Warlock Ransomware Group Enhances Attack Techniques with BYOVD and Remote Access Tools
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The Warlock ransomware group, also known as Water Manaul, has escalated its attack methods by exploiting unpatched Microsoft SharePoint servers and employing new tactics for persistence and lateral movement. Recent investigations revealed that Warlock has integrated a Bring Your Own Vulnerable Driver (BYOVD) technique targeting the NSec driver, enhancing its ability to evade detection. The group primarily targets the technology, manufacturing, and government sectors across the US, Germany, and Russia. Their toolkit now includes TightVNC for remote access and Yuze as a reverse proxy, allowing for stealthy operations within victim networks. In early January 2026, Warlock operators spent 15 days in a victim's network before deploying ransomware, indicating a significant shift towards prolonged infiltration strategies. The ransomware deployed has a .x2anylock extension and is derived from LockBit. The expanded toolset allows for multiple command-and-control channels that blend with legitimate traffic, showcasing the group's commitment to operational resilience. The attack methods and tools used by Warlock pose a serious threat to organizations still using vulnerable SharePoint servers.
Key Points: • Warlock ransomware exploits unpatched Microsoft SharePoint servers for initial access. • New BYOVD technique targets the NSec driver for enhanced evasion and persistence. • The group has expanded its toolkit to include TightVNC and Yuze for stealthy operations.