Unnamed Victim Organization (as per Cisco Talos report)

The company fell victim to a sophisticated ransomware attack orchestrated by the Storm-2603 gang (linked to the Warlock, LockBit, and Babuk variants). The attackers exploited Microsoft SharePoint zero-day vulnerabilities (ToolShell) to gain initial access, then deployed an outdated, vulnerable version of Velociraptor (0.73.4.0, affected by CVE-2025-6264) to maintain stealthy persistence. They disabled Active Directory protections (real-time monitoring, behavior/file scanning) and used Smbexec for lateral movement. A fileless PowerShell script served as the primary encryptor, while LockBit, Warlock (xlockxlock), and Babuk (.babyk) ransomware variants were deployed across VMware ESXi virtual machines and Windows/Linux servers. The attack included double extortion: data exfiltration (via a PowerShell script with suppressed progress indicators) followed by mass encryption. Partial encryption on the ESXi servers suggested operational hurdles, but the attack still disrupted core systems, risking data loss, operational outages, and financial/reputational damage. The gang's ties to Chinese nation-state actors (PRC) and its use of three ransomware strains in a single attack underscored its advanced persistent threat (APT) capabilities.

Source: https://www.theregister.com/2025/10/10/ransomware_velociraptor/

TPRM report: https://www.rankiteo.com/company/equiphumanity

{
  "id": "equ2592025101025",
  "linkid": "equiphumanity",
  "type": "Ransomware",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'type': 'Organization (Victim)'}],
 'attack_vector': ['Exploitation of Public-Facing Application (Microsoft '
                   'SharePoint ToolShell vulnerabilities)',
                   'Valid Accounts (via Velociraptor persistence)',
                   'Remote Services (SMB via Smbexec)',
                   'PowerShell Scripting'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_detected': '2024-08-01',
 'date_publicly_disclosed': '2024-09-12',
 'description': 'The ransomware gang Storm-2603 (also tracked as Warlock, '
                'CL-CRI-1040, and a LockBit affiliate) exploited Microsoft '
                'SharePoint zero-day vulnerabilities (ToolShell) to deploy a '
                'multi-ransomware attack using Warlock, LockBit, and Babuk '
                'variants. The attackers repurposed the open-source digital '
                'forensics tool Velociraptor (v0.73.4.0, vulnerable to '
                'CVE-2025-6264) to maintain stealthy persistence, disable '
                'security controls (e.g., Active Directory real-time '
                'protection), and execute fileless PowerShell scripts for '
                'encryption and data exfiltration. The attack targeted VMware '
                'ESXi virtual machines and Windows servers, with partial '
                'encryption observed on Linux (ESXi) systems. A '
                'double-extortion tactic was employed, with data exfiltrated '
                'prior to encryption. The group is suspected to have ties to '
                'Chinese nation-state actors but operates as a financially '
                'motivated ransomware affiliate.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'downtime': True,
            'operational_impact': True,
            'systems_affected': ['VMware ESXi virtual machines',
                                 'Windows servers',
                                 'Linux (ESXi) servers']},
 'initial_access_broker': {'backdoors_established': ['Velociraptor '
                                                     '(v0.73.4.0)'],
                           'entry_point': 'Microsoft SharePoint ToolShell '
                                          'vulnerabilities (high confidence)',
                           'high_value_targets': ['VMware ESXi virtual '
                                                  'machines',
                                                  'Windows servers',
                                                  'Active Directory']},
 'investigation_status': 'Ongoing (limited visibility due to partial victim '
                         'data access)',
 'lessons_learned': ['Legitimate open-source tools (e.g., Velociraptor) can be '
                     'repurposed by threat actors to evade detection.',
                     'Multi-ransomware deployment in a single attack is a '
                     'hallmark of Storm-2603, increasing operational '
                     'resilience for attackers.',
                     'Disabling security controls (e.g., Active Directory '
                     'real-time protection) is a critical step in ransomware '
                     'attacks.',
                     'Fileless PowerShell scripts with suppressed progress '
                     "indicators ($ProgressPreference = 'SilentlyContinue') "
                     'can bypass traditional detection mechanisms.',
                     'Patching known vulnerabilities (e.g., SharePoint '
                     'ToolShell) is essential to prevent initial access.'],
 'motivation': ['Financial Gain',
                'Potential Nation-State Alignment (suspected PRC ties)'],
 'post_incident_analysis': {'corrective_actions': ['Immediate patching of '
                                                   'SharePoint and '
                                                   'Velociraptor '
                                                   'vulnerabilities.',
                                                   'Enhanced monitoring for '
                                                   'DFIR tool abuse and '
                                                   'fileless attacks.',
                                                   'Hardening of Active '
                                                   'Directory and SMB '
                                                   'protocols.',
                                                   'Review of third-party tool '
                                                   'deployment policies.'],
                            'root_causes': ['Unpatched SharePoint '
                                            'vulnerabilities enabling initial '
                                            'access.',
                                            'Lack of detection for repurposed '
                                            'legitimate tools (Velociraptor).',
                                            'Insufficient controls on '
                                            'PowerShell and SMB lateral '
                                            'movement.',
                                            'Disabled or bypassed endpoint '
                                            'security monitoring (Active '
                                            'Directory real-time '
                                            'protection).']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': ['Warlock', 'LockBit', 'Babuk']},
 'recommendations': ['Patch all Microsoft SharePoint servers against ToolShell '
                     'vulnerabilities immediately.',
                     'Monitor for unauthorized use of Velociraptor or other '
                     'legitimate DFIR tools (refer to Rapid7’s detection '
                     'guidelines).',
                     'Implement strict controls on PowerShell script execution '
                     'and SMB lateral movement (e.g., Smbexec).',
                     'Enable tamper-proof logging for Active Directory and '
                     'endpoint security configurations.',
                     'Deploy behavioral detection for fileless attacks and '
                     'unusual encryption processes.',
                     'Assume breach posture: proactively hunt for persistence '
                     'mechanisms like outdated Velociraptor agents.'],
 'references': [{'date_accessed': '2024-09-12',
                 'source': 'Cisco Talos Threat Report'},
                {'source': 'Microsoft Security Blog (July 2024)'},
                {'source': 'Halcyon Ransomware Report (September 2024)'},
                {'source': 'Rapid7 Velociraptor Misuse Detection Guidelines'}],
 'response': {'incident_response_plan_activated': True,
              'remediation_measures': ['Patching SharePoint vulnerabilities',
                                       'Detecting Velociraptor misuse (per '
                                       'Rapid7 guidelines)'],
              'third_party_assistance': ['Cisco Talos']},
 'threat_actor': ['Storm-2603', 'Warlock', 'CL-CRI-1040', 'LockBit Affiliate'],
 'title': 'Storm-2603 Ransomware Attack Exploiting Microsoft SharePoint '
          'Zero-Days and Velociraptor for Persistence',
 'type': ['Ransomware',
          'Data Breach',
          'Privilege Escalation',
          'Persistence',
          'Double Extortion'],
 'vulnerability_exploited': ['Microsoft SharePoint ToolShell vulnerabilities '
                             '(zero-day, patched post-exploitation)',
                             'Velociraptor CVE-2025-6264 (privilege escalation '
                             'to arbitrary command execution)']}