
Warlock Ransomware Exploits Unpatched Microsoft SharePoint and SmarterMail Servers: Tactics, Analysis, and Mitigation Guidance


Executive Summary

The Warlock ransomware group has emerged as a formidable threat actor, demonstrating a rapid evolution in its post-exploitation arsenal and operational sophistication. Leveraging advanced techniques such as Bring Your Own Vulnerable Driver (BYOVD), exploitation of unpatched Microsoft SharePoint and SmarterMail servers, and highly effective credential theft and lateral movement strategies, Warlock has successfully targeted organizations across government, finance, manufacturing, and critical infrastructure sectors worldwide. This advisory provides a comprehensive technical analysis of the group’s latest tactics, techniques, and procedures (TTPs), observed attack chains, victimology, and actionable mitigation guidance.

Threat Actor Profile

Warlock is a financially motivated ransomware group first observed in 2023, with activity intensifying through 2024. The group is known for its opportunistic targeting of organizations with exposed or unpatched enterprise software, particularly Microsoft SharePoint, Veeam Backup & Replication, and SmarterMail. Warlock demonstrates a high degree of technical proficiency, employing both public and custom tools for stealth, persistence, and impact. There are indications of possible affiliations or tool-sharing with other prominent ransomware groups such as Black Basta, Storm2603, and LockBit affiliates. The group’s operations are characterized by rapid exploitation, aggressive privilege escalation, and a focus on defense evasion and data exfiltration prior to ransomware deployment.

Technical Analysis of Malware/TTPs

Initial Access: Warlock primarily gains initial access by exploiting unpatched, internet-exposed Microsoft SharePoint servers. The group leverages authentication and deserialization vulnerabilities, including CVE-2023-29357, CVE-2023-24955, CVE-2023-21743, and CVE-2023-28287, to upload web shells via targeted HTTP POST requests. In parallel, the group exploits vulnerabilities in Veeam Backup & Replication (notably CVE-2023-27532) and SmarterMail authentication bypass and remote code execution flaws, as reported in recent campaigns.

Privilege Escalation: Once inside, Warlock abuses Group Policy Objects (GPOs) to establish domain-wide persistence and control. The group is known to activate and elevate the built-in “guest” account to local administrator, facilitating further lateral movement and persistence.

Execution: The group deploys batch files and scripts via cmd.exe to automate the execution of ransomware binaries, process termination, and system modifications. A hallmark of Warlock’s toolkit is the use of BYOVD, where malicious drivers such as googleApiUtil64.sys are installed to disable endpoint security solutions. Custom binaries like vmtools.exe (Trojan.Win64.KILLLAV.I) are used to terminate security and backup processes, ensuring minimal resistance during the attack.

Defense Evasion: Warlock employs DLL sideloading, leveraging legitimate binaries such as MpCmdRun.exe and jcef_helper.exe to load malicious DLLs (mpclient.dll, libcef.dll). The group also renames legitimate tools such as RClone (as TrendSecurity.exe) and Cloudflared (as macfee_agent.exe) to evade detection during data exfiltration and command-and-control (C2) tunneling.

Discovery and Lateral Movement: Reconnaissance is conducted using native Windows utilities including nltest, ipconfig, whoami, tasklist, and wmic. Credential dumping is achieved via Mimikatz and registry hive extraction (SAM, SECURITY). Lateral movement is facilitated through SMB/Windows admin shares and by enabling RDP via registry modifications.

Impact: The final stage involves the deployment of ransomware, encrypting files with extensions such as .x2anylock and .xlockxlock. Victims receive a ransom note titled How to decrypt my data.txt. Prior to encryption, sensitive data is exfiltrated to cloud storage (notably Proton Drive) using RClone. Outbound C2 tunnels are established using renamed Cloudflare binaries.

Exploitation in the Wild

Warlock’s campaigns have impacted organizations in North America, Europe, Asia, Africa, and the Middle East, with notable incidents involving government agencies in Portugal, Croatia, and Turkey. The group has also targeted financial institutions, manufacturing firms, and technology providers. Public reporting confirms exploitation of unpatched Microsoft SharePoint and SmarterMail servers, with breaches often resulting in both data theft and operational disruption. The group’s ability to rapidly weaponize new vulnerabilities and pivot across sectors underscores the criticality of timely patch management and proactive threat detection.

Victimology and Targeting

Warlock exhibits opportunistic targeting, focusing on organizations with exposed or outdated enterprise software. Sectors most affected include government, finance, manufacturing, technology, electronics, and critical infrastructure. The group’s victimology suggests a preference for entities with high-value data and operational dependencies on vulnerable platforms. Geographic distribution of victims spans North America, Europe, Asia, Africa, and the Middle East, reflecting a global threat footprint.

Mitigation and Countermeasures

Organizations are strongly advised to implement the following countermeasures to mitigate the risk posed by Warlock and similar ransomware groups:

  • Ensure all Microsoft SharePoint, Veeam Backup & Replication, and SmarterMail servers are fully patched, with particular attention to CVE-2023-29357, CVE-2023-24955, CVE-2023-21743, CVE-2023-28287, and CVE-2023-27532.
  • Monitor for unusual driver installations indicative of BYOVD attacks, especially the presence of googleApiUtil64.sys and other unsigned drivers.
  • Detect and alert on the creation of new GPOs, elevation of guest accounts, and suspicious process terminations targeting security and backup solutions.
  • Hunt for renamed binaries such as TrendSecurity.exe (RClone) and macfee_agent.exe (Cloudflared), as well as DLL sideloading activity involving MpCmdRun.exe and jcef_helper.exe.
  • Monitor for file encryption events involving the .x2anylock and .xlockxlock extensions, and for the appearance of ransom notes titled How to decrypt my data.txt.
  • Implement network segmentation and restrict lateral movement by limiting SMB and RDP access, and by monitoring for unauthorized registry modifications.
  • Conduct regular credential hygiene reviews and monitor for anomalous authentication activity, including the use of Mimikatz and registry hive access.
  • Leverage endpoint detection and response (EDR) solutions capable of detecting process injection, driver loading, and suspicious command-line activity.
  • Review and apply detection queries and hunting rules provided by vendors such as Trend Micro and SOC Defenders for the latest indicators of compromise.
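The following is an added example, not part of Rescana's advisory or any vendor's rule set. It turns the indicators listed in the Technical Analysis and Mitigation sections into a small hunt run over constructed Sysmon/Security-style events: the googleApiUtil64.sys BYOVD driver (plus any unsigned driver), RClone and Cloudflared renamed to TrendSecurity.exe and macfee_agent.exe (caught by comparing the PE OriginalFileName with the on-disk name rather than by filename alone), MpCmdRun.exe/jcef_helper.exe sideloading of an unsigned mpclient.dll/libcef.dll, the .x2anylock and .xlockxlock extensions and the How to decrypt my data.txt note, the Guest account being added to Administrators (as a Security-log group-membership event), and RDP being enabled through the registry. The event field names, the sample events, and the fDenyTSConnections registry value are assumptions made for the example, not a vendor schema or page content.

```python
"""Hunting rules for the Warlock TTPs in the advisory, run over constructed events.

Added example: the events below are made up for illustration and the field
names are an assumed, simplified schema, not Sysmon's or any EDR vendor's.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str     # which hunting rule fired
    detail: str   # the artefact that triggered it


# Indicators named in the advisory, lower-cased for comparison
BYOVD_DRIVERS = {"googleapiutil64.sys"}
RENAMED_TOOLS = {"rclone.exe": "RClone", "cloudflared.exe": "Cloudflared"}
SIDELOAD_PAIRS = {"mpcmdrun.exe": "mpclient.dll", "jcef_helper.exe": "libcef.dll"}
RANSOM_EXTENSIONS = {".x2anylock", ".xlockxlock"}
RANSOM_NOTE = "how to decrypt my data.txt"
# Assumed: Windows registry value controlling Remote Desktop (0 means RDP allowed)
RDP_DENY_VALUE = "fdenytsconnections"


def _name(path: str) -> str:
    """Lower-cased final component of a Windows path or registry key."""
    return ntpath.basename(path).lower()


def check_driver_load(ev):
    # Known Warlock driver, or any unsigned driver, is a BYOVD signal
    if _name(ev["image"]) in BYOVD_DRIVERS or not ev.get("signed", False):
        return Finding("byovd_driver", f"driver loaded: {ev['image']}")
    return None


def check_process_create(ev):
    # A PE whose OriginalFileName disagrees with its on-disk name was renamed
    original = ev.get("original_file_name", "").lower()
    on_disk = _name(ev["image"])
    if original and original != on_disk:
        return Finding("renamed_binary",
                       f"{on_disk} is really {RENAMED_TOOLS.get(original, original)}")
    return None


def check_image_load(ev):
    # Legitimate host binary loading an unsigned copy of its expected DLL
    host, dll = _name(ev["process_image"]), _name(ev["loaded_image"])
    if SIDELOAD_PAIRS.get(host) == dll and not ev.get("signed", False):
        return Finding("dll_sideload", f"{host} loaded unsigned {ev['loaded_image']}")
    return None


def check_file_create(ev):
    name = _name(ev["path"])
    if ntpath.splitext(name)[1] in RANSOM_EXTENSIONS:
        return Finding("ransomware_encryption", ev["path"])
    if name == RANSOM_NOTE:
        return Finding("ransom_note", ev["path"])
    return None


def check_group_member_added(ev):
    # Modelled on a Security-log local-group membership change
    if ev["group"].lower() == "administrators" and ev["member"].lower() == "guest":
        return Finding("guest_elevated", f"Guest added to {ev['group']}")
    return None


def check_registry_set(ev):
    if _name(ev["key"]) == RDP_DENY_VALUE and ev["value"] == 0:
        return Finding("rdp_enabled", ev["key"])
    return None


RULES = {
    "driver_load": check_driver_load,
    "process_create": check_process_create,
    "image_load": check_image_load,
    "file_create": check_file_create,
    "group_member_added": check_group_member_added,
    "registry_set": check_registry_set,
}


def hunt(events):
    """Apply the rule matching each event's type; return findings in event order."""
    findings = []
    for ev in events:
        rule = RULES.get(ev["type"])
        finding = rule(ev) if rule else None
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry: eight malicious events and two benign ones
EVENTS = [
    {"type": "driver_load", "image": r"C:\Windows\Temp\googleApiUtil64.sys", "signed": False},
    {"type": "process_create", "image": r"C:\ProgramData\TrendSecurity.exe", "original_file_name": "rclone.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\macfee_agent.exe", "original_file_name": "cloudflared.exe"},
    {"type": "image_load", "process_image": r"C:\Users\Public\MpCmdRun.exe", "loaded_image": r"C:\Users\Public\mpclient.dll", "signed": False},
    {"type": "image_load", "process_image": r"C:\Program Files\Windows Defender\MpCmdRun.exe", "loaded_image": r"C:\Program Files\Windows Defender\mpclient.dll", "signed": True},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\report.docx.x2anylock"},
    {"type": "file_create", "path": r"C:\Users\alice\Desktop\How to decrypt my data.txt"},
    {"type": "group_member_added", "group": "Administrators", "member": "Guest"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "value": 0},
    {"type": "process_create", "image": r"C:\Windows\System32\whoami.exe", "original_file_name": "whoami.exe"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.rule:22} {f.detail}")
```

The renamed-binary rule is the one worth copying: matching the attacker's chosen names (TrendSecurity.exe, macfee_agent.exe) catches only this campaign, whereas comparing the PE's OriginalFileName with the on-disk name catches the next rename too. The signed Defender load in Program Files is deliberately left unflagged to show that the sideload rule keys on the unsigned DLL, not on the MpCmdRun.exe/mpclient.dll pairing by itself.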

References

SOC Defenders: Warlock Ransomware Group Augments Post-Exploitation Activities (https://www.socdefenders.ai/item/5393d3bb-1708-4bb2-9724-33226c81d8fb)
Trend Micro: Warlock Ransomware Technical Analysis (https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html)
NVD: CVE-2023-27532 (Veeam) (https://nvd.nist.gov/vuln/detail/CVE-2023-27532)
Dark Reading: Warlock Gang Breaches SmarterTools Via SmarterMail Bugs (https://www.darkreading.com/application-security/warlock-gang-breaches-smartertools-smartermail-bugs)
The Hacker News: SmarterMail Exploitation (https://www.facebook.com/thehackernews/posts/%EF%B8%8F%EF%B8%8F-warlock-ransomware-breached-smartertools-via-unpatched-smartermail-vmattacker/1290927716405142/)
MITRE ATT&CK: T1211, T1075, T1059, T1021.002, T1003, T1562.001, T1105, T1041 (https://attack.mitre.org/)

About Rescana

Rescana empowers organizations to proactively manage third-party cyber risk with a comprehensive TPRM platform that delivers continuous monitoring, actionable intelligence, and automated risk assessment. Our solutions enable security teams to identify, prioritize, and mitigate threats across their digital supply chain, enhancing resilience against advanced adversaries. For further information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.
