Ransomware operators are using Velociraptor, an open-source digital forensics and incident response tool, in their attacks. The activity is attributed to Storm-2603, a China-based threat actor. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines and Windows servers. They installed an outdated version of Velociraptor that is vulnerable to privilege escalation. The actors modified Active Directory GPOs to impair defenses, deployed a fileless PowerShell encryption script, and exfiltrated data. The campaign also involved creating administrator accounts, accessing VMware vSphere, and using Smbexec for remote program execution. Mitigation recommendations include following ransomware safeguards and patching the ToolShell vulnerabilities.
Author: AlienVault
Related Tags:
velociraptor
cve-2025-6264
Warlock
Vasa Locker
Babyk
Babuk – S0638
data-exfiltration
privilege-escalation
babuk
Associated Indicators:
409A8FE50DEB42FC7AFC526816FD037F1BF2D709
9CD740D0DE919819AD00F73665C40500
65.38.121.226