- Warlock Ransomware Group has compromised more than 60 victims since its release in March 2025
- Sophos highlights advanced tactics, including SharePoint exploits, tunneling and credential theft
- The group claims to have sold stolen data of 45% of victims to private buyers
Security researchers are warning about a new ransomware operation that is making a name for itself fairly quickly.
Sophos detailed the operations of a group called Warlock, although different analysts have given the group different names: Warlock is also tracked as Gold Salem by Sophos and as Storm-2603 by Microsoft.
Sophos says Warlock "could be the most disturbing new strain" to emerge in some time, because the group has compromised more than 60 victims since March 2025, when it was first observed.
Is Warlock a Chinese player?
It is not only the number of victims that is worrying here. The group's operations "reflect both skill and audacity": within a few months it has exploited SharePoint vulnerabilities with a custom tool chain, abused legitimate tools such as Velociraptor for covert tunneling, deployed Mimikatz for credential theft, used PsExec and Impacket for lateral movement, and pushed the ransomware payload through Group Policy Objects (GPOs).
It also managed to solicit exploits and access on underground forums despite having no prior public footprint.
Attribution, however, is quite delicate. Microsoft describes Warlock as an "actor based in China", but Sophos maintains that the evidence is not conclusive. The group has been observed targeting organizations of all kinds, across many countries and verticals, yet it has carefully avoided targeting Russian and Chinese organizations.
There is one outlier, however: a single Russian entity was recently added to the group's data leak site. For Sophos, this suggests the group operates outside Russia's jurisdiction or sphere of influence.
Of the 60+ victims the group has added to its site, it claims to have sold the stolen data of 27 (around 45%) to private buyers.
What is notable is that data from only 32% of the victims has been publicly leaked, which suggests the rest may have paid or had their data sold privately.
Sophos also notes that the 45% claim may be inflated or outright fabricated, since ransomware groups often exaggerate their impact to bolster credibility and instill fear.