Full Report
We have identified new tactics, techniques, and procedures (TTPs) used by the Warlock ransomware group (tracked by TrendAI™ as Water Manaul). In our previous article, we detailed how Warlock exploited unpatched Microsoft SharePoint servers to deploy LockBit-derived ransomware with the .x2anylock extension, using Cloudflare tunnels for command and control (C&C) and Rclone for data exfiltration. Warlock’s method of initial access to victim networks has remained consistent; however, it has added new techniques to enhance its persistence, lateral movement, and defense evasion. These new observations include the usage of TightVNC (a remote access tool) to maintain persistent control, abuse of new open-source tools to conduct C&C communications, and a persistent Bring Your Own Vulnerable Driver (BYOVD) technique that leverages a vulnerability in the NSec driver.
Analysis Summary
# Threat Actor: Warlock
## Attribution & Identity
- **Name:** Warlock
- **Tracking Alias:** Water Manaul (TrendAI™)
- **Associations:** Utilizes LockBit-derived ransomware.
## Activity Summary
Warlock is a sophisticated ransomware group that has recently evolved its tactics to increase operational resilience. Recent campaigns (late 2025 to early 2026) show the group spending approximately 15 days within a network before encryption. They are known for exploiting unpatched server software and for timing their attacks to coincide with holiday periods, when staffing levels are reduced.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of unpatched internet-facing Microsoft SharePoint servers.
- **Persistence:**
  - Deployment of **TightVNC** as a silent Windows service via PsExec.
  - Use of **Velociraptor** as a primary C&C framework.
- **Lateral Movement:** Abuse of **PsExec** and **GPO** (Group Policy Objects) for domain-wide tool deployment.
- **Defense Evasion:**
  - **BYOVD (Bring Your Own Vulnerable Driver):** Exploiting the `NSecKrnl.sys` driver to terminate security software at the kernel level.
  - **DLL Sideloading:** Using a legitimate Microsoft Edge binary (`MsMpSrv.exe`) to load malicious code.
  - **Traffic Masking:** Using VS Code tunnels and Cloudflare tunnels to blend with legitimate web traffic.
- **Exfiltration:** Use of **Rclone** (often renamed as `TrendSecurity.exe`) to exfiltrate data.
- **Encryption:** Deployment of LockBit-derived ransomware with extensions such as `.x2anylock` or `.LOCKJ`.
## Targeting
- **Sectors:** Technology, Manufacturing, Government, and Education.
- **Geography:** United States (US), Germany, Russia, and the United Kingdom (UK).
- **Victims:** Organizations utilizing internet-facing SharePoint servers.
## Tools & Infrastructure
- **Malware:** LockBit-derived ransomware, Cobalt Strike.
- **Remote Access/C2:**
  - TightVNC, Velociraptor, VS Code Tunnels, Cloudflare Tunnels.
  - **Yuze:** Lightweight C-based reverse proxy for SOCKS5 connections.
- **Drivers:** `NSecKrnl.sys` (for BYOVD), formerly `googleApiUtil64.sys`.
- **Infrastructure:**
  - `code[.]translatevv[.]com`
  - Ports: 80, 443, 53 (used by Yuze).
## Implications
Warlock has demonstrated a shift toward "operational resilience" by maintaining multiple, redundant C&C channels. Their move to kernel-level defense evasion (BYOVD) and the use of legitimate developer tools (VS Code/Cloudflare tunnels) makes detection significantly more difficult for standard EDR solutions. Their 15-day "dwell time" suggests a methodical approach to data theft prior to encryption.
## Mitigations
- **Patch Management:** Prioritize critical patches for Microsoft SharePoint and other internet-facing applications.
- **Driver Blocking:** Implement Microsoft’s recommended vulnerable driver blocklist to prevent BYOVD attacks.
- **Service Monitoring:** Audit the creation of new Windows services, particularly those involving remote access tools like TightVNC or Velociraptor.
- **Network Traffic Analysis:** Inspect outbound connections to known tunneling services (Cloudflare, VS Code) and look for unusual SOCKS5 proxy activity on ports 80, 443, or 53.
- **Specific Hunting:** Search for the presence of `Rclone` renamed as legitimate security binaries (e.g., `TrendSecurity.exe`).
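The service-monitoring, driver-blocking and hunting items above can be checked on a single Windows host with a script such as the following. This is an added example, not code from the report or from Trend Micro: the keyword lists, the 30-day lookback window and the scan roots are constructed assumptions to be tuned for your estate, and the Rclone check assumes an unmodified Rclone build, whose Go build information embeds the module path `github.com/rclone/rclone` whatever the file has been renamed to.

```powershell
# Added example (not from the report): host-level hunt for the Warlock artifacts
# named above. Keyword lists, lookback and scan roots are constructed assumptions.

$LookbackDays = 30
# Service names / image paths associated with the remote-access tooling in the report
$RemoteToolPatterns = @('tvnserver', 'tightvnc', 'velociraptor', 'cloudflared', 'code\.exe.*tunnel')
# Current and former BYOVD driver file names from the report
$DriverPatterns = @('NSecKrnl\.sys', 'googleApiUtil64\.sys')
# Scan roots for renamed binaries (constructed; extend to match your environment)
$ScanRoots = @($env:ProgramData, $env:TEMP, 'C:\Users\Public', 'C:\PerfLogs')

function Find-SuspiciousServiceInstalls {
    # Event ID 7045 in the System log is written by the Service Control Manager
    # for every newly installed service, including those created via PsExec.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $haystack = "$($data['ServiceName']) $($data['ImagePath'])"
        $hits = $RemoteToolPatterns | Where-Object { $haystack -match $_ }
        if ($hits) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                Account     = $data['AccountName']
                Matched     = ($hits -join ', ')
            }
        }
    }
}

function Find-RenamedRclone {
    # Flag executables that identify as Rclone (version resource or embedded Go
    # module path) but do not carry "rclone" in their file name.
    Get-ChildItem -Path $ScanRoots -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 200MB } |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $meta = "$($vi.OriginalFilename) $($vi.ProductName) $($vi.FileDescription)"
            $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($_.FullName))
            $isRclone = ($meta -match 'rclone') -or $text.Contains('github.com/rclone/rclone')
            if ($isRclone -and $_.Name -notmatch 'rclone') {
                [pscustomobject]@{
                    Path         = $_.FullName
                    SizeMB       = [math]::Round($_.Length / 1MB, 1)
                    OriginalName = $vi.OriginalFilename
                    LastWrite    = $_.LastWriteTime
                }
            }
        }
}

function Find-VulnerableDriver {
    # Registered kernel drivers whose image path matches the BYOVD driver names;
    # a Stopped entry still matters, since the service can be started again.
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $p = $_.PathName
        $DriverPatterns | Where-Object { $p -match $_ }
    } | Select-Object Name, State, StartMode, PathName
}

"== Service installs matching remote-access tooling (last $LookbackDays days) =="
Find-SuspiciousServiceInstalls | Format-Table -AutoSize
"== Executables that are Rclone under another name =="
Find-RenamedRclone | Format-Table -AutoSize
"== Drivers matching the BYOVD driver names =="
Find-VulnerableDriver | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since reading the System log in full and enumerating `Win32_SystemDriver` need administrative rights. A hit in the first function is a lead, not a verdict: confirm the install against change records before treating a TightVNC or Velociraptor service as adversary activity, and pair the driver check with the Microsoft vulnerable driver blocklist so that a matching driver cannot load in the first place.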