Full Report
SmarterTools confirmed last week that the Warlock (aka Storm-2603) ransomware gang breached its network by exploiting an unpatched SmarterMail instance. The incident took place on January 29, 2026, when a mail server that was not updated to the latest version was compromised, the company's Chief Commercial Officer, Derek Curtis, said. "Prior to the breach, we had approximately 30 servers/VMs
Analysis Summary
# Incident Report: Warlock Ransomware Breach at SmarterTools
## Executive Summary
On January 29, 2026, SmarterTools experienced a network breach by the Warlock (Storm-2603) ransomware group, which exploited an unpatched instance of the company's own SmarterMail software. The attackers gained initial access, established persistence with the Velociraptor tool, took over Active Directory and then attempted to deploy ransomware, with hosted customers using SmarterTrack the most affected. SmarterTools confirmed that its core business services were not impacted.
## Incident Details
- **Discovery Date:** Not explicitly stated, but confirmation occurred "last week" relative to the February 10, 2026 publication date.
- **Incident Date:** January 29, 2026
- **Affected Organization:** SmarterTools
- **Sector:** Software/Technology (Email Server Provider)
- **Geography:** Not disclosed (Implied US based on reporting entity's context)
## Timeline of Events
### Initial Access
- **Date/Time:** January 29, 2026 (or prior)
- **Vector:** Exploitation of an unpatched SmarterMail instance.
- **Details:** Attackers exploited an unspecified SmarterMail vulnerability (the report points to **CVE-2026-23760** or **CVE-2026-24423** as candidates) on a single VM hosting SmarterMail that was not tracked by the company's management processes and had not been updated.
### Lateral Movement
- **Date/Time:** Not stated; the report estimates 2–4 days after initial access (early February 2026) from the group's typical operating pattern, consistent with the CCO placing payload deployment 6–7 days after access.
- **Vector:** Active Directory compromise and user creation.
- **Details:** Attackers gained control of the Active Directory server and created new user accounts. This allowed them to move into the broader office network and eventually impact the secondary data center used for QC tests.
### Data Exfiltration/Impact
- **Date/Time:** Approximately 6-7 days after initial access (per CCO statement).
- **Impact:** **Attempted ransomware deployment** and system encryption on approximately 12 Windows servers and the secondary QC data center. Hosted customer environments using SmarterTrack were most affected because they were more accessible post-breach.
- **Mitigation:** Core business services (website, shopping cart, My Account portal) were *not* affected.
### Detection & Response
- **Date/Time:** Not explicitly stated for detection.
- **Response actions taken:** SmarterTools acknowledged the breach and explained the cause (unpatched server). Remediation involved stopping the ransomware deployment and addressing the environmental factors that led to the compromise of hosted customers.
## Attack Methodology
- **Initial Access:** Exploitation of a vulnerable, unpatched SmarterMail server (likely involving **CVE-2026-23760** to bypass authentication and reset administrator passwords, chained with the "Volume Mount" feature for system control).
- **Persistence:** Installation of **Velociraptor** (a legitimate DFIR tool repurposed by the threat actor) via a malicious MSI installer downloaded from Supabase.
- **Privilege Escalation:** Gaining control of the **Active Directory server** to create new users.
- **Defense Evasion:** Use of a legitimate, signed DFIR agent (Velociraptor) as the remote-access channel instead of a conventional malware implant; this tradecraft has previously been attributed to the group.
- **Credential Access:** Implied through Active Directory takeover.
- **Discovery:** Unknown, but standard for reconnaissance prior to ransomware deployment.
- **Lateral Movement:** Moving from the initial mail server to 12 Windows servers and a secondary QC data center via AD compromise.
- **Collection:** Not described in the report.
- **Exfiltration:** Not mentioned in the report; common in ransomware operations but unconfirmed here.
- **Impact:** Encryption payload deployment targeting internal servers and hosted customer environments.
*Note: Specific TTPs for Privilege Escalation, Credential Access, Discovery, Collection, and Exfiltration are not detailed in the context, but inferred based on the ransomware deployment and AD compromise.*
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** The report does not disclose the volume or type of any customer data compromised; the confirmed impact is the targeting of internal servers and hosted customer environments for encryption.
- **Operational:** Hosted customers using SmarterTrack were impacted, while the company's core business services (website, shopping cart, My Account portal) were unaffected. Per the CCO, the environment held approximately 30 servers/VMs before the breach, of which about 12 Windows servers on the office network plus the secondary QC data center were confirmed affected.
- **Reputational:** SmarterTools issued a confirmation and explanation via their CCO.
## Indicators of Compromise
- **Network indicators:** The malicious MSI installer was downloaded from Supabase (a legitimate cloud platform abused for payload staging); no specific URL or IP address is given in the report.
- **File indicators:** `v4.msi` (malicious installer).
- **Behavioral indicators:** Installation and staging of **Velociraptor** framework (a known tool used by Warlock/Storm-2603).
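The behavioral indicators above (an MSI named `v4.msi` pulled from Supabase, followed by Velociraptor being installed as persistence) translate into a small correlation rule. The following is an added example, not code from SmarterTools or the original report: it runs over constructed Sysmon/System-log style JSON records, flags each stage of the download, drop, silent-install and service-registration chain, and reports a host only when the persistence agent appears or the full chain completes. The `.supabase.co` hostname suffix, the `Velociraptor` service name and the user-writable path list are assumptions, as are all sample events.

```python
"""Detect Velociraptor staging in constructed Windows telemetry (added example)."""
import json
import re

# Constructed sample events in a simplified Sysmon / System-log JSON shape.
# They are not telemetry from the SmarterTools incident. Event IDs: Sysmon 1
# (process create), 3 (network connect), 11 (file create); System 7045
# (new service installed).
SAMPLE_EVENTS = r"""
{"host": "MAIL01", "event_id": 3, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_host": "xyzproject.supabase.co", "dest_port": 443}
{"host": "MAIL01", "event_id": 11, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target_filename": "C:\\Users\\Public\\v4.msi"}
{"host": "MAIL01", "event_id": 1, "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /i C:\\Users\\Public\\v4.msi /qn"}
{"host": "MAIL01", "event_id": 7045, "service_name": "Velociraptor", "image_path": "\"C:\\Program Files\\Velociraptor\\Velociraptor.exe\" service run"}
{"host": "WEB02", "event_id": 1, "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /i C:\\ProgramData\\Corp\\Deploy\\agent.msi /qn"}
{"host": "WEB02", "event_id": 3, "image": "C:\\Windows\\System32\\svchost.exe", "dest_host": "update.microsoft.com", "dest_port": 443}
"""

# Directories an unprivileged user or a web/mail service account can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")
# Supabase storage hostname suffix: an assumption about where the MSI was hosted.
STAGING_HOST_SUFFIX = ".supabase.co"
# Default service name of the Velociraptor MSI: an assumption about the tool.
AGENT_NAME = "velociraptor"

MSI_ARG = re.compile(r'/(?:i|package)\s+(?:"([^"]+\.msi)"|(\S+\.msi))', re.I)


def parse_events(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def _msi_path(command_line):
    """Return the .msi argument of an msiexec /i or /package command line."""
    m = MSI_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(ev):
    """Names of the rules a single event matches (empty list if none)."""
    hits = []
    eid = ev.get("event_id")
    if eid == 3 and ev.get("dest_host", "").lower().endswith(STAGING_HOST_SUFFIX):
        hits.append("egress_to_supabase")
    if eid == 11:
        target = ev.get("target_filename", "")
        if target.lower().endswith(".msi") and _is_user_writable(target):
            hits.append("msi_dropped_in_user_writable_path")
    if eid == 1 and ev.get("image", "").lower().endswith("\\msiexec.exe"):
        cmd = ev.get("command_line", "")
        path = _msi_path(cmd)
        # Silent (/q*) install of a package sitting in a user-writable directory.
        if path and _is_user_writable(path) and re.search(r"\s/q", cmd, re.I):
            hits.append("silent_msi_install_from_user_writable_path")
    if eid == 7045:
        blob = (ev.get("service_name", "") + " " + ev.get("image_path", "")).lower()
        if AGENT_NAME in blob:
            hits.append("velociraptor_service_installed")
    return hits


DROP_CHAIN = {
    "egress_to_supabase",
    "msi_dropped_in_user_writable_path",
    "silent_msi_install_from_user_writable_path",
}


def correlate(events):
    """Per-host verdicts: a host is reported when the agent service appears
    or when the full download -> drop -> silent-install chain is seen."""
    per_host = {}
    for ev in events:
        for hit in evaluate(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {
        host: sorted(hits)
        for host, hits in per_host.items()
        if "velociraptor_service_installed" in hits or DROP_CHAIN <= hits
    }


if __name__ == "__main__":
    for host, hits in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: possible Velociraptor staging -> {', '.join(hits)}")
```

Each single rule is low fidelity on its own (MSI installs and cloud-storage egress are common), which is why the verdict requires either the chain or the agent service; in an environment that legitimately runs Velociraptor, the 7045 rule should additionally compare the installed service against the approved deployment path and signer.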
## Response Actions
- **Containment:** Not explicitly detailed, but implied cessation of the ransomware’s execution phase.
- **Eradication:** Unknown cleanup actions taken after identifying the scope of compromise (12 servers and QC environment).
- **Recovery:** Presumably patching all SmarterMail instances (including the forgotten VM) to build 9511 or newer.
## Lessons Learned
- **Criticality of Patch Management:** A single, unmanaged/unupdated VM allowed full network compromise, underlining the risk of configuration sprawl and forgotten assets.
- **Threat Actor Timeline:** In this incident the attackers spent roughly 6–7 days between initial access and payload deployment (per the CCO). That dwell time is the detection window: staging activity (persistence tooling, AD account creation) has to be caught before encryption begins.
- **Visibility Gap:** SmarterTools was unaware of one VM hosting production software, highlighting gaps in asset management.
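The visibility gap described above is a reconciliation problem: the asset record and what is actually running had drifted apart. The following is an added example, not code from SmarterTools or the original report, showing the check in its simplest form. It compares a constructed list of discovered hosts (as a hypervisor or cloud API would report them) against a constructed CMDB and reports three kinds of drift: hosts nobody manages, SmarterMail builds below the fixed build 9511 named in the report, and CMDB records with no host behind them. All hostnames, owners and build numbers are invented, and the integer build format is an assumption.

```python
"""Reconcile discovered SmarterMail instances against the asset record (added example)."""

FIXED_BUILD = 9511  # build the report names as the patched SmarterMail version

# Constructed: what the hypervisor / cloud API reports is actually running.
# Hosts and build numbers are invented; the integer build format is an assumption.
DISCOVERED = [
    {"host": "mail01", "product": "SmarterMail", "build": 9511},
    {"host": "mail02", "product": "SmarterMail", "build": 9447},
    {"host": "qc-mail-old", "product": "SmarterMail", "build": 8998},
    {"host": "track01", "product": "SmarterTrack", "build": 9300},
]

# Constructed: what the CMDB / patch-management tool believes it manages.
CMDB = {
    "mail01": {"owner": "messaging", "auto_update": True},
    "mail02": {"owner": "messaging", "auto_update": False},
    "mail03": {"owner": "messaging", "auto_update": True},  # decommissioned, record never removed
    "track01": {"owner": "support", "auto_update": True},
}


def reconcile(discovered, cmdb, fixed_build=FIXED_BUILD):
    """Three classes of drift: running hosts the CMDB does not know (the
    'forgotten VM'), SmarterMail builds below the fixed build, and CMDB
    records with no running host behind them."""
    cmdb_hosts = {h.lower(): rec for h, rec in cmdb.items()}
    seen = set()
    findings = {"unmanaged": [], "outdated": [], "stale_record": []}
    for inst in discovered:
        host = inst["host"].lower()
        seen.add(host)
        if host not in cmdb_hosts:
            findings["unmanaged"].append(host)
        if inst["product"].lower() == "smartermail" and inst["build"] < fixed_build:
            findings["outdated"].append((host, inst["build"]))
    findings["stale_record"] = sorted(h for h in cmdb_hosts if h not in seen)
    return findings


def prioritize(findings):
    """Hosts that are both unmanaged and outdated come first: nobody is
    patching them and they are already exposed."""
    outdated = {h: b for h, b in findings["outdated"]}
    first = [h for h in findings["unmanaged"] if h in outdated]
    rest = [h for h in outdated if h not in first]
    return first + rest


if __name__ == "__main__":
    result = reconcile(DISCOVERED, CMDB)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    print("patch order:", prioritize(result))
```

The discovery side must come from a source the attacker cannot edit and the CMDB cannot influence (hypervisor inventory, cloud API, authenticated network scan); reconciling the CMDB against itself would never have surfaced the unmanaged VM.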
## Recommendations
- Implement a comprehensive, automated asset inventory and configuration management solution to ensure all devices running critical software (like SmarterMail) are tracked and automatically patched.
- Enforce strict segmentation between the office network, the QC data center and hosted customer environments (SmarterTrack), so that compromise of one internal host cannot reach customer-hosted systems.
- Regularly audit Active Directory configurations and alert on user account creation outside the standard provisioning process (Security log Event ID 4720), together with additions to privileged groups (Event IDs 4728, 4732 and 4756).
- Review SmarterMail deployment standards to ensure the "forgotten server" scenario cannot recur (e.g., mandated auto-update policies or centralized deployment).
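The Active Directory recommendation can be implemented as a small audit over Security-log records. The following is an added example, not code from SmarterTools or the original report: it runs over constructed 4720 (account created) and 4728/4732/4756 (member added to group) records, flags creations performed by anything other than the IAM automation account or outside the change window, flags privileged group additions, and raises a critical finding when a freshly created account is granted privilege within an hour, which is the pattern described in the Lateral Movement section. The `svc_identity` account name, the 08:00–18:00 UTC change window, the privileged group list and every sample record are assumptions.

```python
"""Audit AD account creation and privileged group changes (added example)."""
import json
from datetime import datetime, timedelta

# Constructed Security-log records (not from the incident), reduced to the fields
# the rules need. 4720 = user account created; 4728 / 4732 / 4756 = member added
# to a security-enabled global / local / universal group.
SAMPLE_SECURITY_EVENTS = r"""
{"time": "2026-02-02T03:12:41Z", "host": "DC01", "event_id": 4720, "subject_user": "jdoe", "target_user": "svc_backup2"}
{"time": "2026-02-02T03:13:05Z", "host": "DC01", "event_id": 4728, "subject_user": "jdoe", "member": "svc_backup2", "group_name": "Domain Admins"}
{"time": "2026-02-03T14:00:10Z", "host": "DC01", "event_id": 4720, "subject_user": "svc_identity", "target_user": "a.nguyen"}
{"time": "2026-02-03T14:00:12Z", "host": "DC01", "event_id": 4728, "subject_user": "svc_identity", "member": "a.nguyen", "group_name": "Staff"}
{"time": "2026-02-03T22:45:00Z", "host": "DC01", "event_id": 4732, "subject_user": "it.admin", "member": "jdoe", "group_name": "Administrators"}
"""

# Assumptions about the environment being audited.
PROVISIONING_ACCOUNTS = {"svc_identity"}          # the IAM automation account
CHANGE_WINDOW_UTC = (8, 18)                       # approved provisioning hours
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def parse_events(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _finding(rule, severity, ev, target):
    return {"rule": rule, "severity": severity, "time": ev["time"],
            "subject": ev["subject_user"], "target": target}


def audit(events, provisioning=PROVISIONING_ACCOUNTS, link_window=timedelta(hours=1)):
    """Return findings for account creations outside the provisioning process
    and for privileged group additions, linking the two when a freshly created
    account is granted privilege within link_window."""
    findings = []
    created = {}  # lower-cased account name -> creation time
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        when = _ts(ev["time"])
        if ev["event_id"] == 4720:
            target = ev["target_user"]
            created[target.lower()] = when
            if ev["subject_user"].lower() not in provisioning:
                findings.append(_finding("account_created_outside_provisioning", "medium", ev, target))
            if not CHANGE_WINDOW_UTC[0] <= when.hour < CHANGE_WINDOW_UTC[1]:
                findings.append(_finding("account_created_off_hours", "low", ev, target))
        elif ev["event_id"] in GROUP_ADD_EVENTS and ev["group_name"].lower() in PRIVILEGED_GROUPS:
            member = ev["member"]
            findings.append(_finding("privileged_group_add", "high", ev, member))
            born = created.get(member.lower())
            if born is not None and when - born <= link_window:
                findings.append(_finding("new_account_granted_privilege", "critical", ev, member))
    return findings


if __name__ == "__main__":
    for f in audit(parse_events(SAMPLE_SECURITY_EVENTS)):
        print(f"[{f['severity']}] {f['time']} {f['rule']}: {f['subject']} -> {f['target']}")
```

Events are sorted by timestamp before evaluation so the creation-then-privilege link works regardless of collection order; in production the records would come from Windows Event Forwarding or a SIEM query rather than an inline string, and the allowlist of provisioning accounts should be the only thing an operator has to tune.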