VERY IMPORTANT

This analysis examines the evolving tactics of the GOLD SALEM cybercrime group in deploying Warlock ransomware over a six-month period across 11 incidents. The group exploited SharePoint vulnerabilities for initial access and utilized tools like Velociraptor, VMTools AV killer, and Cloudflared for various attack stages. They targeted multiple sectors, with a focus on IT, industrial, and technology. The group used Warlock, LockBit, and Babuk ransomware variants, often naming executables after victim organizations. Evidence suggests possible Chinese origins, though the group appears primarily financially motivated. GOLD SALEM demonstrated advanced technical abilities, including zero-day exploitation and repurposing of legitimate tools.