Hackers Turn Velociraptor Tool Into Ransomware Weapon


Hackers are abusing the Velociraptor DFIR tool to launch ransomware attacks. A new report revealed that a group called Storm-2603 has used this open-source security tool to deliver multiple ransomware strains, including LockBit, Warlock, and Babuk.

The weakness was not in Velociraptor as currently shipped. The group deployed an outdated build that carried a known privilege-escalation flaw and chained it with other exploits to take full control of the host. The case shows how cybercriminals repurpose legitimate security tooling, here a forensics agent, as part of their own toolkit.

How the Attack Began

The attackers exploited known SharePoint vulnerabilities to gain access to corporate systems. Once inside, they installed an older version of Velociraptor that contained a privilege escalation flaw.

From there they could execute arbitrary commands and move laterally across the network. Reports noted that the attackers created domain admin accounts, used remote execution tools, and disabled real-time protection to avoid detection.

Before launching ransomware, the attackers modified Active Directory policies and tampered with Group Policy Objects, which let them push configuration changes and weaken defenses across many machines at once rather than host by host.

Multi-Ransomware Strategy

The group used Velociraptor to manage the infected systems, then deployed three ransomware families, LockBit, Warlock, and Babuk, within hours of each other.

Deploying several variants in one intrusion complicates investigation and attribution: responders see what looks like multiple unrelated crews, the group's own identity is masked, and encryption spreads faster.

According to reports, Storm-2603 appears highly organized, working with short 48-hour development cycles and a clear command structure. This efficiency suggests strong resources and professional-level coordination.

Possible Links to Nation-State Actors

Researchers found clues connecting Storm-2603 to state-sponsored hacking groups. For example, timestamps from compiled ransomware match China Standard Time. The group also uses strict operational security techniques, such as removing timestamps and altering expiration mechanisms.

Moreover, similarities in domains, contact details, and coding practices suggest a shared command-and-control structure across LockBit, Warlock, and Babuk. Therefore, these links point toward a centralized and well-funded operation rather than a random ransomware crew.

The Role of Velociraptor in the Attacks

Experts clarified that Velociraptor itself is not at fault. It was misused as one component of a broader toolkit: the attackers relied on its legitimate ability to collect data from endpoints and run commands on them to operate inside corporate networks.

This mirrors a common pattern in which attackers weaponize trusted security and administration tools. Organizations therefore need to monitor how even approved software behaves in their environment: where it runs from, who launched it, and what it executes.

How to Prevent Similar Attacks

To reduce the risk of similar intrusions, companies should patch vulnerabilities quickly, especially in widely used platforms like SharePoint. Implementing endpoint protection with behavioral monitoring can also help detect misuse of legitimate tools.

Additionally, endpoint telemetry fed to a detection and response capability can surface lateral movement and privilege-escalation attempts early, and automated alerting and host isolation can stop attackers before they reach the ransomware stage. Two specific checks follow from this case: pin the sanctioned Velociraptor build and alert on any other version appearing on a host, and patch known privilege-escalation flaws in security tooling as promptly as in the platforms it protects.
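As an added example, not code from the article or from the Velociraptor project, the script below runs a few behaviour rules over constructed process-creation events. The rules correspond to the tradecraft described above: a Velociraptor binary launched from outside its sanctioned install path or by an unexpected parent, a new member added to Domain Admins, real-time protection switched off, and Group Policy cmdlets invoked. The event shape, the approved install directory, the approved parent process, the host names and every command line are assumptions made up for illustration, not a vendor's schema or a real incident log.

```python
"""
Constructed example: behaviour rules over process-creation events.

The events and field names below are made up for this illustration.  The
fields follow a Sysmon-like shape (host, user, parent image, image, command
line) but do not reproduce any specific product's schema.
"""
import re
from dataclasses import dataclass

# Assumptions about the sanctioned agent: where it is installed and that it
# is started by the service control manager.  Adjust to your own deployment.
APPROVED_VELOCIRAPTOR_DIRS = ("c:\\program files\\velociraptor\\",)
APPROVED_VELOCIRAPTOR_PARENTS = ("services.exe",)


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def rule_unapproved_velociraptor(e: ProcEvent) -> bool:
    """Velociraptor running from an unexpected directory or parent process."""
    if "velociraptor" not in _base(e.image):
        return False
    in_dir = e.image.lower().startswith(APPROVED_VELOCIRAPTOR_DIRS)
    ok_parent = _base(e.parent_image) in APPROVED_VELOCIRAPTOR_PARENTS
    return not (in_dir and ok_parent)


# net group "Domain Admins" <user> /add  (net or net1, with or without .exe)
DOMAIN_ADMIN_ADD = re.compile(
    r'net(?:1)?(?:\.exe)?\s+group\s+"?domain admins"?\s+\S+\s+/add', re.I)
# Defender real-time protection disabled via PowerShell
DISABLE_RTP = re.compile(
    r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)", re.I)
# GroupPolicy module cmdlets that create or modify GPOs
GPO_TAMPER = re.compile(
    r"\b(new-gpo|set-gpregistryvalue|new-gplink|set-gppermission)\b", re.I)

RULES = {
    "velociraptor_unapproved": rule_unapproved_velociraptor,
    "domain_admin_added": lambda e: bool(DOMAIN_ADMIN_ADD.search(e.cmdline)),
    "realtime_protection_disabled": lambda e: bool(DISABLE_RTP.search(e.cmdline)),
    "gpo_modified": lambda e: bool(GPO_TAMPER.search(e.cmdline)),
}


def triage(events):
    """Return (rule_name, event_index) for every rule that fires."""
    hits = []
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, i))
    return hits


def hosts_with_chain(events, minimum=3):
    """Hosts on which at least `minimum` distinct rules fired.

    A single hit may be an administrator's work; several distinct hits on
    one host resemble the intrusion chain described in the article.
    """
    per_host = {}
    for name, i in triage(events):
        per_host.setdefault(events[i].host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= minimum)


# Constructed sample events (host names, users and paths are invented).
SAMPLE_EVENTS = [
    ProcEvent("SP01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe",
              r"C:\Program Files\Velociraptor\velociraptor.exe",
              "velociraptor.exe --config client.config.yaml client"),
    ProcEvent("SP01", "IIS APPPOOL\\SharePoint", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("SP01", "IIS APPPOOL\\SharePoint", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Temp\velociraptor.exe",
              "velociraptor.exe --config C:\\Windows\\Temp\\c.yaml client"),
    ProcEvent("SP01", "CORP\\svc_sp", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\net.exe",
              'net group "Domain Admins" svc_backup /add /domain'),
    ProcEvent("SP01", "CORP\\svc_sp", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("DC01", "CORP\\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -c Set-GPRegistryValue -Name "Default Domain Policy" -Key HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System -ValueName EnableSmartScreen -Type DWord -Value 0'),
    ProcEvent("WS07", "CORP\\helpdesk", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $false"),
]

if __name__ == "__main__":
    for name, i in triage(SAMPLE_EVENTS):
        print(f"{SAMPLE_EVENTS[i].host}: {name} <- {SAMPLE_EVENTS[i].cmdline}")
    print("hosts with a chain of hits:", hosts_with_chain(SAMPLE_EVENTS))
```

The first event is the sanctioned agent started by the service control manager from its install directory and produces no alert; the copy dropped under `C:\Windows\Temp` by a `cmd.exe` child of the SharePoint worker process does. The rules are deliberately narrow string matches so they are easy to audit; in production the same logic would sit in an EDR or SIEM rule, and the sanctioned path, parent, and version would come from your own deployment inventory rather than the constants at the top of the file.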
