How the actions of the Warlock group expose technical vulnerabilities and structural challenges to cybersecurity in Brazil.
By Luiz F. Freitas-Gutierres
Since the second quarter of 2025, Dragos has tracked the ransomware group known as Warlock as an emerging threat to both corporations and industrial environments. Alarmingly, Dragos reported that during the third quarter of 2025 the Warlock group was responsible for 18 confirmed incidents, affecting victims in sectors such as aerospace, maritime, manufacturing, pharmaceuticals, and petrochemicals. As it rose to prominence in the ransomware ecosystem by mid-2025, Warlock demonstrated high operational maturity, evidenced by both the severity of the impacts and the volume of attacks conducted in its campaigns. To date, a total of 78 victims have been publicly recorded on the ransomware.live platform.
The Warlock group operates under the ransomware-as-a-service (RaaS) model: the core operators provide the infrastructure, supply the cyber arsenal (malware and malicious scripts) and offer technical support to affiliates, who conduct the attacks in exchange for a share of the ransom proceeds. These actors generally employ a double extortion strategy against their targets, combining the unavailability of assets through encryption with the threat of leaking exfiltrated data (potentially sensitive information), thereby increasing the pressure on victims to pay the ransom.
Additionally, the Warlock group has demonstrated the capability to exploit zero-day vulnerabilities (security flaws unknown to the vendor and for which no patch is yet available at the time of exploitation), such as the set of critical flaws known as ToolShell, publicly disclosed at the beginning of the second half of 2025 and affecting on-premises Microsoft SharePoint servers (CVE-2025-53770, with a CVSS v3.1 score of 9.8, together with CVE-2025-53771). The group also exploited other vulnerabilities, such as CVE-2025-49704 and CVE-2025-49706.
Beyond the initial compromise, Warlock operations frequently result in operational disruption, data exfiltration and subsequent exposure on the darknet, reputational damage and financial losses. The group deploys a ransomware payload, also known as Warlock, which encrypts the victims' files and appends extensions such as ".x2anylock". Furthermore, volume shadow copies and backups are deleted from the system with the aim of hindering or preventing recovery efforts.
In the Brazilian context, using specialized mechanisms for indexing Internet-exposed services, several instances were identified that appear to be running versions of Microsoft SharePoint affected by the vulnerabilities exploited by Warlock in its campaigns. By the end of 2025, 23 instances were observed exposing HTTP headers consistent with Microsoft SharePoint 2016, 2019, and Subscription Edition (SE), in versions that, in principle, predate the cumulative security updates that fix ToolShell. Considering that the fixes for CVE-2025-53770 and CVE-2025-53771 were made available in recent updates, such instances can be classified as potentially vulnerable to ToolShell, provided they have not received additional patches that cannot be detected from the outside.

Although not a large absolute number, the results include organizations belonging to the electricity sector, government institutions, and educational/university centers. Companies linked to the generation, transmission, and distribution of electricity, as well as government agencies, are considered critical infrastructure, whose unavailability or compromise can generate systemic impacts on society. Cases linked to the education sector, although not formally classified as critical infrastructure, remain of high interest to cybercriminals due to the volume and sensitivity of the personal data they can store, including full names, affiliations, professional/academic histories, and official documents.

It is also worth highlighting 18 observed instances consistent with legacy versions of Microsoft SharePoint 2007, 2010, and 2013. These platforms had their official support discontinued several years ago, have not received security updates since, and are exposed to multiple known vulnerabilities. However, it is important to emphasize that the results presented require further validation. Even so, they offer an idea of the attack surface in the Brazilian cyber domain.
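As an added example (not code from the original article), the following Python helper applies the triage described above to an organization's own asset inventory: it parses the SharePoint version advertised in the `MicrosoftSharePointTeamServices` response header, maps it to the product families discussed (2007/2010/2013 end of life; 2016/2019/SE covered by the ToolShell fixes) and flags builds older than a fix threshold. The header format and family boundaries are well known; the fix thresholds are placeholders to be replaced with the builds from the vendor advisory, and the hosts are invented.

```python
import re

# SharePoint 2007/2010/2013 are out of support; 2016/2019/SE are the families
# the ToolShell fixes (CVE-2025-53770 / CVE-2025-53771) apply to.
EOL_FAMILIES = {"2007", "2010", "2013"}

# Placeholder thresholds (assumption, NOT Microsoft's numbers): first build of each
# family that carries the ToolShell fix; take the real values from the vendor advisory.
FIXED_BUILD_PLACEHOLDER = {"2016": 5500, "2019": 10400, "SE": 18500}

def parse_header(value):
    """(major, build) from a MicrosoftSharePointTeamServices value such as
    '16.0.0.10396'; None when it is not a four-part version string."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", value or "")
    return (int(m.group(1)), int(m.group(4))) if m else None

def family_of(major, build):
    if major == 12: return "2007"
    if major == 14: return "2010"
    if major == 15: return "2013"
    if major == 16:              # 2016, 2019 and SE all report major 16
        if build < 10000: return "2016"
        if build < 14000: return "2019"
        return "SE"
    return "unknown"

def triage(observations, fixed_builds=FIXED_BUILD_PLACEHOLDER):
    """observations: (host, header_value) pairs from your own inventory. Returns
    (host, family, build, status); status is 'eol', 'pre-fix', 'fixed-or-later' or
    'unknown'. A header is only a hint: confirm on the host before acting."""
    out = []
    for host, value in observations:
        parsed = parse_header(value)
        if parsed is None:
            out.append((host, "unknown", -1, "unknown"))
            continue
        major, build = parsed
        fam = family_of(major, build)
        if fam in EOL_FAMILIES:
            status = "eol"
        elif fam in fixed_builds:
            status = "pre-fix" if build < fixed_builds[fam] else "fixed-or-later"
        else:
            status = "unknown"
        out.append((host, fam, build, status))
    return out

# Constructed sample: header values shaped like real ones, hosts invented.
SAMPLE = [("sp1.example.invalid", "16.0.0.10396"), ("sp2.example.invalid", "15.0.0.4420"),
          ("sp3.example.invalid", "16.0.0.18526"), ("sp4.example.invalid", "Apache/2.4")]
```

Run `triage(SAMPLE)` to obtain one tuple per host; a host reported as `fixed-or-later` still needs on-host confirmation, as the article notes, because the advertised build does not reveal every patch.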
Defense teams must be prepared and adopt best practices for preparedness and prevention against ransomware incidents, including the maintenance of regular, encrypted backups kept offline. Furthermore, it is essential that these backups be periodically tested through incident simulation exercises to ensure their integrity, availability, and restorability. It is equally important to ensure that they remain offline, since, as discussed earlier, Warlock and other ransomware groups typically carry out reconnaissance aimed at locating and tampering with backups, with the goal of preventing data recovery before the ransom is paid.
Another good security practice is to avoid exposing to the Internet services that have known vulnerabilities or inadequate configurations, as observed in the cases above at risk of exploitation through ToolShell. Furthermore, systems must be continuously updated and patched, always keeping them on the latest versions released by vendors. Other cybersecurity recommendations and mitigation strategies against ransomware can be consulted in the #StopRansomware Guide, developed by a task force co-chaired by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) of the United States.
For additional information on the Warlock group and its tactics, techniques, and procedures, readers are referred to the fourth issue of the 2025 volume of Ind.Cyber.Sec Letters, entitled Profiling Warlock Ransomware Group.
Notice: The opinions presented in this article are the responsibility of the author and not of ABES (Brazilian Association of Software Companies).
Article originally published on the IT Forum website: https://itforum.com.br/colunas/as-operacoes-do-grupo-de-ransomware-warlock-e-os-riscos-potenciais-ao-dominio-cibernetico-brasileiro/