Velociraptor leveraged in ransomware attacks
Essential information
- Published: 09/10/2025 20:09
- Modified: 10/10/2025 07:33
- Tags: 2025-10-09, CVE-2025-6264, babuk, data exfiltration, lockbit, open-source tools, privilege-escalation, ransomware, velociraptor, vmware, warlock, windows
- Related entities: 1 vulnerability (CVE), 5 observables, 1 intrusion set (APT), 5 malware
Description
A ransomware attack involving the use of Velociraptor, an open-source digital forensics and incident response tool, has been linked to the threat actor Storm-2603. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt virtual machines and servers. They exploited a vulnerability (CVE-2025-6264) in an outdated version of Velociraptor for privilege escalation and persistence. The campaign involved disabling security measures, modifying Group Policy Objects (GPOs), and using PowerShell scripts for encryption and data exfiltration. The attack bears similarities to Storm-2603's known tactics, including the use of multiple ransomware variants and specific techniques such as manipulating IIS components and GPOs. The incident highlights the growing trend of threat actors repurposing legitimate commercial and open-source tools in their operations.