Emulating the Expedited Warlock Ransomware

Warlock is a Ransomware-as-a-Service strain first advertised on RAMP in June 2025 and used by the China-based actor Storm-2603 in at least 11 confirmed incidents, primarily targeting unpatched on-premises Microsoft SharePoint servers via the “ToolShell” exploit chain. AttackIQ released emulations and attack graphs to help organizations validate their defenses against Warlock’s exploitation and post-compromise behaviors.

Keypoints

  • Warlock emerged in June 2025 as a Ransomware-as-a-Service offering advertised on the Russian Anonymous Marketplace (RAMP).
  • Analysts note operational and tactical similarities between Warlock and the former Black Basta group, suggesting a possible offshoot or rebrand.
  • Storm-2603, a China-based adversary, has been linked to at least 11 confirmed Warlock deployments since mid-July 2025.
  • Operators exploited multiple zero-day SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) — the “ToolShell” chain — to gain unauthenticated access and run arbitrary commands.
  • AttackIQ published emulation attack graphs (late July/early August 2025) to replicate Warlock TTPs so defenders can validate detection and prevention controls.
  • Warlock’s post-compromise behaviors include debugger/sandbox detection, system/process/service discovery, network share and volume enumeration, filesystem traversal, and AES-256/RSA-2048 file encryption.
  • Using AttackIQ’s emulations helps organizations evaluate security control performance and incident response readiness, and reduce their exposure to opportunistic ransomware actors.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Downloads payloads to memory and saves to disk to test network and endpoint controls; quoted: ‘This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.’
  • [T1497] Virtualization/Sandbox Evasion – Executes debugger-detection to evade analysis; quoted: ‘This scenario will execute the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.’
  • [T1082] System Information Discovery – Retrieves system information via GetNativeSystemInfo to collect host details; quoted: ‘This scenario executes the GetNativeSystemInfo Native API call to retrieve information associated with the system.’
  • [T1082] System Information Discovery – Retrieves computer name via GetComputerNameA to gather host identity; quoted: ‘This scenario executes the GetComputerNameA Windows API call to retrieve a NetBIOS associated with the local computer.’
  • [T1057] Process Discovery – Enumerates running processes using CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW; quoted: ‘This scenario uses Windows API to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.’
  • [T1007] System Service Discovery – Gathers service information with QueryServiceStatusEx and EnumDependentServices; quoted: ‘This scenario executes the QueryServiceStatusEx and EnumDependentServices Windows API calls to retrieve information pertaining to a given service.’
  • [T1135] Network Share Discovery – Enumerates network shares using NetShareEnum to locate remote resources for encryption; quoted: ‘This scenario executes the NetShareEnum Windows native API call to enumerate network shares from the local computer.’
  • [T1082] System Information Discovery – Enumerates volumes with FindFirstVolumeW and FindNextVolumeW to identify storage targets; quoted: ‘This scenario executes the FindFirstVolumeW and FindNextVolumeW Windows API calls to iterate through the available volumes of the system.’
  • [T1082] System Information Discovery – Uses GetDriveTypeW to identify drive types and target appropriate storage; quoted: ‘This scenario executes the GetDriveTypeW Windows API call to retrieve information regarding the system’s physical drives.’
  • [T1083] File and Directory Discovery – Traverses the filesystem with FindFirstFileW and FindNextFileW to find files to encrypt; quoted: ‘This scenario will call the FindFirstFileW and FindNextFileW Windows API to perform the enumeration of the file system.’
  • [T1486] Data Encrypted for Impact – Encrypts files in place using AES-256-CBC combined with RSA-2048 for key encryption to disrupt availability; quoted: ‘This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by multiple ransomware strains.’
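Added example (not code from the AttackIQ post): a small Python correlation rule that maps the Windows APIs named in the technique list above to their MITRE technique IDs and flags a process that pairs file-system traversal (T1083) with several of the anti-analysis and discovery techniques. The telemetry line format, the process names and the sample trace are constructed assumptions, not observed Warlock artifacts.

```python
import re
# Map each Windows API named in the technique list above to the MITRE technique it evidences.
API_TO_TECHNIQUE = {
    "IsDebuggerPresent": "T1497",
    "GetNativeSystemInfo": "T1082", "GetComputerNameA": "T1082", "GetDriveTypeW": "T1082",
    "FindFirstVolumeW": "T1082", "FindNextVolumeW": "T1082",
    "CreateToolhelp32Snapshot": "T1057", "Process32FirstW": "T1057", "Process32NextW": "T1057",
    "QueryServiceStatusEx": "T1007", "EnumDependentServices": "T1007", "NetShareEnum": "T1135",
    "FindFirstFileW": "T1083", "FindNextFileW": "T1083",
}

# Assumed (hypothetical) telemetry line format: "<ts> pid=<n> image=<exe> api=<name>".
LINE_RE = re.compile(r"pid=(\d+)\s+image=(\S+)\s+api=(\w+)")
# Constructed sample trace: pid 4242 walks the Warlock chain; pid 1001 is a file manager
# that only enumerates drives and files (benign overlap with T1082/T1083).
SAMPLE_TRACE = """\
2025-08-27T10:00:01Z pid=4242 image=update.exe api=IsDebuggerPresent
2025-08-27T10:00:01Z pid=4242 image=update.exe api=GetNativeSystemInfo
2025-08-27T10:00:02Z pid=1001 image=explorer.exe api=GetDriveTypeW
2025-08-27T10:00:02Z pid=4242 image=update.exe api=CreateToolhelp32Snapshot
2025-08-27T10:00:03Z pid=4242 image=update.exe api=QueryServiceStatusEx
2025-08-27T10:00:03Z pid=1001 image=explorer.exe api=FindFirstFileW
2025-08-27T10:00:03Z pid=4242 image=update.exe api=NetShareEnum
2025-08-27T10:00:04Z pid=4242 image=update.exe api=FindFirstVolumeW
2025-08-27T10:00:04Z pid=4242 image=update.exe api=FindFirstFileW
2025-08-27T10:00:05Z pid=1001 image=explorer.exe api=FindNextFileW
""".splitlines()


def techniques_per_process(lines):
    """Return {pid: (image, [technique ids in first-seen order])} from trace lines."""
    seen = {}
    for line in lines:
        m = LINE_RE.search(line)
        tech = API_TO_TECHNIQUE.get(m.group(3)) if m else None
        if tech is None:
            continue  # unparseable line, or an API that is not part of the chain above
        _, techs = seen.setdefault(m.group(1), (m.group(2), []))
        if tech not in techs:
            techs.append(tech)
    return seen


def flag_ransomware_like(lines, min_precursors=3):
    """Flag processes pairing T1083 traversal with >= min_precursors other chain techniques."""
    hits = []
    for pid, (image, techs) in techniques_per_process(lines).items():
        precursors = [t for t in techs if t != "T1083"]
        if "T1083" in techs and len(precursors) >= min_precursors:
            hits.append((pid, image, techs))
    return hits
```

Tune `min_precursors` against your own baseline: backup agents and file managers legitimately hit T1082 and T1083, so the signal comes from combining them with debugger checks, process/service enumeration and share discovery in one process.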

Indicators of Compromise

  • [Vulnerabilities] ToolShell exploit chain – CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770/CVE-2025-53771 (SharePoint zero-days) used to gain unauthenticated access.
  • [File/Artifact Names] Ransomware payload behaviors – no specific filenames or hashes are given; the artifacts are behavioral, namely calls to IsDebuggerPresent, GetNativeSystemInfo, and CreateToolhelp32Snapshot.
  • [APIs/Windows Calls] Discovery/encryption API usage – NetShareEnum, FindFirstVolumeW/FindNextVolumeW, FindFirstFileW/FindNextFileW observed during intrusions.
  • [Cryptography] Encryption scheme – AES-256-CBC for file encryption and RSA-2048 for key encryption observed in ransomware impact.
  • [Campaign Attribution] Threat actor – Storm-2603 associated with at least 11 confirmed Warlock deployments.

Read more: https://www.attackiq.com/2025/08/27/emulating-warlock-ransomware/