From SharePoint Vulnerability Exploit to Enterprise Ransomware
Essential information
- Published: 20/08/2025 17:38
- Modified: 20/08/2025 21:21
- Tags: 2025-08-20, CVE-2023-27532, credential-theft, data exfiltration, dll sideloading, lateral movement, lockbit, lockbit 3.0, ransomware, sharepoint vulnerability, warlock
- Related entities: 1 intrusion set (apt), 7 techniques (mitre), 2 malware, 6 others
Description
The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain ran from the initial SharePoint exploit through privilege escalation via Group Policy modification, credential theft with Mimikatz, lateral movement over SMB, and finally ransomware deployment. Files were encrypted with a .x2anylock extension and data was exfiltrated using RClone. The campaign targeted organizations globally across various industries. Warlock appears to be derived from leaked LockBit 3.0 code and employs evasion techniques such as DLL sideloading. The attack highlights the dangers of delayed patching and the importance of layered defenses.
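The post-exploitation stages listed above each leave endpoint telemetry that a defender can hunt for independently of the initial SharePoint exploit. The script below is an added example, not code from the report or from the Warlock tooling: it runs simple hunting rules over a few constructed JSON-lines records loosely modelled on Sysmon-style fields (the hostnames, users, paths, field names and the burst threshold are all assumptions, and the only indicator taken from the page is the .x2anylock extension). It flags RClone copy/sync jobs, Mimikatz-style lsass dumping, Group Policy object changes, an unsigned DLL loaded from the same user-writable directory as its host process (the classic sideloading shape), and a burst of newly written .x2anylock files on one host.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (invented for this example, not taken from the report).
# The GPO GUID is the well-known Default Domain Policy GUID; everything else is made up.
SAMPLE_EVENTS = r'''
{"host":"FS01","type":"process","image":"C:\\Users\\svc_backup\\AppData\\Local\\Temp\\rclone.exe","cmdline":"rclone.exe copy D:\\Shares\\Finance remote:dump --transfers 32","user":"CORP\\svc_backup"}
{"host":"FS01","type":"process","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami","user":"CORP\\svc_backup"}
{"host":"DC01","type":"process","image":"C:\\Windows\\Temp\\mk.exe","cmdline":"mk.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit","user":"CORP\\Administrator"}
{"host":"DC01","type":"gpo_modified","object":"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local","attribute":"gPCMachineExtensionNames","user":"CORP\\svc_backup"}
{"host":"WS07","type":"imageload","image":"C:\\ProgramData\\Update\\legit_signed.exe","loaded":"C:\\ProgramData\\Update\\version.dll","signed":false}
{"host":"WS07","type":"imageload","image":"C:\\Windows\\System32\\notepad.exe","loaded":"C:\\Windows\\System32\\version.dll","signed":true}
{"host":"FS01","type":"file","path":"D:\\Shares\\Finance\\q2.xlsx.x2anylock","user":"CORP\\svc_backup"}
{"host":"FS01","type":"file","path":"D:\\Shares\\Finance\\budget.docx.x2anylock","user":"CORP\\svc_backup"}
{"host":"FS01","type":"file","path":"D:\\Shares\\Finance\\notes.txt.x2anylock","user":"CORP\\svc_backup"}
{"host":"WS02","type":"file","path":"C:\\Users\\alice\\report.docx","user":"CORP\\alice"}
'''

ENCRYPTED_EXT = ".x2anylock"          # extension reported for Warlock-encrypted files
BURST_THRESHOLD = 3                   # assumed tuning value: encrypted files per host before alerting
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")   # assumed sideload-prone locations
RCLONE_VERBS = (" copy ", " sync ", " move ")
MIMIKATZ_MODULES = ("sekurlsa::", "lsadump::")


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _dirname(win_path):
    return win_path.lower().rsplit("\\", 1)[0]


def hunt(events):
    """Apply one rule per technique from the attack chain and return a list of findings."""
    findings = []
    encrypted = defaultdict(set)   # host -> set of paths written with the ransomware extension

    for e in events:
        host, kind = e.get("host", "?"), e.get("type")
        image = e.get("image", "").lower()
        cmdline = e.get("cmdline", "").lower()

        if kind == "process":
            # Exfiltration: rclone invoked with a transfer verb (remote name is attacker-chosen, so don't key on it)
            if image.endswith("\\rclone.exe") and any(v in cmdline for v in RCLONE_VERBS):
                findings.append({"technique": "exfiltration_rclone", "host": host, "detail": e["cmdline"]})
            # Credential theft: Mimikatz module syntax survives renaming of the binary itself
            if any(m in cmdline for m in MIMIKATZ_MODULES) or image.endswith("\\mimikatz.exe"):
                findings.append({"technique": "credential_theft_mimikatz", "host": host, "detail": e["cmdline"]})

        elif kind == "gpo_modified":
            # Privilege escalation / deployment via Group Policy: any GPO write outside a change window is worth a look
            findings.append({"technique": "gpo_modification", "host": host,
                             "detail": f'{e.get("user")} changed {e.get("attribute")} on {e.get("object")}'})

        elif kind == "imageload":
            # DLL sideloading shape: unsigned DLL loaded from the loader's own directory in a user-writable path
            loaded = e.get("loaded", "")
            if (not e.get("signed", True)
                    and _dirname(loaded) == _dirname(image)
                    and any(w in _dirname(image) + "\\" for w in USER_WRITABLE)):
                findings.append({"technique": "dll_sideloading", "host": host,
                                 "detail": f'{e["image"]} loaded unsigned {loaded}'})

        elif kind == "file":
            if e.get("path", "").lower().endswith(ENCRYPTED_EXT):
                encrypted[host].add(e["path"])

    # Ransomware impact: a burst of renamed files on one host, not a single stray match
    for host, paths in encrypted.items():
        if len(paths) >= BURST_THRESHOLD:
            findings.append({"technique": "ransomware_encryption_burst", "host": host,
                             "detail": f"{len(paths)} files with {ENCRYPTED_EXT}"})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f'[{f["technique"]}] {f["host"]}: {f["detail"]}')
```

The rules deliberately key on behaviour rather than file names (RClone's transfer verb, Mimikatz's module syntax, the signed-host/unsigned-DLL pairing) because the tooling is trivially renamed; the encryption rule uses a per-host threshold so a single test file does not page anyone. In a real environment the GPO rule needs an allow-list for change-management windows, and the sideloading rule should be extended with whatever directories your software deployment legitimately uses.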