Attribution and the ransomware cocktail: Talos links the campaign to Storm-2603, a suspected China-based threat actor, citing matching TTPs such as the use of ‘cmd.exe’, disabling Defender protections, creating scheduled tasks, and manipulating Group Policy Objects. The use of multiple ransomware strains in a single operation (Warlock, LockBit, and Babuk) also bolstered confidence in this attribution.

“Talos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension ‘xlockxlock’,” the researchers added. “There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with ‘.babyk’.”

Talos researchers added that the presence of Babuk ransomware in this breach is new. Storm-2603 has not publicly been tied to Babuk before this, while its deployment of Warlock and LockBit in the same attack was previously reported. A double-extortion strategy was also evident: attackers exfiltrated sensitive data using a stealthy PowerShell script that suppressed progress reporting and included delays to evade sandbox detection.

Talos urged defenders to verify the integrity and version of all Velociraptor deployments, ensuring they are updated to version 0.73.5 or later, which patches the privilege-escalation flaw CVE-2025-6264. The disclosure follows another case this week of legitimate, open-source software being turned malicious; the earlier one involved China-linked hackers weaponizing the Nezha RMM tool to deploy GhostRAT.
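The mitigation above, verifying the integrity and version of every Velociraptor deployment, is easy to get wrong with a naive string compare because Velociraptor's minor component runs past single digits (0.7.3 sorts above 0.73.5 as text). The script below is an added example written for this page, not code from Talos or from the Velociraptor project: it parses version strings into numeric tuples, flags deployments below the patched 0.73.5 named in the article, and computes a SHA-256 for an on-disk binary so it can be compared with the hash published for a known-good release. The hostnames, version strings, and the `EXPECTED_SHA256` placeholder are constructed sample values, not real data.

```python
"""Inventory check for Velociraptor deployments (added example, constructed data).

Flags hosts running a version older than the patched minimum and provides a
SHA-256 helper for comparing a deployed binary against a published hash.
"""
import hashlib
import re
from typing import Iterable, List, Tuple

# Minimum version that, per the article, patches CVE-2025-6264.
MIN_PATCHED = "0.73.5"

# Placeholder only: substitute the hash published for the release you deploy.
EXPECTED_SHA256 = "<known-good-release-sha256>"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.73.5', 'v0.73.5' or '0.73.5-rc1' into a comparable tuple.

    Numeric tuple comparison is what makes (0, 7, 3) < (0, 73, 5); a plain
    string comparison would rank '0.7.3' above '0.73.5'.
    """
    core = v.strip().lstrip("vV").split("-")[0]
    parts = re.findall(r"\d+", core)
    if not parts:
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, minimum: str = MIN_PATCHED) -> bool:
    """True when version is at or above the patched minimum.

    A short string such as '0.73' compares below (0, 73, 5) and is treated
    as not patched, which is the safe default for an unknown patch level.
    """
    return parse_version(version) >= parse_version(minimum)


def outdated_deployments(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs that still need the update."""
    return [(host, ver) for host, ver in inventory if not is_patched(ver)]


def sha256_hexdigest(data: bytes) -> str:
    """SHA-256 of an in-memory blob; used by file_sha256 and directly testable."""
    return hashlib.sha256(data).hexdigest()


def file_sha256(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a binary from disk and return its SHA-256 for comparison with
    the hash published for the release (integrity half of the check)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("dfir-01.example.internal", "0.73.5"),   # exactly the patched release
    ("dfir-02.example.internal", "0.7.3"),    # old; string compare would miss it
    ("dfir-03.example.internal", "v0.73.4"),  # one patch level short
    ("dfir-04.example.internal", "0.74.0"),   # newer than the minimum
]

if __name__ == "__main__":
    for host, ver in outdated_deployments(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host} runs {ver} (< {MIN_PATCHED})")
```

Feed `outdated_deployments` whatever your asset inventory or fleet-management export produces as (host, version) pairs; the integrity half is `file_sha256("/path/to/velociraptor") == EXPECTED_SHA256` once the placeholder is replaced with the published hash for the release you actually ship.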
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4070854/open-source-dfir-velociraptor-was-abused-in-expanding-ransomware-efforts.html

