Warlock Ransomware Group Enhances Attack Techniques with BYOVD and Remote Access Tools

Warlock Ransomware Group Enhances Attack Techniques with BYOVD and Remote Access Tools

First seen 16 Mar 2026, 18:22 UTC TrendmicroDarkreadingRescana 93% similarity 71.5

Article Content

Browse articles
ThreatCluster

The Warlock ransomware group, also known as Water Manaul, has escalated its attack methods by exploiting unpatched Microsoft SharePoint servers and employing new tactics for persistence and lateral movement. Recent investigations revealed that Warlock has integrated a Bring Your Own Vulnerable Driver (BYOVD) technique targeting the NSec driver, enhancing its ability to evade detection. The group primarily targets the technology, manufacturing, and government sectors across the US, Germany, and Russia. Their toolkit now includes TightVNC for remote access and Yuze as a reverse proxy, allowing for stealthy operations within victim networks. In early January 2026, Warlock operators spent 15 days in a victim's network before deploying ransomware, indicating a significant shift towards prolonged infiltration strategies. The ransomware deployed has a .x2anylock extension and is derived from LockBit. The expanded toolset allows for multiple command-and-control channels that blend with legitimate traffic, showcasing the group's commitment to operational resilience. The attack methods and tools used by Warlock pose a serious threat to organizations still using vulnerable SharePoint servers.

Key Points: • Warlock ransomware exploits unpatched Microsoft SharePoint servers for initial access. • New BYOVD technique targets the NSec driver for enhanced evasion and persistence. • The group has expanded its toolkit to include TightVNC and Yuze for stealthy operations.

ThreatCluster AI

Timeline

2025-07-08
CVE-2025-49706 published; added to CISA KEV for active exploitation
2025-07-20
CVE-2025-53771 published
2025-07-20
CVE-2025-53770 published
2025-07-22
CVE-2025-49704 added to CISA KEV for active exploitation
2026-01-05
Warlock operators spent 15 days in a victim's network
2026-03-16
Trend Micro publishes detailed report on Warlock's tactics
2026-03-17
Darkreading reports on Warlock's enhanced post-exploitation techniques

Community

Browse all →