The Warlock ransomware group (also tracked as Water Manaul) has significantly enhanced its post-exploitation capabilities in recent attacks. While continuing to exploit unpatched Microsoft SharePoint servers for initial access, the group now employs a new bring-your-own-vulnerable-driver (BYOVD) technique that loads the NSecKrnl.sys driver to disable security products from kernel mode, deploys TightVNC for persistent remote access, and uses the Yuze reverse proxy tool to blend command-and-control traffic with legitimate network activity. Trend Micro researchers observed a January attack in which the group spent 15 days inside a victim network before deploying ransomware. Defenders are advised to patch SharePoint vulnerabilities immediately, enforce MFA, monitor for anomalous driver loads, and watch for abuse of legitimate administration tools such as VNC servers and reverse proxies.
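The "monitor for anomalous driver activity" advice is easiest to act on at the driver-load event. The script below is an added example and is not code from the Trend Micro write-up or from the Warlock toolset: it runs a small triage over driver-load records rendered as JSON with the field names Sysmon uses for Event ID 6 (ImageLoaded, Signed, Signature, SignatureStatus). The sample records are constructed for the example, the watchlist contains only the driver name the article mentions, and the "outside the system driver directory" rule is a heuristic assumption, not a claim about how Warlock stages the driver.

```python
import json
from typing import Dict, Iterable, List

# Driver file names to alert on regardless of signature state. NSecKrnl.sys is
# the driver named in the Trend Micro research; extend this set from your own
# threat intel and from Microsoft's recommended driver block rules.
WATCHLIST_DRIVERS = {"nseckrnl.sys"}

# Legitimate kernel drivers normally live here; a driver loaded from a user
# writable path is worth a second look (heuristic assumption for this example).
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon-style records (Event ID 6 = DriverLoad, Event ID 1 =
# ProcessCreate). These are invented for the example, not captured telemetry.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 6,
                "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
                "Signed": "true", "Signature": "Microsoft Windows",
                "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6,
                "ImageLoaded": "C:\\Users\\Public\\NSecKrnl.sys",
                "Signed": "true", "Signature": "Example Vendor",
                "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6,
                "ImageLoaded": "C:\\Temp\\helper.sys",
                "Signed": "false", "Signature": "-",
                "SignatureStatus": "Unavailable"}),
    json.dumps({"EventID": 1,
                "Image": "C:\\Program Files\\TightVNC\\tvnserver.exe"}),
]


def classify_driver_load(event: Dict) -> List[str]:
    """Return the reasons a DriverLoad event is suspicious (empty list if none).

    A BYOVD driver is usually validly signed, so signature checks alone miss it;
    the watchlist and load-path rules are what catch the NSecKrnl.sys case.
    """
    reasons: List[str] = []
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()

    if name in WATCHLIST_DRIVERS:
        reasons.append(f"watchlisted driver {name}")

    if not path.lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append(f"driver loaded from outside the system driver directory: {path}")

    signed = event.get("Signed", "").lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature did not validate")

    return reasons


def scan(lines: Iterable[str]) -> List[Dict]:
    """Run the driver-load triage over JSON log lines and collect findings."""
    findings: List[Dict] = []
    for raw in lines:
        event = json.loads(raw)
        if event.get("EventID") != 6:      # only DriverLoad events are triaged here
            continue
        reasons = classify_driver_load(event)
        if reasons:
            findings.append({"image": event["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["image"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed input the Microsoft-signed ndis.sys produces no finding, NSecKrnl.sys is flagged twice (watchlist hit and non-standard load path) even though its signature validates, and the unsigned helper.sys is flagged for both path and signature. In production, feed this the same fields from Sysmon or your EDR, and treat a watchlist hit on a validly signed driver as the BYOVD signal it is rather than discounting it because the signature is good.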
Table of contents

- Rapid Evolution of a Nascent Group
- Warlock's Post-Exploitation Activity Enhancements
- Defending Against Warlock