DEV Community

Mark0

Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

The Warlock ransomware group, also known as Water Manaul, has significantly updated its attack chain with advanced persistence and evasion techniques. Initially gaining access through vulnerable Microsoft SharePoint servers, the group now utilizes a diverse toolkit including TightVNC for GUI-based remote access, Yuze for reverse proxying, and VS Code for covert C&C tunneling. Their operations are characterized by long dwell times, often timing attacks during holiday periods to exploit reduced staffing levels.

A critical component of Warlock's new strategy is a persistent Bring Your Own Vulnerable Driver (BYOVD) technique. By leveraging the NSecKrnl.sys driver, the attackers can terminate security software at the kernel level, effectively blinding defenders before deploying ransomware. The final payload is distributed enterprise-wide via Active Directory Group Policy Objects (GPO), ensuring maximum impact through automated execution across all domain-joined systems.
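The three behaviours described above each leave a distinct trace on the host: a kernel driver load (the BYOVD step), a `code.exe` process started with the `tunnel` subcommand (the VS Code C&C channel), and a modification of a Group Policy container object in Active Directory (the GPO-based rollout). The following detection sketch is an added example, not code from the post or from Trend Micro's report. It scans a constructed, simplified Sysmon/Windows Security-style JSON event stream (Sysmon Event ID 6 = driver load, Event ID 1 = process create, Security Event ID 5136 = directory object modified); the field names, hostnames, paths and log lines are assumptions made up for the example, and the GPO GUID is a placeholder.

```python
import json

# Driver name taken from the post; lowercase for case-insensitive matching.
SUSPICIOUS_DRIVERS = {"nseckrnl.sys"}


def _basename(path):
    """Return the file name of a Windows or POSIX path, lowercased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(event):
    """Return a list of alert strings for one parsed event ([] if nothing matched).

    Event IDs and field names follow the Sysmon / Windows Security layout only
    loosely; they are assumptions for this constructed example.
    """
    alerts = []
    eid = event.get("EventID")

    if eid == 6:  # Sysmon DriverLoad
        image = event.get("ImageLoaded", "")
        if _basename(image) in SUSPICIOUS_DRIVERS:
            alerts.append(f"BYOVD: known abusable driver loaded from {image}")

    elif eid == 1:  # Sysmon ProcessCreate
        image = _basename(event.get("Image", ""))
        tokens = event.get("CommandLine", "").lower().split()
        # 'code tunnel' exposes the machine through a Microsoft-hosted relay;
        # in most fleets it is never used legitimately and is worth an alert.
        if image == "code.exe" and "tunnel" in tokens[1:]:
            alerts.append("VS Code tunnel started (possible C&C channel): "
                          + event.get("CommandLine", ""))

    elif eid == 5136:  # Security: directory service object modified
        if event.get("ObjectClass") == "groupPolicyContainer":
            alerts.append("GPO modified, review for pushed scripts/tasks: "
                          + event.get("ObjectDN", "?"))

    return alerts


def scan_log(lines):
    """Parse JSON-per-line events and return (computer, alert) tuples."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        for alert in classify_event(event):
            findings.append((event.get("Computer", "?"), alert))
    return findings


# Constructed sample events: one benign driver load, the NSecKrnl.sys load,
# a benign process, a VS Code tunnel launch, and a GPO modification.
SAMPLE_LOG = r"""
{"EventID": 6, "Computer": "FS01", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"}
{"EventID": 6, "Computer": "FS01", "ImageLoaded": "C:\\Users\\Public\\NSecKrnl.sys"}
{"EventID": 1, "Computer": "WS07", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt"}
{"EventID": 1, "Computer": "WS07", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe", "CommandLine": "\"C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe\" tunnel --accept-server-license-terms"}
{"EventID": 5136, "Computer": "DC01", "ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=example"}
"""

if __name__ == "__main__":
    for computer, alert in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{computer}] {alert}")
```

Matching on the driver's file name alone is deliberately simple; in production the driver-load rule should key on the file hash or the signer, since the same driver can be dropped under any name, and the GPO rule should be paired with a diff of the SYSVOL policy files so that the pushed script or scheduled task itself is surfaced.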
