Video Summary: WARLOCK – Rapid Rise of an Emerging Ransomware Group
00:06 Introduction
Welcome to our Cyber Shorts series with Sophos, a LinkedIn Live series focused on trending cybersecurity topics.
In this episode, we share insights to help organizations better understand and defend against cyber threats.
00:21 Meet the speakers
I’m Susie Evershed, joined by Keith Jarvis, Principal Threat Researcher at Sophos.
Today’s discussion focuses on the emergence of the WARLOCK ransomware group and what makes them notable.
00:30 Why WARLOCK matters
Sophos recently published research on WARLOCK, covering the group’s appearance on underground forums, its rapid adoption of Microsoft SharePoint vulnerabilities, and observed attacks in customer telemetry.
While many new ransomware groups appear every month, WARLOCK stands out because of how quickly it developed into an active and capable threat.
01:16 From new group to active operator
WARLOCK began activity in March and quickly evolved into a more established ransomware operator.
The group initially distributed LockBit ransomware before later using SharePoint vulnerabilities to gain access to enterprise environments and deploy its own attacks.
02:02 GOLD SALEM attribution
Sophos tracks this group as GOLD SALEM in its blog and threat profiles.
To date, the group has published around 60 victims, placing it in the middle tier of ransomware activity compared with more prolific groups such as Akira and Qilin.
02:34 Rapid adoption of SharePoint exploits
What drew significant attention to WARLOCK was its quick use of SharePoint vulnerabilities disclosed in July.
It was one of the first overtly cybercriminal groups observed using those flaws to deploy ransomware, showing a fast and effective operational model.
03:16 Why exploit speed matters
WARLOCK’s activity reflects a broader ransomware trend: rapidly exploiting newly disclosed or poorly patched vulnerabilities in internet-facing systems.
This allows threat actors to gain access at scale before organizations can fully remediate affected environments.
04:17 Questions around attribution
Microsoft suggested in July that WARLOCK operators may have a China nexus, though not necessarily any direct government connection.
Sophos notes that some tooling and techniques feel familiar, but there is not yet enough evidence to independently confirm that attribution.
05:36 Unusual victim targeting
One especially interesting aspect of the group’s activity is its targeting.
In early September, WARLOCK reportedly targeted a Russian victim, which is highly unusual in the ransomware ecosystem, where many groups typically avoid Russian and CIS organizations.
07:00 Why the targeting stands out
Attacking Russian organizations is rare and may suggest the group is not Russia-based, or is unusually bold if it is.
The group also targeted a Taiwanese company, adding to questions about its origins, motives, and broader strategic interests.
07:35 Key security protections
Organizations should focus on aggressive patch management, especially for internet-facing applications and devices.
When patches are released, teams should move quickly to remediate vulnerabilities and verify systems have not already been compromised.
08:30 Visibility and early detection
Because zero-day vulnerabilities are difficult to prevent entirely, visibility is critical.
Security instrumentation on exposed systems, especially servers like SharePoint, can help detect suspicious activity early and stop attacks before ransomware is deployed.
09:09 Strong authentication and detection tools
Multi-factor authentication should be enforced on all credentialed access, especially management interfaces exposed to the internet.
EDR and XDR capabilities are also essential for correlating endpoint, firewall, and appliance telemetry to identify attacks in progress.
09:42 Common tactics used by the WARLOCK group
WARLOCK uses a broad toolkit to gain and maintain access, including web shells, tunneling tools, and custom backdoors.
The group also uses credential theft, lateral movement, file discovery, exfiltration, and remote deployment tools in ways that will feel familiar to organizations that have dealt with ransomware incidents before.
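The visibility recommendation above (instrumenting exposed SharePoint servers so suspicious activity is caught before ransomware is deployed) and the web shells listed in the group's toolkit point to one concrete, low-cost control: baselining the server-side script files in a web root and alerting on anything new or changed outside a deployment window, since a web shell is by definition a script file that was not there before. The script below is an added example for this summary, not code from Sophos or from the talk; the `LAYOUTS` directory name and the file contents are constructed for the demonstration, the extension list is an assumption, and no real indicator from the WARLOCK research is used.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Server-side script extensions that should not appear or change in an IIS/SharePoint
# web root outside of a patch or deployment window (assumption for this example).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(web_root: Path) -> dict[str, str]:
    """Map relative POSIX-style path -> sha256 for every script file under web_root."""
    result: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SCRIPT_EXTENSIONS:
                result[p.relative_to(web_root).as_posix()] = hash_file(p)
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report script files that appeared, changed, or vanished since the baseline."""
    new = sorted(set(current) - set(baseline))
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    removed = sorted(set(baseline) - set(current))
    return {"new": new, "modified": modified, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake web root, then simulate a dropped web shell
    and a tampered existing page. Returns the diff so callers can act on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layouts = root / "LAYOUTS"          # constructed directory name
        layouts.mkdir()
        (layouts / "default.aspx").write_text("<%@ Page %> legitimate page")
        (root / "readme.txt").write_text("not a script file, ignored by the baseline")
        baseline = snapshot(root)

        # Simulated post-baseline changes (constructed, not real indicators).
        (layouts / "unexpected.aspx").write_text("<%@ Page %> file dropped after baseline")
        (layouts / "default.aspx").write_text("<%@ Page %> legitimate page + appended code")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel_path in paths:
            print(f"{kind.upper():9} {rel_path}")
```

In production the baseline would be taken immediately after patching and stored off the server, and the comparison run on a schedule or from a file-integrity monitor; any `NEW` or `MODIFIED` hit on an internet-facing server is worth a ticket, because it is exactly the kind of early signal the speakers describe catching before encryption starts.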
10:59 Effective rather than flashy
The group’s tradecraft is not especially novel, but it is competent and effective.
Its success comes from solid execution, rapid adaptation, and the ability to use proven ransomware techniques at speed.
11:15 Closing
Thank you for joining this Cyber Shorts episode.
Stay tuned for future episodes, and, for more insights, be sure to read our blog and follow our social channels.