- The Warlock ransomware group has compromised over 60 victims since it emerged in March 2025
- Sophos highlights advanced tactics including SharePoint exploitation, tunneling and credential theft
- The group claims to have sold stolen data from 45% of victims to private buyers
Security researchers have warned of a new ransomware operation that has made a name for itself very quickly.
Sophos has detailed the operations of a group that calls itself Warlock, although different analysts use different names for it: Sophos tracks it as Gold Salem and Microsoft as Storm-2603.
Sophos says the group could be the most worrying newcomer to emerge in a while, having compromised more than 60 victims since it was first observed in March 2025.
Is Warlock a Chinese actor?
It is not just the number of victims that is worrying. According to Sophos, the group’s operations “reflect both competence and boldness”: within a few months it exploited SharePoint vulnerabilities with a custom toolchain, abused legitimate tools such as Velociraptor for covert tunneling, and deployed Mimikatz payloads for credential theft.
It has also sourced exploits and access from underground forums despite having no prior public footprint.
Attribution, however, is proving difficult. Microsoft describes Warlock as a “China-based actor,” but Sophos says the evidence is inconclusive. The group has been observed targeting organizations across many countries and verticals, yet it has conspicuously avoided Russian and Chinese organizations.
There is one outlier: a single Russian entity was recently added to the group’s data leak site. To Sophos, this suggests the group operates outside Russia’s jurisdiction or sphere of influence.
Of the 60+ victims listed on its leak site, the group claims to have sold the data of 27 (about 45%) to private buyers.
Notably, only 32% of the victims have had their data published, which suggests that the rest may have paid or had their data sold privately.
Sophos also cautions that the 45% claim may be inflated or outright fabricated, as ransomware groups often exaggerate their impact to boost credibility and instill fear.