[Unnamed Victim Organization]

An unnamed organization fell victim to a multi-vector ransomware attack carried out by affiliates of the Warlock ransomware operation, with ties to Storm-2603, a China-based group previously known for exploiting Microsoft SharePoint vulnerabilities. Rather than relying only on custom malware, the attackers abused Velociraptor, a legitimate open-source DFIR tool, to operate inside the compromised network before deploying Warlock, LockBit, and Babuk ransomware across the victim's infrastructure. The encryption targeted VMware ESXi virtual machines (VMs) and Windows servers, taking down critical systems and severely disrupting the IT environment. The incident also involved data exfiltration (as evidenced by use of Warlock's data leak site) and operational paralysis that likely halted business functions dependent on the encrypted servers. The coordinated use of multiple ransomware strains points to a deliberately destructive attack designed to maximize pressure on the victim to pay. Storm-2603's history of exploiting zero-day vulnerabilities further indicates mature persistence and lateral-movement tradecraft, compounding the damage. The attack's scale and method imply long-term recovery challenges, including financial losses, reputational harm, and regulatory scrutiny over compromised data.
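The practical lesson of this incident is that a DFIR agent the defenders themselves may run legitimately can also be dropped by an intruder, so detection has to compare every observed Velociraptor process against the organization's own approved deployment rather than alerting on the tool's presence alone. The hunt below is an added example for this page, not code from Rankiteo, Cisco Talos, or the Velociraptor project. It takes Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records and flags clients whose binary hash, install path, or server destination deviate from an allowlist, plus any child process spawned by a flagged client. The approved hash, install directory, server hostname, and all telemetry records are constructed placeholders.

```python
"""Hunt for Velociraptor clients an organization did not deploy itself.

Added example for this page; not code from Rankiteo, Cisco Talos, or the
Velociraptor project. Input records use Sysmon-style field names (Event ID 1 =
process create, Event ID 3 = network connection). The approved hash, install
directory, and server hostname are assumed placeholders, not real values.
"""
import re
from dataclasses import dataclass

# Image-name match for the Velociraptor executable, wherever it sits on disk.
VELO_IMAGE = re.compile(r"velociraptor[^\\/]*\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class ApprovedDeployment:
    """What the organization's own IR team runs (assumed values)."""
    binary_sha256: frozenset   # lower-case hex digests of sanctioned builds
    install_dir: str           # case-insensitive path prefix
    server_hosts: frozenset    # hostnames/IPs the sanctioned client may contact


def is_velociraptor(ev):
    # Match the image name; also honour OriginalFileName if the sensor records
    # the PE version field, so a renamed copy is still caught.
    return bool(VELO_IMAGE.search(ev.get("Image", ""))) or \
        ev.get("OriginalFileName", "").lower() == "velociraptor.exe"


def _sha256(ev):
    # Sysmon encodes hashes as "SHA256=...,MD5=..."; return the SHA256 part.
    for part in ev.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def hunt(events, approved):
    """Return findings for Velociraptor activity that deviates from the approved deployment."""
    findings = []
    rogue_guids = set()

    # Pass 1: check every Velociraptor process creation against the allowlist.
    for ev in events:
        if ev.get("EventID") != 1 or not is_velociraptor(ev):
            continue
        guid = ev["ProcessGuid"]
        reasons = []
        if _sha256(ev) not in approved.binary_sha256:
            reasons.append("binary hash not in approved set")
        if not ev["Image"].lower().startswith(approved.install_dir.lower()):
            reasons.append(f"running outside {approved.install_dir}")
        if reasons:
            rogue_guids.add(guid)
            findings.append({"rule": "unapproved_client", "guid": guid,
                             "image": ev["Image"], "reasons": reasons})

    # Pass 2: server destinations of any client, and children of flagged clients.
    for ev in events:
        if ev.get("EventID") == 3 and is_velociraptor(ev):
            dest = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
            if dest.lower() not in approved.server_hosts:
                findings.append({"rule": "unapproved_server", "guid": ev["ProcessGuid"],
                                 "destination": f"{dest}:{ev.get('DestinationPort')}"})
        elif ev.get("EventID") == 1 and ev.get("ParentProcessGuid") in rogue_guids:
            # A rogue client executing commands is hands-on-keyboard activity.
            findings.append({"rule": "child_of_unapproved_client", "guid": ev["ProcessGuid"],
                             "image": ev["Image"], "command_line": ev.get("CommandLine", "")})
    return findings


# Constructed telemetry: one sanctioned client, one dropped into a temp directory.
APPROVED = ApprovedDeployment(
    binary_sha256=frozenset({"a" * 64}),   # placeholder, not a real Velociraptor hash
    install_dir="C:\\Program Files\\Velociraptor\\",
    server_hosts=frozenset({"velo.corp.example"}),
)
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{good}", "Image": "C:\\Program Files\\Velociraptor\\Velociraptor.exe",
     "CommandLine": 'Velociraptor.exe service run --config "C:\\Program Files\\Velociraptor\\client.config.yaml"',
     "Hashes": "SHA256=" + "a" * 64, "ParentProcessGuid": "{services}"},
    {"EventID": 3, "ProcessGuid": "{good}", "Image": "C:\\Program Files\\Velociraptor\\Velociraptor.exe",
     "DestinationHostname": "velo.corp.example", "DestinationPort": 8000},
    {"EventID": 1, "ProcessGuid": "{rogue}", "Image": "C:\\Windows\\Temp\\velociraptor.exe",
     "CommandLine": "velociraptor.exe client -v --config C:\\Windows\\Temp\\client.config.yaml",
     "Hashes": "SHA256=" + "b" * 64, "ParentProcessGuid": "{cmd}"},
    {"EventID": 3, "ProcessGuid": "{rogue}", "Image": "C:\\Windows\\Temp\\velociraptor.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8000},
    {"EventID": 1, "ProcessGuid": "{child}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all", "Hashes": "SHA256=" + "c" * 64,
     "ParentProcessGuid": "{rogue}"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, APPROVED):
        print(finding)
```

The hash allowlist alone is brittle (it breaks on every sanctioned upgrade), which is why the path and server checks run independently: an attacker's copy in a temp directory beaconing to an unknown server is caught even if the binary happens to be the same release the defenders use.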

Source: https://www.csoonline.com/article/4070854/open-source-dfir-velociraptor-was-abused-in-expanding-ransomware-efforts.html

TPRM report: https://www.rankiteo.com/company/equiphumanity

"id": "equ3532035101025",
"linkid": "equiphumanity",
"type": "Ransomware",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'type': 'organization (unnamed)'}],
 'attack_vector': ['abuse of the legitimate Velociraptor DFIR tool '
                   '(post-compromise)',
                   'ransomware deployment (Warlock, LockBit, Babuk)',
                   'VMware ESXi and Windows server encryption'],
 'data_breach': {'data_encryption': ['VMware ESXi VMs', 'Windows servers']},
 'date_detected': '2025-08',
 'date_publicly_disclosed': '2025-08',
 'description': 'Velociraptor, an open-source Digital Forensics and Incident '
                'Response (DFIR) tool designed to hunt intruders, has been '
                'repurposed by threat actors in ransomware operations. A '
                'China-based group, Storm-2603 (previously known for '
                'exploiting Microsoft SharePoint vulnerabilities), was '
                'observed abusing Velociraptor in a multi-vector ransomware '
                'attack. The incident, detected by Cisco Talos in August 2025, '
                'involved the deployment of Warlock, LockBit, and Babuk '
                'ransomware to encrypt VMware ESXi virtual machines (VMs) and '
                "Windows servers, severely disrupting the victim's IT "
                'environment.',
 'impact': {'downtime': 'severe (IT environment disruption)',
            'operational_impact': 'high (encryption of critical systems)',
            'systems_affected': ['VMware ESXi virtual machines (VMs)',
                                 'Windows servers']},
 'initial_access_broker': {'entry_point': ['not reported; Velociraptor was '
                                           'deployed after access was '
                                           'obtained, not as the entry point'],
                           'high_value_targets': ['VMware ESXi VMs',
                                                  'Windows servers']},
 'investigation_status': 'ongoing (as of August 2025)',
 'motivation': ['financial gain (ransomware extortion)',
                'disruption of IT operations'],
 'post_incident_analysis': {'root_causes': ['abuse of legitimate DFIR tool '
                                            '(Velociraptor) for malicious '
                                            'purposes',
                                            'potential prior exploitation of '
                                            'SharePoint vulnerabilities '
                                            '(historical context)']},
 'ransomware': {'data_encryption': True,
                'ransomware_strain': ['Warlock', 'LockBit', 'Babuk']},
 'references': [{'date_accessed': '2025-08', 'source': 'Cisco Talos Blog'}],
 'response': {'incident_response_plan_activated': True,
              'third_party_assistance': ['Cisco Talos']},
 'threat_actor': ['Storm-2603 (China-based)',
                  'affiliates of Warlock ransomware'],
 'title': 'Velociraptor DFIR Tool Abused in Coordinated Ransomware Operations '
          'by Storm-2603',
 'type': ['ransomware', 'tool abuse', 'multi-vector attack'],
 'vulnerability_exploited': ['Velociraptor abuse (misuse of a legitimate '
                             'tool; no CVE cited in this record)',
                             'potential prior SharePoint vulnerabilities '
                             '(historical context for Storm-2603)']}