Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
The Warlock ransomware group (tracked as Water Manaul) exploits unpatched Microsoft SharePoint servers for initial access, then establishes persistent access and uses BYOVD (Bring Your Own Vulnerable Driver) techniques with the NSec driver to disable endpoint security. New remote access tools such as TightVNC and Yuze are used to mask lateral movement across the network. The attackers maintain their presence for 15 days before deploying LockBit-derived ransomware. This research documents the complete attack chain, from initial compromise through web shell installation, credential dumping, and network tunneling to the final ransomware deployment.
Related Research
Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed
Analysis of a new ransomware group with adaptive defense evasion — custom-patching anti-AV tools mid-attack based on target recon.
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
Discovered Agenda ransomware deploying Linux variants on Windows systems via remote management tools and BYOVD techniques for cross-platform evasion.
Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
Uncovered Agenda ransomware group adopting SmokeLoader and a new loader named NETXLOADER for improved delivery and evasion.
Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
Documented Cerber ransomware operators rapidly weaponizing CVE-2023-22518 in Atlassian Confluence for initial access and encryption deployment.