CyberDudeBivash
A sophisticated ransomware campaign led by the Warlock gang—a likely offshoot of Black Basta—is actively exploiting unpatched Microsoft SharePoint servers, impacting over 400 organizations globally, including U.S. federal systems and a nuclear research agency. The scale, precision, and persistence of this attack have set off high-priority alerts across government, defense, and enterprise sectors.
🔸 Targeted System: Microsoft SharePoint
🔸 Exploitation Method: Known CVEs & zero-day chaining
🔸 Victim Count: 400+ orgs globally
🔸 High-Value Target: U.S. Nuclear Infrastructure
🔸 Persistence Risk: Attackers remain in the environment even post-patch
The attackers scan for exposed and unpatched SharePoint instances, exploiting:
They deploy a web shell or PowerShell loader for lateral movement.
Once inside, Warlock actors:
The ransomware payload is deployed via:
🔸 PsExec or WMIC
🔸 Dropped to C:\ProgramData\Warlock\
🔸 Encrypted files given the .wrlock extension
Even if organizations patch CVEs post-breach, Warlock actors persist using:
| Type | Value |
|---|---|
| Filename | update_wrlock.ps1 |
| Domain | hxxp://wrlockcontrol[.]onion |
| Registry | HKLM\Software\WrSys\Check |
| Extension | .wrlock |
✔️ Patch immediately — especially CVE‑2023‑29357 & CVE‑2023‑24955
✔️ Audit SharePoint logs for privilege changes and web shell activity
✔️ Hunt for persistence: check Scheduled Tasks, registry, and unknown accounts
✔️ Isolate breached systems — assume persistence until proven otherwise
✔️ Deploy YARA rules & EDR policies to detect lateral movement scripts
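A persistence hunt built around the indicators in the table above, added here as an example and not part of the original post or any vendor tooling. It assumes an elevated PowerShell session on the SharePoint host; the scan roots and the 30-day window for account-creation events (Security event 4720) are assumptions you should adjust to your environment.

```powershell
# Hunt for Warlock persistence indicators on a Windows/SharePoint host.
# IOC values below come from the report; scan roots and lookback are assumptions.
$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Registry persistence marker listed in the IOC table
$RegPath = 'HKLM:\Software\WrSys\Check'
if (Test-Path $RegPath) { Add-Finding 'Registry' $RegPath }

# 2. Staging directory named in the report
$Staging = 'C:\ProgramData\Warlock'
if (Test-Path $Staging) { Add-Finding 'Directory' $Staging }

# 3. Scheduled tasks whose action launches the loader script
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'update_wrlock\.ps1') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $cmd"
        }
    }
}

# 4. Loader script or encrypted files on disk (assumed roots; extend to data volumes)
$ScanRoots = @('C:\ProgramData', 'C:\Users', 'C:\inetpub')
foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'update_wrlock.ps1' -or $_.Extension -eq '.wrlock' } |
        Select-Object -First 50 |
        ForEach-Object { Add-Finding 'File' $_.FullName }
}

# 5. Unknown accounts: local user creations in the assumed lookback window
$Since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        Add-Finding 'AccountCreated' "$($_.TimeCreated): $($_.Message.Split("`n")[0])"
    }

if ($Findings.Count -eq 0) {
    'No Warlock indicators found. Still review SharePoint ULS and IIS logs for web shell activity.'
} else {
    $Findings | Format-Table -AutoSize
}
```

A clean run is not proof of absence: the report stresses that actors persist after patching, so pair this host check with log review and EDR telemetry before declaring a system clean.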
“This attack shows us that patching is necessary but not enough. Post-exploit persistence is the real battlefield. Assume breach. Hunt hard. Respond fast.”
The Warlock gang isn’t just dropping ransomware—they’re leaving digital landmines behind. Your SharePoint server might be patched, but the backdoor may still be wide open.
🔗 Full Technical Blog Post → cyberdudebivash.com
🧠 Stay ahead with our daily threat intel reports & exploit breakdowns.