Microsoft Says SharePoint Attacks Now Include Ransomware
A China-linked threat actor has been observed exploiting SharePoint servers to deliver Warlock ransomware, according to researchers at the tech giant.
A China-linked threat actor has been observed exploiting SharePoint servers to deliver ransomware, according to Microsoft researchers, in the latest sign of worsening impacts from the widespread attacks targeting on-premises SharePoint Server customers.
In an update to Microsoft’s threat intelligence blog on the wave of attacks, the researchers disclosed new evidence of ransomware deployment against SharePoint Server customers, which they attribute to a China-based threat actor tracked as Storm-2603.
[Related: Victims Mounting In Microsoft SharePoint Attacks: Researchers]
The threat actor had previously been identified by Microsoft as being involved in the “ToolShell” SharePoint attacks. But researchers updated the blog Wednesday evening to note that Storm-2603 has been observed delivering Warlock ransomware as part of its activity exploiting vulnerabilities in on-premises SharePoint servers.
“Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities,” the researchers wrote.
The threat actor has previously been known to deploy both Warlock and LockBit ransomware, Microsoft’s threat research team said.
Two other Chinese nation-state threat groups, tracked as Linen Typhoon and Violet Typhoon, have also been observed exploiting the SharePoint Server vulnerabilities, according to Microsoft. Linen Typhoon primarily targets theft of intellectual property while Violet Typhoon focuses on espionage, the researchers have said.
“Additional actors will continue to use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately,” Microsoft researchers said in the post.
Cybersecurity vendor Eye Security—which is credited with first disclosing the SharePoint Server attacks late last week—said Wednesday that it has discovered compromises of more than 400 SharePoint systems so far across multiple waves of attacks.
Victims of the attacks have included multiple U.S. government agencies, according to media reports. Following a Bloomberg report, the Department of Energy confirmed Wednesday that it was impacted by the attacks, with the National Nuclear Security Administration among the agencies affected.
Microsoft has released all patches for on-premises SharePoint Servers to protect against the wave of compromises, but attackers will be looking to exploit the vulnerabilities for months to come, researchers have told CRN.
In part, that’s because patching alone does not evict an attacker who is already present: rotating the servers’ machine keys is a further essential step to ensure attackers no longer retain access to those systems, the experts said.
“This is not a situation where you patch and you’re done,” said Nick Hyatt, senior threat intelligence analyst at Herndon, Va.-based GuidePoint Security, in a previous interview with CRN.
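As an added illustration of the remediation step the experts describe above (this is example code, not from the article, from Microsoft or from GuidePoint), the following PowerShell rotates the machine keys for every web application in a SharePoint farm after the security update has been applied and then restarts IIS. It assumes a SharePoint Server version that ships the `Update-SPMachineKey` cmdlet, a farm-administrator account, and a patched build number taken from the vendor advisory (the placeholder below must be replaced).

```powershell
# Added example (not from the article): patch first, then rotate machine keys,
# then restart IIS. Assumes Update-SPMachineKey exists in the installed
# SharePoint version and that this runs under a farm administrator account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Refuse to rotate keys on an unpatched farm: rotation without the fix only
# buys time until the server is exploited again.
# PLACEHOLDER: set this to the patched build number from the vendor advisory.
$minPatchedBuild = [Version]'0.0.0.0'
$farm = Get-SPFarm
if ($farm.BuildVersion -lt $minPatchedBuild) {
    throw "Farm build $($farm.BuildVersion) is below the patched build; apply the security update first."
}

# Rotate keys for each web application (including Central Administration)
# and keep a per-application record for the incident log.
$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $webApp
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# Worker processes only pick up the new keys after an IIS restart; this must be
# repeated on every SharePoint server in the farm.
if ($results.Rotated -notcontains $false) {
    iisreset.exe /noforce
} else {
    Write-Warning "One or more rotations failed; fix those before restarting IIS."
}
```

Keep the per-application results with the incident record, since a failed rotation leaves the old keys, and therefore any attacker holding them, valid on that web application.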