Velociraptor leveraged in ransomware attacks
released on 2025-10-09 @ 02:55:15 PM
Ransomware operators are abusing Velociraptor, an open-source digital forensics and incident response tool, in their attacks. The activity is attributed to Storm-2603, a China-based threat actor. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines and Windows servers. They installed an outdated version of Velociraptor that is vulnerable to privilege escalation. The actors modified Active Directory GPOs to impair defenses, deployed a fileless PowerShell encryption script, and exfiltrated data. The campaign also involved creating admin accounts, accessing VMware vSphere, and using Smbexec for remote program execution. Mitigation recommendations include following standard ransomware safeguards and patching the ToolShell vulnerabilities.
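A detection-side illustration of the chain described above: correlating a Velociraptor service install, a GPO change, a new local admin, fileless PowerShell and an smbexec-style service across per-host telemetry. This is an added example, not a detection from the report; the log layout, field names, event patterns and sample lines are all constructed assumptions.

```python
"""Correlate the TTP chain described above (Velociraptor service install, GPO
modification, new admin account, fileless PowerShell, smbexec-style service
execution) across endpoint telemetry. Added example; the log format and the
rule patterns are assumptions, not the report's own detections."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per TTP from the report. Field names are a constructed layout.
RULES = {
    "velociraptor_install": re.compile(r"EventID=7045 .*ServiceName=Velociraptor", re.I),
    "gpo_modified": re.compile(r"EventID=5136 .*ObjectClass=groupPolicyContainer", re.I),
    "new_admin_account": re.compile(r"EventID=4728 .*Group=Administrators", re.I),
    "fileless_powershell": re.compile(r"powershell\.exe .*-enc\b", re.I),
    "remote_service_exec": re.compile(r"EventID=7045 .*ImagePath=cmd\.exe /Q /c", re.I),
}
LINE = re.compile(r"^(\S+) host=(\S+) (.*)$")

# Constructed sample telemetry: SRV01 shows the full chain, SRV02 and WS07 do not.
TELEMETRY = r"""
2025-10-01T10:00:00 host=SRV01 EventID=7045 ServiceName=Velociraptor ImagePath=C:\Temp\velociraptor.exe service run
2025-10-01T10:05:00 host=SRV01 EventID=5136 ObjectClass=groupPolicyContainer Attribute=gPCMachineExtensionNames
2025-10-01T10:07:00 host=SRV01 EventID=4728 Group=Administrators Member=svc_tmp
2025-10-01T10:09:00 host=SRV01 EventID=4104 Command=powershell.exe -nop -w hidden -enc QUFBQQ==
2025-10-01T10:12:00 host=SRV02 EventID=7045 ServiceName=SvcTmp ImagePath=cmd.exe /Q /c hostname
2025-10-01T11:00:00 host=WS07 EventID=4104 Command=powershell.exe -File Get-Inventory.ps1
""".strip().splitlines()

def correlate(lines, window=timedelta(minutes=60), min_hits=2):
    """Return {host: sorted rule names} for hosts where at least min_hits
    distinct rules fired within one sliding window; a single hit is noise."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed telemetry rather than crash
        ts, host, body = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        for name, rx in RULES.items():
            if rx.search(body):
                hits[host].append((ts, name))
    flagged = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_hits:
                flagged[host] = sorted(names | set(flagged.get(host, [])))
    return flagged
```

In a real deployment the Velociraptor rule would also compare the installed build against the vendor's patched version, which this summary does not state, and an approved-deployment allowlist would suppress legitimate IR installs.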