- The Warlock ransomware group has claimed more than 60 victims since it emerged in March 2025
- Sophos highlights advanced tactics including SharePoint exploits, covert tunnels and credential theft
- The group claims to have sold the stolen data of 45% of its victims to private buyers
Security researchers have warned about a new ransomware operation that is making a name for itself fast.
Sophos has detailed the operations of a group that calls itself Warlock, although different analysts have given it different names: Warlock is also tracked as Gold Salem by Sophos and as Storm-2603 by Microsoft.
Sophos says it “could be the most worrying new strain” to emerge in a long time, having compromised more than 60 victims since it was first observed in March 2025.
Is Warlock a Chinese actor?
It is not only the number of victims that is concerning. The group’s operations “reflect both competence and boldness” because, within a few months, it has exploited SharePoint vulnerabilities through the ToolShell exploit chain, abused legitimate tools such as Velociraptor for covert tunnels, deployed Mimikatz for credential theft, used PsExec/Impacket for lateral movement, and deployed its payloads across victim environments.
They have also solicited exploits and access on underground forums despite having no prior public footprint.
However, attribution is proving complicated. Microsoft refers to Warlock as a “Chinese actor”, but Sophos argues that the evidence is not conclusive. The group has been observed targeting all kinds of organizations across many countries and verticals, yet it has carefully avoided Russian and Chinese organizations.
There is, however, one atypical case: a single Russian entity was recently added to the group’s data leak site. For Sophos, this suggests that the group operates outside Russia’s jurisdiction or sphere of influence.
Of the more than 60 victims the group has listed on its site, it claims to have sold the stolen data of 27 (approximately 45%) to private buyers.
Notably, only 32% of the victims had their data leaked publicly, suggesting that the rest may have paid or had their data sold privately.
Sophos also stresses that the 45% claim may be inflated or outright fabricated, since ransomware groups often exaggerate their impact to boost credibility and instill fear.