Fast Facts
- Threat actors are exploiting Velociraptor, an open-source DFIR tool, during ransomware campaigns linked to Storm-2603, which deploys Warlock, LockBit, and Babuk ransomware.
- They initially gain access via SharePoint vulnerabilities, then escalate privileges and move laterally, modifying AD Group Policies and disabling defenses to evade detection.
- Storm-2603 exhibits sophisticated, nation-state-level tactics, including operational security measures, rapid development cycles, and infrastructure linked to Chinese actors.
- The group’s evolution from LockBit to multi-ransomware deployment, combined with advanced development practices, underscores a highly organized, flexible threat actor with military-grade capabilities.
The Core Issue
In 2025, a sophisticated threat actor identified as Storm-2603, possibly linked to Chinese nation-state actors, utilized Velociraptor, a legitimate open-source digital forensics tool, in a series of complex cyberattacks involving ransomware. These attackers exploited vulnerabilities in on-premises SharePoint, specifically the ToolShell exploit, to gain initial access to target systems, then deployed an outdated Velociraptor version susceptible to privilege escalation, enabling them to manipulate systems and escalate their privileges within networks. Their operations included creating admin accounts, lateral movement within networks, modifying Active Directory policies, disabling security defenses, and deploying multiple ransomware strains, such as Warlock, LockBit, and Babuk, often with the aim of encrypting sensitive data and evading detection through fast development cycles, operational security measures, and shared infrastructure. These activities, reported by security firms like Sophos, Cisco Talos, and Rapid7, reveal a highly organized, persistent effort indicative of nation-state-level sophistication, with the attackers demonstrating both technical innovation and strategic planning to maximize disruption and conceal their origins.
The story is reported by cybersecurity organizations monitoring and analyzing these attacks, emphasizing the threat actors’ use of legitimate tools for malicious purposes and their evolving tactics, which include leveraging zero-day exploits and deploying multiple ransomware families in rapid succession to create confusion and hinder attribution. The attackers’ systematic approach—highlighted by their structured development timeline, exploitation of vulnerabilities, and operational security measures—suggests a well-resourced and disciplined group capable of adapting quickly, with possible ties to Chinese state-sponsored hacking units. This complex campaign underscores the ongoing challenge for organizations to defend against highly coordinated cyber threats that blend legitimate cybersecurity tools with advanced hacking techniques to achieve strategic objectives.
Critical Concerns
Cyber risks stemming from malicious exploitation of tools like Velociraptor underscore the profound vulnerabilities faced by modern organizations. Threat actors, notably associated with advanced groups such as Storm-2603—linked to Chinese state-sponsored efforts—utilize these legitimate-forensic utilities to orchestrate complex ransomware campaigns involving LockBit, Warlock, and Babuk, often leveraging zero-day exploits like ToolShell to breach defenses. These operations involve meticulous lateral movement, privilege escalation, and manipulation of Active Directory settings, allowing attackers to disable security protections, exfiltrate sensitive data, and deploy destructive payloads that can cripple organizational infrastructure. The sophisticated, organized nature of these campaigns demonstrates an alarming escalation in threat actor capabilities, blurring the line between cybercriminality and state-sponsored espionage, posing serious and persistent risks to enterprise security, operational continuity, and data integrity.
Possible Remediation Steps
In the rapidly evolving landscape of cybersecurity threats, swift and effective remediation is paramount in minimizing damage and preventing future attacks. When hackers turn tools like Velociraptor into malicious weapons within LockBit ransomware attacks, the stakes are even higher, making prompt action critical to safeguard data and infrastructure.
Containment Measures
Immediately isolate affected systems to prevent further spread of the malware.
Threat Identification
Conduct thorough forensic analysis to determine the extent of compromise and identify malicious activity.
Revise Security Protocols
Update and strengthen access controls, and disable any compromised accounts or services.
Patching & Updates
Apply all relevant security patches to vulnerable systems to close exploited entry points.
Malware Removal
Use specialized tools to clean infected machines, ensuring all malicious artifacts are eradicated.
Monitoring & Detection
Enhance monitoring for unusual activity, and deploy intrusion detection systems to alert on future anomalies.
Communication & Reporting
Notify stakeholders and, where required, report the incident to authorities to ensure transparency and compliance.
Recovery & Validation
Restore systems from clean backups and verify integrity before resuming normal operations.
Continue Your Cyber Journey
Stay informed on the latest Threat Intelligence and Cyberattacks.
Explore engineering-led approaches to digital security at IEEE Cybersecurity.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
