Warlock ransomware, once just a brash forum post in June 2025, has moved from obscurity to global notoriety in record time. By July, the new ransomware group was actively exploiting Microsoft’s SharePoint ToolShell vulnerability to compromise organizations across continents.
Trend Micro Unit 42 researchers warn that this combination of a fresh ransomware brand and a widely abused enterprise software flaw has created fertile ground for one of the fastest-growing threats of the year (Unit42, 2025). Calling the threat “high-impact,” the researchers pointed out that SaaS environments remained unaffected, but “self-hosted SharePoint deployments—particularly within government, schools, healthcare (including hospitals) and large enterprise companies—[were] at immediate risk.”
Warlock’s rise was unusually swift. The group’s operators introduced themselves on the Russian-language RAMP forum with a flashy pitch: “If you want a Lamborghini, please contact me.” Within weeks, the promise of fast money had turned into a sprawling affiliate program. By mid-2025, its victims included organizations across North America, Europe, Asia, and Africa, spanning industries from telecoms and technology to critical infrastructure. On July 23, Microsoft confirmed that a China-based actor, Storm-2603, was distributing Warlock ransomware through compromised SharePoint on-premises servers, just days after warning customers about the exploit chain dubbed ToolShell. By August 20, Trend Micro reported that Warlock had cemented its presence as a key ransomware player, even claiming responsibility for an attack on UK telecoms firm Colt Technology Services (TrendMicro, 2025).
“The Warlock ransomware campaign exemplifies how quickly threat actors can weaponize enterprise vulnerabilities for high-impact extortion activities,” Trend Micro researchers wrote. “Through the exploitation of the SharePoint vulnerabilities, attackers were able to bypass authentication, achieve remote code execution (RCE), and rapidly pivot across compromised networks.”
The success of these campaigns is built upon the precision of their attack chain. Once SharePoint servers are compromised, Warlock affiliates escalate privileges by manipulating Windows accounts, often reactivating the built-in Guest account, resetting its password, and granting it administrative rights. A covert command-and-control channel is then established inside the victim environment, sometimes disguised with renamed Cloudflare binaries to evade security systems. The attackers take deliberate steps to disable security vendor tools, ensuring their presence remains undetected as they survey the network.
Reconnaissance is followed by lateral movement, with operators collecting detailed system and user data before spreading across machines using remote services such as SMB and RDP. From there, the ransomware binary is distributed widely, often through public folders on multiple endpoints. Once executed, the malware encrypts files, leaves behind ransom notes titled “How to decrypt my data.txt,” and forcibly shuts down processes to maximize disruption and prevent recovery. In parallel, the group exfiltrates sensitive data using Rclone, a legitimate file synchronization tool disguised under innocuous names like TrendSecurity.exe. Researchers have linked the ransomware’s codebase to a modified version of the leaked LockBit 3.0 builder, suggesting Warlock is not only organized but technically well equipped.
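As an added example (not code from the Trend Micro report or this article), the following Python flags two of the behaviours described above from constructed Windows Security and Sysmon records: an account that is enabled, has its password reset and is added to Administrators within a short window (generalized from the Guest account to any account), and a process whose on-disk name differs from its PE OriginalFileName when the original is rclone or cloudflared. Event IDs 4722/4724/4732 and the Sysmon OriginalFileName field are real; the hostnames, paths and sample records are constructed.

```python
"""Detect the account-escalation chain and renamed-tool tradecraft described
above from constructed Windows event records (example code, not the report's)."""
import ntpath
from collections import defaultdict
from datetime import datetime

# Windows Security event IDs: account enabled, password reset, member added to a local group.
ENABLED, PW_RESET, ADDED_TO_GROUP = 4722, 4724, 4732
# Sysmon Event ID 1 records OriginalFileName from the PE version resource,
# which survives renaming the file on disk. Assumed original names of the tools.
KNOWN_TOOLS = {"rclone.exe", "cloudflared.exe"}

# Constructed sample events (not real telemetry). Hostnames and paths are made up.
EVENTS = [
    {"id": 4722, "time": "2025-07-20T02:01:10", "target": "Guest", "host": "SP01"},
    {"id": 4724, "time": "2025-07-20T02:01:15", "target": "Guest", "host": "SP01"},
    {"id": 4732, "time": "2025-07-20T02:01:22", "target": "Guest", "host": "SP01", "group": "Administrators"},
    {"id": 4724, "time": "2025-07-20T09:00:00", "target": "svc_backup", "host": "FS02"},  # benign reset
    {"id": 1, "time": "2025-07-20T02:10:00", "host": "SP01",
     "image": r"C:\ProgramData\TrendSecurity.exe", "orig": "rclone.exe"},
    {"id": 1, "time": "2025-07-20T02:11:00", "host": "SP01",
     "image": r"C:\Tools\cloudflared.exe", "orig": "cloudflared.exe"},  # not renamed
]

def detect_guest_escalation(events, window_seconds=1800):
    """Alert when one account on one host is enabled, has its password reset and is
    added to Administrators within window_seconds, regardless of event order."""
    seen = defaultdict(dict)  # (host, account) -> {event_id: timestamp}
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] not in (ENABLED, PW_RESET, ADDED_TO_GROUP):
            continue
        if e["id"] == ADDED_TO_GROUP and e.get("group") != "Administrators":
            continue
        key = (e["host"], e["target"].lower())
        seen[key][e["id"]] = datetime.fromisoformat(e["time"])
        stages = seen[key]
        if len(stages) == 3 and (max(stages.values()) - min(stages.values())).total_seconds() <= window_seconds:
            alerts.append(f"{e['host']}: account '{e['target']}' enabled, reset and made admin within window")
            seen[key] = {}  # start over so a repeat of the chain alerts again
    return alerts

def detect_renamed_tools(events):
    """Alert on process launches whose file name differs from the PE OriginalFileName
    when the original is a known tunnelling or exfiltration tool."""
    return [f"{e['host']}: {e['image']} is really {e['orig']}"
            for e in events
            if e["id"] == 1 and e.get("orig", "").lower() in KNOWN_TOOLS
            and ntpath.basename(e["image"]).lower() != e["orig"].lower()]

if __name__ == "__main__":
    for alert in detect_guest_escalation(EVENTS) + detect_renamed_tools(EVENTS):
        print(alert)
```

Both checks key on fields that survive renaming or reordering, so tightening the time window is the main tuning knob against noisy account-maintenance environments.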
The bigger story here is not just about a single ransomware strain but about the speed at which new groups can professionalize. Warlock demonstrates how quickly a threat actor can move from online bravado to large-scale, coordinated attacks by exploiting the vulnerabilities enterprises leave unpatched. In less than three months, the group has transformed into a recognizable global menace, illustrating the fluid and opportunistic nature of the ransomware landscape.
The most effective line of defense remains timely patching of on-premises SharePoint servers, alongside layered monitoring and detection strategies. Clearly, the distance between a hacker’s forum boast and a full-scale international ransomware campaign has never been shorter, and the cost of delay in enterprise security has never been higher.