New Kid Warlock Steps Up Ransomware Attacks with SharePoint Exploits

Warlock — tracked as Storm 2603 and GOLD SALEM — has surged since March 2025, exploiting SharePoint and other enterprise flaws and listing dozens of victims on its leak site.

    The Warlock ransomware group has surged into view this year, mounting fast-moving attacks and posting stolen data on its leak site. Security firms now track the group under several names — Microsoft calls it Storm 2603, and Sophos labels the actor GOLD SALEM — and researchers say Warlock combines a standard ransomware playbook with unusual tactics that let it hit larger targets and sell or publish stolen files.

    Warlock began activity in early 2025 and accelerated through the summer. Sophos reports the group first moved from quiet forum posts to active extortion in March 2025. In September alone, the group claimed roughly 60 victims on a Tor-hosted “Warlock Client Data Leak Show,” the cartel’s public showcase for pressuring victims to pay or for selling exfiltrated data.

    Group Identity and Tracking

    Security vendors use several labels for the group:

    • Microsoft: Storm 2603.
    • Sophos: GOLD SALEM.
    • Public name used by the gang: Warlock, deploying a WarLock-branded ransomware variant.

    Sophos characterizes the actor as an “emerging group [that] demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity.” The firm also notes indicators that the operation may have ties to China, calling the group “suspected Beijing-backed newcomers.”

    Notable Victims and Leak Site Behavior

    Warlock’s leak site posts each victim with a short note. The listings are lighter on visual proof than some rivals’, often omitting sample images or full timestamps; instead, each entry is marked to show whether the data has been “published,” whether it has been sold, or whether the victim refused to pay.

    High-profile claims include:

    • Telecoms: Orange (France) and Colt (UK). Warlock said it stole “1 million documents” from Colt and listed an auction for full datasets.
    • Aviation: A post names the Star Alliance airlines group; Warlock marked the entry “Published” and claimed buyers obtained parts of the data.
    • Range: The gang’s public list spans small commercial and government entities to large multinational firms across North America, Europe, and South America.

    Warlock’s leak site also hosts an FAQ that justifies some public releases. In it the group wrote, “We strongly condemn irresponsible companies,” adding that for very large enterprises “stolen information will not be fully disclosed,” while smaller clients may see full publication or sale.

    Tactics, Techniques, and Procedures

    Sophos and other researchers detail a mix of custom tooling and tried-and-true methods used by Warlock:

    • Exploitation Requests: The actor posted on underground forums seeking exploits for enterprise apps such as Veeam, VMware ESXi, and SharePoint, and asked for tools to disrupt endpoint detection and response.
    • Zero-Day and Web Shells: In July, Warlock was observed exploiting a SharePoint zero-day that earlier attracted nation-state activity. The group deployed web shells and a ToolShell chain to gain persistence.
    • Custom Servers: Researchers observed a Golang-based WebSockets server used for persistence and covert communications.
    • Legitimate Tools Abused: Warlock misused Velociraptor for covert tunneling and remote management.
    • Credential Theft and Lateral Movement: Mimikatz for credential harvesting, PsExec and Impacket for lateral movement, and Group Policy Objects (GPOs) to push ransomware payloads.
    • Data Monetization: The cartel auctions or sells data sets, sometimes publishing parts publicly if ransom talks stall.
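    The tooling above (PsExec service installs, Mimikatz-style LSASS access, Impacket lateral movement, GPO edits, and an unexpected Velociraptor agent) leaves well-known traces in Windows telemetry. The following is an added detection sketch, not code from the article or from any vendor named in it: it runs a handful of rules over constructed Windows System, Security, and Sysmon events. The event records, host names, the `EXPECTED_VELOCIRAPTOR_HOSTS` and `TRUSTED_GPO_EDITORS` allowlists, and the threshold values are all assumptions chosen for illustration; a real deployment would source them from the environment’s own inventory.

```python
"""Added example: rule-based triage of Windows events for the tradecraft described above."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str

# Assumed allowlists (constructed): where a Velociraptor agent is legitimately deployed,
# and which accounts are permitted to edit Group Policy objects.
EXPECTED_VELOCIRAPTOR_HOSTS = {"DC01"}
TRUSTED_GPO_EDITORS = {"gpo_admin"}

# Sysmon Event 10 GrantedAccess masks commonly associated with credential dumping from LSASS.
LSASS_DUMP_MASKS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}

# Impacket's wmiexec redirects command output to an ADMIN$ share on the loopback address.
WMIEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", re.IGNORECASE)

# Constructed sample telemetry (not real events from any incident).
SAMPLE_EVENTS = [
    {"source": "System", "id": 7045, "host": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"source": "Sysmon", "id": 10, "host": "DC01", "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"source": "Security", "id": 4688, "host": "WS07", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.12 2>&1"},
    {"source": "Security", "id": 5136, "host": "DC01", "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCFileSysPath", "SubjectUserName": "svc_backup"},
    {"source": "System", "id": 7045, "host": "WS07", "ServiceName": "Velociraptor",
     "ImagePath": r"C:\ProgramData\vr\velociraptor.exe", "AccountName": "LocalSystem"},
    {"source": "Security", "id": 4688, "host": "WS07", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},  # benign control event, should not match
]

def evaluate(ev: dict) -> Optional[Finding]:
    """Return a Finding for the first rule the event matches, or None."""
    src, eid, host = ev.get("source"), ev.get("id"), ev.get("host", "?")

    # Rule 1/2: new service installs (System 7045) for PsExec or an unexpected Velociraptor agent.
    if src == "System" and eid == 7045:
        name = ev.get("ServiceName", "")
        image = ev.get("ImagePath", "")
        if name.upper() == "PSEXESVC":
            return Finding("psexec_service_install", host, image)
        if "velociraptor" in (name + image).lower() and host not in EXPECTED_VELOCIRAPTOR_HOSTS:
            return Finding("unexpected_velociraptor_agent", host, image)

    # Rule 3: a process opening LSASS with an access mask typical of credential dumping.
    if src == "Sysmon" and eid == 10:
        target = ev.get("TargetImage", "").lower()
        if target.endswith("\\lsass.exe") and ev.get("GrantedAccess", "").lower() in LSASS_DUMP_MASKS:
            return Finding("lsass_credential_access", host, ev.get("SourceImage", ""))

    # Rule 4: process creation whose command line carries the wmiexec output-redirect artifact.
    if src == "Security" and eid == 4688 and WMIEXEC_RE.search(ev.get("CommandLine", "")):
        return Finding("impacket_wmiexec_pattern", host, ev.get("CommandLine", ""))

    # Rule 5: a Group Policy container modified by an account outside the trusted editor set.
    if src == "Security" and eid == 5136:
        actor = ev.get("SubjectUserName", "")
        if ev.get("ObjectClass") == "groupPolicyContainer" and actor not in TRUSTED_GPO_EDITORS:
            return Finding("gpo_modified_by_untrusted_account", host,
                           f"{actor} changed {ev.get('AttributeLDAPDisplayName', '')}")
    return None

def detect(events: list) -> list:
    """Run every event through the rules and collect the findings in input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

    Each rule keys on a single artifact, so the value comes from correlating the findings per host within a short window: a PsExec service install followed by LSASS access and a GPO edit on a domain controller is the sequence the researchers describe, and it is far more actionable than any one of those alerts alone.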

    Microsoft previously flagged related activity following a SharePoint zero-day exploit chain observed on July 18th; that earlier campaign was linked to another China-aligned actor, showing that multiple groups sought to exploit the same vulnerable servers before or after patches were released.

    Timeline and Public Footprint

    • March 2025: Warlock begins extortion activity, per Sophos.
    • June 2025: First public posts by a Warlock representative on Ramp, a Russian forum, soliciting exploits.
    • July 2025: Microsoft and other vendors detect SharePoint exploitation tied to multiple actors; Warlock leverages the same weakness in on-premises SharePoint servers.
    • August 2025: Claims against Orange and Colt surface on the gang’s leak site.
    • September 2025: Sophos notes roughly 60 victims listed and ongoing sales and publications of stolen data.

    Research Findings and Industry Ranking

    Sophos ranks Warlock among the top 20 most active ransomware actors over the past 12 months, citing both volume and rapid escalation. The firm highlights the group’s mix of custom tooling and familiar attacker moves as key to its recent success.

    Researchers caution that Warlock’s approach — combining forum-sourced exploits, targeted zero-day use, and misuse of legitimate admin tools — makes it adaptable. The group’s public-facing marketplace and selective publication practices help it monetize theft while keeping pressure on victims to negotiate.

    What the Gang Says Publicly

    Warlock’s leak site mixes sales notices with short statements on victim handling. In one FAQ entry the group said:

    “We strongly condemn irresponsible companies. Due to some clients not contacting us, we have chosen to publicly release their data, available for free download by anyone.”

    For very large clients with “highly sensitive data,” the group adds, “the stolen information will not be fully disclosed,” implying separate private sale channels or selective handling.

    Security vendors base analysis on observed infrastructure, forensic indicators and the gang’s own posts. Microsoft and Sophos have published tracking names and technical notes. In several incidents Warlock’s samples and leak-site postings match forensic traces found in victim environments, supporting the link between the actor and the claims.
