Warlock Ransomware Is Exploiting SharePoint “ToolShell” — What Every Defender Needs to Know Now
If your organization runs SharePoint on‑prem, stop what you’re doing and check your patch status. A new ransomware crew, Warlock, is riding a SharePoint exploit chain dubbed “ToolShell” to hit victims across North America, Europe, Asia, and Africa—moving from initial access to full-blown ransomware and data theft in hours.
Here’s the headline: attackers are chaining authentication and deserialization flaws in Microsoft SharePoint to gain code execution, escalate privileges, move laterally, and deploy ransomware at scale. Trend Micro researchers say the group’s affiliates are leveraging a fast, efficient post-exploitation playbook that’s tough to catch if you’re not watching the right signals. Microsoft, for its part, warns that a China-based actor (tracked as Storm‑2603) has distributed Warlock ransomware on exploited on‑prem SharePoint servers.
Let me explain how this campaign works, why it’s spreading fast, and what to do right now to reduce your risk.
- TL;DR: Patch SharePoint immediately, hunt for suspicious GPO changes and “guest” account manipulation, monitor for Rclone exfiltration and renamed Cloudflare tunnel binaries, and harden SMB/RDP exposure. I’ll give you a practical checklist below.
Also: yes, Warlock looks like a customized offspring of the leaked LockBit 3.0 builder—so expect speed, concurrency, and brutal process-killing behavior designed to break recovery.
Before we dive in, here are a few authoritative sources worth keeping handy:
- Microsoft Security Response Center updates: MSRC Update Guide
- CISA’s Known Exploited Vulnerabilities Catalog: CISA KEV
- Trend Micro Research (ransomware analysis): Trend Micro Research
- MITRE ATT&CK techniques referenced in this article: MITRE ATT&CK
- CISA’s Stop Ransomware portal: StopRansomware.gov
What Is Warlock Ransomware? A Quick Primer
Warlock is a ransomware-as-a-service (RaaS) operation that burst onto the Russian-language RAMP forum in early June 2025 with a flashy pitch to affiliates: “If you want a Lamborghini, please contact me.” Showmanship aside, the group backed it up with activity. By mid‑2025, Warlock’s victim list spanned multiple regions and industries—from tech to critical infrastructure—according to leak site posts tracked by researchers.
Warlock affiliates follow a classic double-extortion model:
- Steal data first.
- Encrypt systems next.
- Drop a ransom note (“How to decrypt my data.txt”) in affected directories.
- Apply pressure by threatening to leak the stolen data.
Trend Micro’s analysis suggests the encryptor is a customized derivative of the leaked LockBit 3.0 builder, which means operational maturity and tooling are already strong. For background, see reporting on the LockBit builder leak from 2022: LockBit 3.0 builder leaked.
What Is the SharePoint “ToolShell” Exploit Chain?
“ToolShell” refers to an exploit chain targeting on‑premises Microsoft SharePoint that combines:
- An authentication weakness to bypass normal controls, and
- A deserialization flaw to achieve remote code execution (RCE).
Attackers who land RCE on SharePoint servers get a high‑impact foothold inside the network. From there, Warlock affiliates are using well-practiced post-exploitation moves to escalate, persist, and spread.
Here’s why that matters: SharePoint servers are often trusted, under-monitored, and connected to sensitive data paths. Once compromised, they’re a springboard for lateral movement and domain‑wide impact.
For the latest vendor guidance and patches, consult Microsoft’s advisories: MSRC Update Guide. Also check if related CVEs are listed in CISA’s KEV catalog and prioritize those patches: CISA KEV.
Who’s at Risk?
- Organizations running on‑premises SharePoint—especially those slow to patch.
- Environments with broad SMB/RDP exposure and weak lateral movement controls.
- Domains where GPO controls and account policies aren’t monitored closely.
- Teams without behavior‑based EDR on servers or without logging tuned for AD/GPO changes.
Warlock claimed an August 2025 attack on UK telecoms firm Colt Technology Services, and telemetry suggests global targeting across North America, Europe, Asia, and Africa. Cloud-first organizations aren’t immune, but on‑prem SharePoint is the current bullseye.
The Warlock Attack Chain: From SharePoint Exploit to Ransom
Trend Micro outlines a tight, repeatable sequence of steps Warlock affiliates use once they compromise SharePoint:
1) Initial Access and Execution
- Exploit SharePoint’s authentication and deserialization flaws to gain RCE.
- Stage a lightweight toolkit and establish command execution.

2) Privilege Escalation via GPO
- Create or modify a Group Policy Object (GPO) at the domain level to grant broader control.
- This can deploy scripts, push registry changes, and alter security configurations domain‑wide.
- MITRE ATT&CK: T1484.001 – Domain Policy Modification

3) Misuse of Built‑In Accounts
- Reactivate the built‑in “guest” account and change its password.
- Add “guest” to local Administrators to gain stealthy admin rights on endpoints.
- Audit clue: user enabled/disabled, password change, and group membership events.

4) Defense Evasion and C2
- Kill security tools and vendor processes to blind defenders. MITRE: T1562 – Impair Defenses
- Set up a stealthy command‑and‑control channel inside the network.
- In at least one case, actors used a renamed Cloudflare binary to tunnel traffic and hide in normal outbound connectivity. Cloudflare’s tunneling client (“cloudflared”) is legitimate, which helps attackers blend in. Reference: Cloudflare Tunnel

5) Reconnaissance and Staging
- Enumerate users, groups, network shares, and security context.
- Map lateral movement paths and identify systems with valuable data or high privileges.

6) Lateral Movement
- Use remote services—primarily SMB and sometimes RDP—to move tools and payloads.
- Enable RDP by flipping the fDenyTSConnections registry value (Terminal Server) to 0.
- Copy malicious binaries to public folders via administrative shares, then trigger execution.
- MITRE: T1021.002 – SMB/Windows Admin Shares, T1021.001 – RDP

7) Mass Deployment and Encryption
- Push the Warlock binary to multiple endpoints. MITRE: T1105 – Ingress Tool Transfer
- Kill services and processes that could interrupt encryption or facilitate recovery. MITRE: T1489 – Service Stop
- Encrypt files and drop “How to decrypt my data.txt” in impacted directories.

8) Data Exfiltration
- Use Rclone, a legitimate sync tool, to exfiltrate data to cloud storage.
- Disguise the binary under benign names (e.g., TrendSecurity.exe) and stash it in inconspicuous directories.
- MITRE: T1567.002 – Exfiltration to Cloud Storage
- Tool reference: rclone.org

This chain is efficient because it leans on:
- Built‑in Windows features (GPO, Guest account, RDP),
- Legitimate tools (Cloudflare tunnels, Rclone),
- And noisy but short‑lived behavior (process killing) executed quickly.
Why This Campaign Is Different
Several factors make Warlock stand out:
- Speed-to-impact: From SharePoint RCE to domain‑wide changes in a compressed timeline. That shortens the defender’s detection window.
- Abuse of admin rails: GPO changes and the “guest” account are high-impact levers that often go unmonitored.
- Living‑off‑the‑land: Using SMB, RDP, and renamed legitimate binaries helps bypass signature-based defenses.
- Derivative of a mature builder: With LockBit 3.0 lineage, the encryptor and playbook are polished.
- Affiliate-driven: RaaS programs scale through affiliates, increasing the number of simultaneous campaigns.
In other words, this is not spray‑and‑pray malware. It’s a professional playbook tailored for enterprise networks.
Immediate Actions: What To Do in the Next 24–72 Hours
If you operate on‑prem SharePoint, prioritize these actions now:
1) Patch and isolate
- Apply Microsoft’s latest SharePoint security updates without delay: MSRC Update Guide
- If patching requires downtime, restrict internet exposure (WAF, VPN-only access, IP allowlists) until patched.
- Check CISA KEV to see if related CVEs are listed and must be patched on a mandated timeline: CISA KEV

2) Hunt for compromise
- Look for new or modified GPOs you don’t recognize.
- Audit for the “guest” account being enabled, password changes, and membership in local Administrators.
- Search for Rclone executions or binaries with suspicious names in odd directories.
- Hunt for renamed “cloudflared” or other tunnel binaries establishing outbound connections.
- Look for mass service stop events or abrupt EDR/AV service terminations.

3) Harden lateral movement
- Temporarily restrict SMB and RDP between segments.
- Require just‑in‑time admin access and MFA for RDP.
- Enforce network segmentation for SharePoint and domain controllers.

4) Monitor and contain
- Ensure your EDR is installed and tuned on SharePoint servers and critical file servers.
- Block outbound traffic to unsanctioned cloud storage providers unless explicitly required.
- If you find signs of compromise, initiate IR playbooks, preserve forensics, and consider legal engagement.
If you need a step-by-step framework, CISA’s ransomware portal is a strong starting point: StopRansomware.gov.
Detection Engineering: High-Signal Events to Watch
You don’t need perfect visibility to catch this. You need the right signals stitched together. Prioritize:
Active Directory and GPO changes
- New GPO creation or link changes (Directory Services logs; Event ID 5136 for AD object modifications).
- Unusual edits to policies that alter RDP settings, local admin groups, or service configurations.
- MITRE: T1484.001 – Domain Policy Modification

Account and group membership events
- Guest account enabled/disabled (Security Event IDs 4722/4725).
- Guest password change or reset (4723/4724).
- Guest added to local Administrators or sensitive groups (4732 for security‑enabled local groups, 4728 for global groups).

Remote service activity
- Sudden spikes in SMB admin share file copies.
- RDP enabled via registry or policy, followed by new RDP logons.
- MITRE: T1021 – Remote Services

Process and service tampering
- Service stop events on security tools and backup agents. MITRE: T1489 – Service Stop
- Parent/child process anomalies from SharePoint worker processes spawning shells or scripting engines.

C2 and tunneling
- Unrecognized binaries (especially recently dropped) making outbound connections on atypical ports or to new domains.
- Suspicious processes with network connections resembling tunnels (e.g., patterns consistent with renamed cloudflared).

Exfiltration
- Process executions containing “rclone” or unusual cloud provider endpoints in command lines.
- New binaries with high entropy or uncommon file names placed in ProgramData, Temp, or user profile paths.
- MITRE: T1567.002 – Exfiltration to Cloud Storage

Mass encryption behaviors
- File rename and write storms with consistent extensions, or ransom note file drops (“How to decrypt my data.txt”).
- Spikes in CPU/disk IO correlating with process trees tied to recently staged binaries.
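To show how the account events above stitch together, here is an added example (not code from the article or from Trend Micro) that correlates Event IDs 4722, 4724 and 4732 for the Guest account on one host into a single alert; the sample events, host names and 30‑minute window are constructed assumptions, and only the English group name and the well-known Administrators SID are matched.

```python
"""Correlate Windows Security events into a single guest-account-abuse alert.

Constructed sample records (not real telemetry) carry the fields a SIEM would
extract from Event IDs 4722 (user enabled), 4724 (password reset) and 4732
(member added to a security-enabled local group). One alert fires per host
where all three stages hit the Guest account inside a short window.
"""
from datetime import datetime, timedelta

# Stage names for the event IDs referenced in the article.
GUEST_STAGES = {4722: "enabled", 4724: "password_reset", 4732: "added_to_local_group"}
# Match the local Administrators group by name or by its well-known SID.
ADMIN_GROUPS = {"administrators", "s-1-5-32-544"}

# Constructed sample events: (timestamp, host, event_id, target_user, group)
SAMPLE_EVENTS = [
    ("2025-08-01T02:10:05", "FS01", 4722, "Guest", None),
    ("2025-08-01T02:10:07", "FS01", 4724, "Guest", None),
    ("2025-08-01T02:10:09", "FS01", 4732, "Guest", "S-1-5-32-544"),
    ("2025-08-01T02:15:00", "WS07", 4732, "jdoe", "Administrators"),  # routine admin work
    ("2025-08-01T03:00:00", "FS02", 4722, "Guest", None),             # enabled only
]


def detect_guest_abuse(events, window_minutes=30):
    """Return one alert dict per host whose Guest account was enabled,
    had its password reset and was added to Administrators within the window."""
    per_host = {}
    for ts, host, event_id, target, group in events:
        stage = GUEST_STAGES.get(event_id)
        if stage is None or target.lower() != "guest":
            continue
        if event_id == 4732 and (group or "").lower() not in ADMIN_GROUPS:
            continue
        # Keep the earliest sighting of each stage on this host.
        per_host.setdefault(host, {}).setdefault(stage, datetime.fromisoformat(ts))

    alerts = []
    window = timedelta(minutes=window_minutes)
    for host, stages in per_host.items():
        if len(stages) < len(GUEST_STAGES):
            continue  # partial sequence: a lower-severity lead, not an alert
        first, last = min(stages.values()), max(stages.values())
        if last - first <= window:
            alerts.append({
                "host": host,
                "first_seen": first.isoformat(),
                "span_seconds": int((last - first).total_seconds()),
                "stages": sorted(stages),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_guest_abuse(SAMPLE_EVENTS):
        print(alert)
```

Hosts that show only one or two stages (FS02 above) are not alerted on, but they are the leads to pivot on next.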
For mapping event IDs and enabling advanced auditing, see Microsoft docs: Advanced security auditing.
Pro tip: Deploy Sysmon in high‑value segments and forward logs centrally. It’s free and provides rich telemetry: Sysmon
Hardening Playbook: Reduce Blast Radius Before the Next Attempt
Even if you’ve patched, assume an attacker will try again. This baseline will help:
SharePoint and perimeter
- Patch, test, and verify monthly. Subscribe to Microsoft advisories.
- Put SharePoint behind a reverse proxy/WAF and minimize public exposure.
- Require VPN or ZTNA for admin endpoints.

Identity and privilege
- Disable the “guest” account domain‑wide unless explicitly needed and closely monitored.
- Enforce least privilege for SharePoint service accounts; remove domain admin privileges from service accounts.
- Deploy just‑enough admin (JEA) and just‑in‑time (JIT) access for admins.

GPO hygiene
- Implement change management and alerts for new GPOs or edits to security‑relevant policies.
- Regularly export and baseline GPOs; diff for unauthorized changes.

Lateral movement controls
- Segment networks. Treat SharePoint like a Tier 1 asset.
- Restrict SMB and RDP to required flows. Enforce MFA for RDP. Consider RD Gateway with conditional access.
- Disable or tightly control local admin accounts. Rotate LAPS‑managed passwords.

Application control and EDR
- Block unapproved admin tools and tunneling binaries through allowlists or WDAC/AppLocker.
- Ensure EDR coverage on SharePoint, DCs, and file servers. Tune detections for the TTPs above.

Backup and recovery
- Maintain offline, immutable backups. Test restores regularly.
- Protect backup infrastructure with strong auth and network isolation.
- Review recovery time objectives (RTO) for your top 10 business services.

Data exfiltration prevention
- Discover and classify sensitive data. Reduce exposure on broad SMB shares.
- Monitor for large egress to cloud storage providers and anomalous destinations.

Security awareness and process
- Run tabletop exercises specifically for “SharePoint RCE > domain changes > ransomware.”
- Pre-stage IR contacts and legal guidance. Speed matters.
Helpful frameworks: NIST’s guidance on recovering from ransomware is pragmatic and detailed: NIST SP 1800‑25
Indicators and Leads: What to Look For During Hunts
While indicators change, here are durable leads:
- Unrecognized executables placed in public folders or ProgramData, recently compiled or renamed.
- Files named like legitimate security tools (e.g., TrendSecurity.exe) but signed by unknown publishers.
- Command lines that include references to cloud storage remotes (common with Rclone).
- New GPOs or policy updates not associated with a change ticket.
- Registry changes enabling RDP or tampering with service startup types for security tools.
- SharePoint worker processes (w3wp.exe) spawning cmd.exe, powershell.exe, or rundll32.exe unexpectedly.

When you find one, pivot out:
- Parent/child process chains.
- Network connections for the process and siblings.
- File write activity around the time of the event.
- User context and logon type.
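The pivot described above, as an added example that is not part of the original article: it starts from a w3wp.exe worker spawning a shell, expands to the seed’s siblings and descendants, lists their network connections, and flags Rclone‑style “remote:path” arguments even when the binary has been renamed. The Sysmon‑like records, PIDs, paths and destinations are constructed assumptions.

```python
"""Pivot out from a seed process event using Sysmon-style records.

Constructed sample records (not real telemetry) mimic Sysmon Event ID 1
(process create) and Event ID 3 (network connection). From a w3wp.exe
worker that spawned a shell, the hunt collects siblings and descendants,
lists their network connections, and flags Rclone-style remote arguments.
"""
import re
from collections import defaultdict

# Constructed process-create records (pid, ppid, image path, command line).
PROC_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd": "w3wp.exe -ap SharePoint"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"pid": 201, "ppid": 200, "image": r"C:\ProgramData\TrendSecurity.exe",
     "cmd": r"TrendSecurity.exe copy D:\Shares\Finance remote:bucket/finance"},
    {"pid": 202, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -enc AAAA"},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
]
# Constructed network-connection records (pid, destination).
NET_EVENTS = [{"pid": 201, "dest": "storage.example.invalid:443"}, {"pid": 300, "dest": "intranet.corp.invalid:80"}]

SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe"}
# Rclone subcommands name a configured remote as <name>:<path>; the binary
# itself may be renamed, so match the argument shape rather than "rclone".
RCLONE_REMOTE = re.compile(r"\b(copy|sync|move)\b.*\s[A-Za-z]\w+:[\w/.-]+", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_seeds(proc_events):
    """Seed events: w3wp.exe directly spawning a shell or scripting host."""
    by_pid = {e["pid"]: e for e in proc_events}
    seeds = []
    for e in proc_events:
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "w3wp.exe" and basename(e["image"]) in SHELLS:
            seeds.append(e)
    return seeds


def pivot(seed_pid, proc_events, net_events):
    """Expand from the seed to its siblings and descendants, then gather leads."""
    by_pid = {e["pid"]: e for e in proc_events}
    children = defaultdict(list)
    for e in proc_events:
        children[e["ppid"]].append(e["pid"])
    scope = set(children[by_pid[seed_pid]["ppid"]])  # the seed plus its siblings
    queue = list(scope)
    while queue:  # walk down the tree from every process in scope
        for child in children[queue.pop()]:
            if child not in scope:
                scope.add(child)
                queue.append(child)
    connections = [(n["pid"], n["dest"]) for n in net_events if n["pid"] in scope]
    exfil_cmds = [by_pid[p]["cmd"] for p in sorted(scope) if RCLONE_REMOTE.search(by_pid[p]["cmd"])]
    return {"scope": sorted(scope), "connections": connections, "exfil_cmds": exfil_cmds}
```

In a real hunt the same walk runs over the EDR or Sysmon process table, with file‑write and logon events joined on the same PIDs and time window.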
Why Patching Alone Isn’t Enough
Patching closes the front door. But Warlock’s edge comes from what happens after they get in:
- GPO changes can persist and redeploy after reboots.
- “Guest” account abuse gives stealthy local admin access.
- Legitimate tools (cloudflared, Rclone) don’t raise simple AV flags.
- Encryption tools kill backup agents to block recovery.
That’s why your response must blend patching, identity hardening, and behavior‑based detection. Here’s why that matters: modern ransomware operators are systems thinkers. They abuse the same controls you use to manage your environment.
Executive Summary You Can Share
- What happened: Warlock ransomware affiliates are exploiting an on‑prem SharePoint chain (“ToolShell”) for RCE, then using GPOs, the “guest” account, SMB/RDP, and legitimate tools (Cloudflare tunnels, Rclone) to spread, exfiltrate, and encrypt.
- Who’s affected: Unpatched on‑prem SharePoint environments across multiple regions and sectors.
- Why it’s serious: The playbook is fast and blends in with admin activity. Recovery is harder due to service/process tampering and data theft.
- What to do now: Patch SharePoint, restrict exposure, hunt for GPO and guest account changes, detect Rclone and tunneling binaries, lock down SMB/RDP, and test your restores.
- Where to learn more: MSRC, CISA KEV, Trend Micro Research, MITRE ATT&CK
FAQs
Q: What is the SharePoint “ToolShell” exploit?
A: It’s a chain of SharePoint flaws that allow attackers to bypass authentication and achieve remote code execution on on‑prem servers. Microsoft has warned that attackers are actively targeting it. See Microsoft’s security updates for patch guidance: MSRC Update Guide.

Q: How does Warlock ransomware differ from other families?
A: Warlock appears to be a customized derivative of the LockBit 3.0 builder, giving it a mature encryptor and flexible configuration. The group’s affiliates also rely on post‑exploitation tradecraft—GPO abuse, guest account manipulation, and living‑off‑the‑land tactics—that speeds up impact while evading simple detection.

Q: What are the top indicators of a Warlock intrusion?
A: Look for:
- New or modified GPOs linked to endpoints.
- “Guest” account enabled and added to local Administrators.
- Suspicious binaries copied to public folders via admin shares.
- Renamed cloudflared tunnel binaries making outbound connections.
- Rclone executions or atypical egress to cloud storage providers.
- Service stop events targeting security and backup tools.
- Ransom note “How to decrypt my data.txt” appearing widely.

Q: We’ve patched SharePoint—are we safe now?
A: Patching prevents new initial access via this vector, but you still need to hunt for persistence, privilege changes, and backdoors left by attackers. If you were compromised before patching, patching alone will not remove footholds.

Q: Can we just block Rclone and be done?
A: Blocking Rclone helps, but attackers can swap tools easily. Focus on behaviors (large egress to cloud storage, unusual process trees, newly dropped binaries with network activity) rather than single IOC blocks.

Q: Is this only about on‑prem SharePoint?
A: That’s the current focus, but the post‑exploitation tactics are generalizable. Even cloud-first orgs should harden identity, lateral movement, and exfiltration controls.

Q: What logging should we enable to catch this?
A: Turn on advanced security auditing for account management and group membership, Directory Services logging for GPO/AD changes, PowerShell logging, Sysmon for process/registry/network events, and centralize logs for correlation. Microsoft’s guide is here: Advanced security auditing.

Q: How should we prepare our backups?
A: Keep offline or immutable backups, protect backup consoles with MFA and network isolation, and perform regular recovery drills. NIST provides practical guidance: NIST SP 1800‑25.
The Bottom Line
Warlock’s rise shows how quickly a new ransomware brand can become a global threat when it marries a fresh exploit path (SharePoint ToolShell) with tried‑and‑true enterprise attack techniques. The fix isn’t one thing—it’s defense in depth:
- Patch SharePoint and reduce its exposure.
- Monitor for GPO and account abuse.
- Restrict SMB/RDP and enforce MFA.
- Detect legitimate tools misused for C2 and exfiltration.
- Protect and test your backups.
Action now beats forensics later.