia | Hospitality | Unknown | 8 months ago |
| miltech.local | miltech.local | IS Iceland | Manufacturing | Unknown | 8 months ago |
| bengineered.com.au | bengineered.com.au | AU Australia | Technology | Unknown | 8 months ago |
| mnpease.ca | mnpease.ca | CA Canada | Financial Services | Unknown | 8 months ago |
| metro.local | metro.local | NA Namibia | Retail & E-Commerce | Unknown | 8 months ago |
| energogroup.net | energogroup.net | RU Russia | Energy & Utilities | Unknown | 8 months ago |
| siball.net | siball.net | RU Russia | Technology | Unknown | 9 months ago |
| chroma.com.tw | chroma.com.tw | TW Taiwan | Technology | Unknown | 9 months ago |
| ferus-smit.home | ferus-smit.home | NL Netherlands | Manufacturing | Unknown | 9 months ago |
Affected countries (40)
Countries in which this group has been reported to target victims or leak their data.