US Energy Department

The US Energy Department, including its National Nuclear Security Administration (NNSA), which maintains America's nuclear weapons, was among the victims of the ransomware attack exploiting vulnerable on-premises SharePoint servers. The attack involved the deployment of Warlock ransomware by the threat group Storm-2603, which exploited security holes to compromise more than 400 organizations. The attackers disabled Microsoft Defender protections, stole user credentials, and moved laterally through the network, causing significant disruption and potential data loss.

Source: https://www.theregister.com/2025/07/24/microsoft_sharepoint_ransomware/

TPRM report: https://scoringcyber.rankiteo.com/company/energy

"id": "ene338072525",
"linkid": "energy",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Energy',
                        'location': 'United States',
                        'name': 'US Energy Department',
                        'type': 'Government Agency'},
                       {'industry': 'Nuclear Security',
                        'location': 'United States',
                        'name': 'National Nuclear Security Administration '
                                '(NNSA)',
                        'type': 'Government Agency'}],
 'attack_vector': 'Vulnerability Exploitation',
 'date_detected': '2023-07-18',
 'date_publicly_disclosed': '2023-07-19',
 'description': 'Ransomware attack by Storm-2603 exploiting vulnerabilities in '
                'on-premises SharePoint servers to deploy Warlock and Lockbit '
                'ransomware.',
 'impact': {'systems_affected': ['SharePoint Enterprise Server 2016',
                                 'SharePoint Server 2019',
                                 'SharePoint Server Subscription Edition']},
 'initial_access_broker': {'backdoors_established': 'Web shells',
                           'entry_point': 'Vulnerable SharePoint servers'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'corrective_actions': 'Patching vulnerabilities',
                            'root_causes': 'Vulnerabilities in on-premises '
                                           'SharePoint servers'},
 'ransomware': {'ransomware_strain': ['Warlock', 'Lockbit']},
 'recommendations': ['Implement mitigations and security updates immediately'],
 'references': [{'source': 'The Register'}],
 'response': {'containment_measures': ['Disabling Microsoft Defender '
                                       'protections',
                                       'Establishing persistence using web '
                                       'shells',
                                       'Creating scheduled tasks',
                                       'Manipulating IIS components'],
              'remediation_measures': ['Patching vulnerabilities',
                                       'Implementing mitigations']},
 'threat_actor': 'Storm-2603',
 'title': 'Ransomware Attack Exploiting Vulnerable SharePoint Servers',
 'type': 'Ransomware',
 'vulnerability_exploited': ['CVE-2025-49704',
                             'CVE-2025-49706',
                             'CVE-2025-53770',
                             'CVE-2025-53771']}