Shane

Warlock Ransomware Exploits SharePoint Vulnerabilities in Massive Global Attack Campaign

But Wait, There’s More – Warlock Ransomware Exploits SharePoint Flaws to Compromise 400+ Organizations Worldwide


A sophisticated ransomware campaign targeting Microsoft SharePoint servers has compromised over 400 organizations worldwide, including multiple U.S. government agencies. The attack, led by the Chinese-backed threat group Storm-2603, leverages critical vulnerabilities known as the “ToolShell” exploit chain to deploy Warlock ransomware across compromised networks.

 Description of the Attack

The Warlock ransomware campaign represents a convergence of nation-state espionage tactics and financially motivated cybercrime, targeting Microsoft SharePoint servers through a sophisticated exploit chain known as “ToolShell.”

  • Storm-2603, a suspected China-based threat actor, has been deploying Warlock ransomware since July 18, 2025
  • The attack exploits CVE-2025-53770, a critical remote code execution vulnerability with a CVSS score of 9.8
  • CVE-2025-53771, a spoofing vulnerability, is used in combination to bypass authentication mechanisms
  • These vulnerabilities are variants of earlier flaws (CVE-2025-49704 and CVE-2025-49706) that Microsoft had previously patched
  • Threat actors discovered methods to bypass the original security fixes
  • The exploit chain bypasses multi-factor authentication and single sign-on protections
  • Attackers gain complete access to SharePoint content and can execute arbitrary code over the network
  • No user interaction is required for successful exploitation

This attack demonstrates how sophisticated threat actors can weaponize patch bypasses to conduct large-scale ransomware campaigns against critical infrastructure and government targets.


 Severity of the Issue

This attack campaign represents one of the most significant cybersecurity incidents of 2025. The severity is amplified by several factors:

  • Over 400 organizations have been actively compromised across four distinct attack waves
  • Multiple U.S. federal agencies affected, including the Departments of Energy, Homeland Security, and Health and Human Services
  • The National Nuclear Security Administration was among the compromised entities
  • Critical infrastructure operators, including the California Independent System Operator, were impacted
  • SharePoint’s deep integration with Microsoft’s ecosystem means compromises can spread to Office, Teams, OneDrive, and Outlook

The global scope of the attack is staggering, with victims identified across 21 countries spanning every geographical region. The United States accounts for over 13% of all attacks, making it the most heavily targeted nation.

 How the Vulnerability is Exploited

The ToolShell attack chain operates through a sophisticated multi-stage process that leverages both authentication bypass and remote code execution vulnerabilities to gain persistent access to SharePoint environments.

  • Attackers send crafted POST requests to SharePoint’s “/_layouts/15/ToolPane.aspx” endpoint
  • A spoofed Referer header set to “_layouts/SignOut.aspx” is used to bypass authentication controls
  • CVE-2025-53771 enables spoofing of legitimate SharePoint workflows to gain initial access
  • CVE-2025-53770 is then exploited through unsafe deserialization of untrusted data
  • Malicious serialized input is processed by SharePoint, allowing remote code execution
  • The “spinstall0.aspx” web shell is deployed to provide persistent backdoor access
  • Legitimate system processes like cmd.exe, w3wp.exe, and services.exe are used for reconnaissance
  • Attackers steal cryptographic machine keys, specifically ValidationKey and DecryptionKey from ASP.NET
  • Stolen keys allow forgery of authentication tokens and crafting of malicious __VIEWSTATE payloads
  • Mimikatz hacking tool extracts plaintext credentials from LSASS memory
  • PsExec is used for lateral movement through compromised networks
  • Group Policy Objects are modified to distribute Warlock ransomware throughout the environment

This sophisticated attack methodology provides persistent access that can survive standard mitigation efforts like server reboots or web shell removal, making it particularly dangerous for targeted organizations.


(Storm-2603 attack chain exploiting SharePoint vulnerabilities and leading to ransomware – Source: Microsoft Threat Intelligence)

 Who is Behind the Issue

The SharePoint vulnerability exploitation campaign involves multiple Chinese threat actors with different motivations and capabilities, ranging from state-sponsored espionage groups to financially motivated cybercriminals.

  • Storm-2603: Primary threat actor responsible for Warlock ransomware deployment, suspected China-based cybercriminal group
  • Previously observed deploying both Warlock and LockBit ransomware in past campaigns
  • Appears to operate as a financially motivated threat group, though state connections remain unclear
  • Microsoft cannot confidently assess their exact objectives or sponsorship
  • Linen Typhoon (Emissary Panda, APT27): Confirmed Chinese state-sponsored group focused on intellectual property theft
  • Violet Typhoon (Zirconium, Judgment Panda, APT31): State-sponsored espionage group conducting intelligence operations
  • Both state groups have over a decade of documented activity targeting Western organizations
  • All three groups are exploiting the same SharePoint vulnerabilities for their respective missions

The involvement of both state-sponsored and criminal groups in exploiting the same vulnerabilities demonstrates the high value of these exploits and the serious threat they pose to organizations worldwide.

 Who is at Risk

Organizations running on-premises Microsoft SharePoint servers are the primary targets of this campaign. The affected versions include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Importantly, SharePoint Online in Microsoft 365 is not impacted by these vulnerabilities.

The attack has demonstrated a particular focus on high-value targets:

  • Government agencies at federal, state, and local levels
  • Critical infrastructure operators, especially energy sector organizations
  • Educational institutions
  • Healthcare organizations
  • Professional services firms
  • Manufacturing companies
  • Financial services organizations

Organizations with internet-facing SharePoint servers are at the highest risk, as the vulnerabilities can be exploited remotely without any authentication. The Shadowserver Foundation identified nearly 11,000 SharePoint instances still exposed to the internet as of July 24, 2025, representing a significant pool of potential victims.

Small and medium-sized businesses are particularly vulnerable due to limited cybersecurity resources and potentially delayed patch deployment cycles. The automated nature of many exploitation attempts means attackers are not discriminating based on organization size.


(SharePoint IPs confirmed vulnerable to CVE-2025-53770, CVE-2025-53771 – Source: Shadowserver Foundation)

 Remediation Efforts

Microsoft has released comprehensive security updates that fully address CVE-2025-53770 and CVE-2025-53771 for all supported versions of SharePoint Server. Organizations must take immediate action:

Immediate Patching Requirements:

  • Apply the July 2025 security updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016
  • Ensure systems are upgraded to supported versions of SharePoint Server
  • Restart IIS on all SharePoint servers using iisreset.exe after applying patches

Security Configuration Enhancements:

  • Enable and properly configure Antimalware Scan Interface (AMSI) integration in SharePoint
  • Deploy Microsoft Defender Antivirus on all SharePoint servers
  • Configure AMSI in Full Mode for optimal protection
  • Enable HTTP Request Body scanning where available

Cryptographic Key Management:

  • Immediately rotate ASP.NET machine keys before applying patches
  • Rotate machine keys again after installing security updates
  • Monitor for unauthorized access to machine key storage locations

Network Security Measures:

  • Disconnect public-facing SharePoint servers that have reached end-of-life from the internet
  • Implement network segmentation to limit lateral movement
  • Monitor for suspicious network communications to known command and control infrastructure

Threat Hunting and Detection:

  • Search for the creation of “spinstall0.aspx” and “info3.aspx” files in SharePoint layouts directories
  • Monitor for process creations where w3wp.exe spawns encoded PowerShell commands
  • Look for modifications to Group Policy Objects that could distribute ransomware
  • Examine network logs for POST requests to “/_layouts/15/ToolPane.aspx” with suspicious Referer headers

Organizations should operate under the assumption that any SharePoint server that has been internet-facing at any point during the past month has already been compromised, and should conduct a thorough forensic investigation rather than relying on patching alone.
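An added example, not code from this post, from CinchOps or from Microsoft: a small Python hunt over IIS W3C log lines that flags the two request patterns the post describes, a POST to ToolPane.aspx carrying the spoofed SignOut.aspx Referer, and any request for the spinstall0.aspx or info3.aspx web shell names. The log excerpt, hostnames and IP addresses are constructed; field names are read from the standard IIS `#Fields:` header, so the same logic works on real logs with a different field order.

```python
"""Hunt IIS W3C logs for the ToolShell request patterns called out in this post."""
from dataclasses import dataclass

# Constructed sample log excerpt (not a real capture). IIS writes one
# record per line and describes the column order in a "#Fields:" header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:14:07 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.23 Mozilla/5.0 https://sp.example.internal/ 200
2025-07-19 02:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 02:14:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 02:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.0.41 Mozilla/5.0 https://sp.example.internal/sites/hr 200
"""

# Web shell file names named in the post's threat-hunting guidance.
WEBSHELL_NAMES = {"spinstall0.aspx", "info3.aspx"}


@dataclass
class Finding:
    line_no: int
    client_ip: str
    rule: str


def parse_w3c(text):
    """Yield (line_no, record) pairs, mapping columns via the #Fields: header."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):  # skip truncated or malformed records
            continue
        yield n, dict(zip(fields, values))


def hunt(text):
    """Return findings for ToolShell-style requests and web shell retrievals."""
    findings = []
    for n, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "-").lower()
        method = rec.get("cs-method", "").upper()
        ip = rec.get("c-ip", "-")
        # Rule 1: POST to ToolPane.aspx (any site path) with the spoofed SignOut Referer.
        if (method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
                and "_layouts/signout.aspx" in referer):
            findings.append(Finding(n, ip, "toolpane-post-spoofed-signout-referer"))
        # Rule 2: any request whose file name matches a known web shell name.
        if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            findings.append(Finding(n, ip, "known-webshell-path"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip}")
```

The last record, an authenticated editor POST with a same-site Referer, is deliberately not flagged; a hit on rule 1 should be treated as a likely compromise and followed by the machine-key rotation and forensic steps above.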

 How CinchOps Can Help

The Warlock ransomware campaign targeting SharePoint servers demonstrates the critical importance of proactive cybersecurity measures and rapid incident response capabilities. CinchOps provides comprehensive managed IT services designed to protect your organization from sophisticated threats like this.

  • 24/7 Security Monitoring: CinchOps continuously monitors your network for indicators of compromise, including the specific tactics used by Storm-2603 and other threat actors
  • Vulnerability Management: We maintain current patch levels across your entire IT infrastructure, ensuring critical security updates like the SharePoint patches are applied immediately
  • Incident Response Services: CinchOps can rapidly contain and remediate ransomware attacks, minimizing business disruption and data loss
  • Backup and Recovery Solutions: We implement robust backup strategies that protect against ransomware encryption, ensuring your data remains accessible even during an attack
  • Network Segmentation: Our network design expertise helps limit the spread of attacks through proper segmentation and access controls
  • Employee Security Training: We provide comprehensive cybersecurity awareness training to help your staff recognize and report potential threats
  • Threat Intelligence: Our threat intelligence services keep your organization informed about emerging threats and attack campaigns like the Warlock ransomware operation

Don’t let your organization become the next victim of sophisticated ransomware campaigns. Contact CinchOps today to strengthen your cybersecurity posture and protect your critical business assets.


 Discover More 

Discover more about our enterprise-grade, business-protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Microsoft Releases Emergency SharePoint Updates Following Global ToolShell Attacks
For Additional Information on this topic: Disrupting active exploitation of on-premises SharePoint vulnerabilities
