J.R. Johnivan
2025-07-25 18:03:00
www.techrepublic.com
Recent attacks targeting Microsoft SharePoint have escalated, with threat actors now deploying ransomware on vulnerable systems, according to Microsoft. This surge in malicious activity follows the release of multiple SharePoint security patches in July.
An update published to Microsoft’s blog reads, in part: “Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware.”
Detailing the attack
At least three threat groups believed to be affiliated with China have been exploiting publicly known vulnerabilities in Microsoft SharePoint, according to Microsoft. These include Linen Typhoon, Violet Typhoon, and Storm-2603.
The attackers exploited multiple weaknesses in on-premises SharePoint servers — including remote code execution (RCE), credential spoofing, and improper authentication — to gain unauthorized access. Once inside, they were able to infiltrate internal file systems and extract sensitive data that could be used for surveillance, impersonation, or extortion.
Microsoft issued patches to address the affected vulnerabilities — CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771 — in two separate rounds of security patches in early and mid-July. Despite these efforts, the company warned that ransomware is now being deployed on unpatched systems, including by Storm-2603.
Who is Storm-2603?
While Linen Typhoon and Violet Typhoon are already known to be China-based, Microsoft said it has “medium confidence” that Storm-2603 originates from China.
Regardless of where it is located, Storm-2603 is known for its ransomware attacks. The group has used LockBit and Warlock ransomware in the past, and Warlock is also the payload in its most recent attacks against SharePoint.
What is Warlock ransomware?
According to WatchGuard’s ransomware tracker, Warlock is classified as crypto-ransomware and was first detected in June 2025. As of this writing, there are nearly 20 known victims across the US, Canada, Germany, China, and several other countries.
Microsoft Threat Intelligence identified several indicators of compromise (IOCs) that SharePoint administrators should monitor. These include a known IP address of 65.38.121.198, a file named IIS_Server_dll.dll that serves as a backdoor, and a series of web shells that are used by Storm-2603 to execute remote commands on the server.
How to protect your system from Storm-2603 and Warlock
Given the stealthy nature of Storm-2603 and its ransomware attacks, Microsoft recommends installing the latest security patches, using strong passwords, testing security configurations on a regular basis, and continuously monitoring your SharePoint server for any of the known IOCs.
The company also recommends the use of tools within Microsoft Defender, such as Vulnerability Management and External Attack Surface Management (EASM), along with an active Microsoft Defender XDR subscription.
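As an added example, not part of the article or of Microsoft's own guidance, the following Python script shows what "monitoring for the known IOCs" can look like in practice: it walks IIS W3C log lines looking for the source IP the article cites, and walks a file listing looking for the backdoor file name it cites plus any .aspx file outside an allowlist (a stand-in for the web shells the article mentions but does not name). The sample log lines, file paths, and allowlist are constructed for the example; the default W3C field order and the SharePoint directory used in the sample paths are assumptions.

```python
"""Check IIS logs and a file listing for the Storm-2603 indicators named in the article.

Added example, not the article's or Microsoft's code. Only the two concrete IOCs
(source IP and backdoor file name) come from the article; everything else is a
constructed sample or a labelled assumption.
"""
from pathlib import PureWindowsPath

# IOCs named in the article (Microsoft Threat Intelligence).
KNOWN_BAD_IPS = {"65.38.121.198"}
KNOWN_BAD_FILES = {"iis_server_dll.dll"}  # compared case-insensitively

# Assumed default W3C column order; a real log states its own order in a
# "#Fields:" header line, which scan_iis_log honours when it sees one.
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
                  "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]


def scan_iis_log(lines):
    """Return one finding per request whose client IP is a known-bad address."""
    fields = DEFAULT_FIELDS
    findings = []
    for lineno, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the log defines its own column order
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        rec = dict(zip(fields, parts))
        if rec.get("c-ip") in KNOWN_BAD_IPS:
            findings.append({
                "line": lineno,
                "reason": "request from known-bad source IP",
                "ip": rec["c-ip"],
                "method": rec.get("cs-method"),
                "uri": rec.get("cs-uri-stem"),
            })
    return findings


def scan_file_listing(paths, aspx_allowlist):
    """Flag the known backdoor file name and any .aspx page not on the allowlist."""
    allow = {name.lower() for name in aspx_allowlist}
    findings = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name in KNOWN_BAD_FILES:
            findings.append({"reason": "known backdoor file name", "path": p})
        elif name.endswith(".aspx") and name not in allow:
            findings.append({"reason": "unexpected .aspx file (possible web shell)", "path": p})
    return findings


# Constructed sample IIS log (W3C format; spaces in user agents are '+' encoded in real logs).
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2025-07-21 10:02:13 10.0.0.5 GET /sites/hr/Shared%20Documents/policy.docx - 443 CORP\\alice 10.0.0.40 Mozilla/5.0 200",
    "2025-07-21 10:05:41 10.0.0.5 POST /_layouts/15/example.aspx DisplayMode=Edit 443 - 65.38.121.198 Mozilla/5.0 200",
    "2025-07-21 10:06:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\bob 10.0.0.41 Mozilla/5.0 200",
]

# Constructed sample file listing; the LAYOUTS directory is an assumed location, not from the article.
SAMPLE_FILES = [
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\start.aspx",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\dropme.aspx",
    r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\bin\IIS_Server_dll.dll",
]
ASPX_ALLOWLIST = {"start.aspx"}  # in practice: the file names shipped by your SharePoint build


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print("LOG  ", f)
    for f in scan_file_listing(SAMPLE_FILES, ASPX_ALLOWLIST):
        print("FILE ", f)
```

The allowlist check is deliberately coarse: it treats any .aspx page the administrator did not expect as worth a look, which is the right bias for a server that may already be compromised, and it avoids depending on web shell names that attackers can change at will. A real deployment would build the allowlist from a known-good installation of the same SharePoint build and run the log scan over all front-end servers.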
SharePoint continues its battle against hackers
With multiple vulnerabilities disclosed, rapid patch rollouts, and now active ransomware deployments, July has been a critical month for SharePoint users and defenders. While Microsoft continues to issue security fixes, the emergence of new attack vectors suggests that determined adversaries will likely keep probing for weaknesses.