Shutter2U - stock.adobe.com
Warlock ransomware may be linked to Chinese state
The operators of Warlock ransomware who exploited a set of SharePoint Server vulns earlier in 2025 likely have some kind of link to the Chinese government, researchers claim
An emergent strain of ransomware known as Warlock – which was linked to multiple attacks orchestrated via vulnerabilities in on-premise Microsoft SharePoint Server instances during the summer of 2025 – has been linked to Chinese nation-state threat actors with a high degree of certainty by researchers at Halcyon’s Ransomware Research Centre.
The SharePoint attacks arose through a vulnerability chain dubbed ToolShell, and were quickly linked to two known Chinese advanced persistent threat (APT) groups – Linen Typhoon and Violet Typhoon – by Microsoft.
At the same time, Microsoft observed an unclassified threat actor known as Storm-2603 exploiting the ToolShell vulnerabilities, and swiftly stood up a link to Warlock. By late August, Warlock’s operators had claimed a number of victims including telecoms firms Colt and Orange.
Two months on, Halcyon’s team now says that Warlock likely has ties to the Chinese APTs named by Microsoft, an assessment it has based on the gang’s early access to ToolShell, and new malware samples and technical analysis, which it claims highlights professional-grade development more consistent with well-funded state groups than criminals.
“Our new technical analysis included identifying that Warlock planned from the beginning to deploy multiple ransomware families to confuse attribution, evade detection and accelerate impact. Based on technical overlaps, Halcyon tracks Warlock as the same group as Storm-2603 – Microsoft – and Cl-CRI-1040 – Palo Alto Unit 42,” said the team.
The Halcyon team also firmed up previously suggested links to LockBit, stating that Warlock enjoyed “the distinction” of having been the final LockBit affiliate registered prior to the May 2025 data leak and had leveraged LockBit 3.0 as an operational tool and a development foundation for its own ransomware locker.
Cynthia Kaiser, senior vice-president at Halcyon’s Ransomware Research Center, said the attribution did not come out of the blue given the high-profile and widely reported nature of the Sharepoint breach.
“That said, these findings are particularly significant because it raises the concern of more ransomware attacks resulting from nation-state activity moving forward,” Kaiser told Computer Weekly. “Historically, ransomware attacks and nation-state attacks [or] espionage have had separate motivations and tactics to achieve their goals – to know that ransomware may be a runoff impact of nation-state activity puts more strain on network defenders who may not be prepared.”
In this instance, Kasier said, it was hard to pin down the precise nature of the supposed relationship – Warlock’s operators may be leveraging personal connections having worked with Chinese state cyber agents in the past, or the collaboration may be rather more directly official, possibly even directly contracted. “We would expect most of this activity had tacit, but not necessarily explicit, approval from Beijing,” she added.
New frontier
This is not necessarily the first time financially motivated Chinese cyber criminals have been allowed to operate without repercussions from the government – Kaiser cited the Hafnium attacks on Microsoft Exchange Server back in 2021 which also demonstrated a degree of overlap.
Nevertheless, Kaiser said she expected this trend to grow, and the gathering expansion of Chinese cyber espionage into adjacent areas represents a new and dangerous frontier for defenders.
“It’s important for network defenders to be cognisant of the potential for espionage campaigns to morph into ransomware attacks. Network defenders may not naturally think about ransomware when they are dealing with a nation-state attack,” said Kaiser. “What used to be binary focuses between ransomware and nation-state attacks must now be considered together. This is not just a China issue. We need to be prepared for his becoming more commonplace across the board – this is not a one-off instance.”
Timeline: ToolShell SharePoint cyber attacks
- 21 July 2025: The active exploitation of a dangerous zero-day vulnerability chain in Microsoft SharePoint – which was disclosed over the weekend – is underway. Immediate action is advised.
- 22 July: Exploitation of the ToolShell RCE zero-day in Microsoft SharePoint continues to gather pace, with evidence emerging of exploitation by nation-state-backed threat actors.
- 22 July: Microsoft confirms two known China-nexus threat actors, and one other suspected state-backed hacking group, are exploiting vulnerabilities in SharePoint Server.
- 23 July: US nuclear agency hacked in Microsoft SharePoint frenzy. (Dark Reading)
- 24 July: Microsoft’s security analysts confirm a number of cyber attacks on on-premise SharePoint Server users involve ransomware.
- 30 July: African organisations fall to mass Microsoft SharePoint exploits. (Dark Reading)
- 1 August: Palo Alto Networks is investigating ransomware threat related to SharePoint exploitation. (Cybersecurity Dive)
- 8 August: Financially motivated cluster a key player in ToolShell exploitation. (Cybersecurity Dive)
- 15 August: UK network services firm Colt is attempting to recover various customer-facing systems following a cyber attack that has been claimed by the Warlock ransomware gang and may have arisen via a SharePoint flaw.
- 20 August: Ransomware gang Warlock is adding more victims to its data leak site as the impact of a spreading wave of cyber attacks continues to be felt.
