{"id":5306,"date":"2025-10-10T12:01:42","date_gmt":"2025-10-10T12:01:42","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5306"},"modified":"2025-10-10T12:01:42","modified_gmt":"2025-10-10T12:01:42","slug":"open-source-dfir-velociraptor-was-abused-in-expanding-ransomware-efforts","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5306","title":{"rendered":"Open-source DFIR Velociraptor was abused in expanding ransomware efforts"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Velociraptor, the open-source <a href=\"https:\/\/www.csoonline.com\/article\/572351\/ransomware-endpoint-risks-are-top-concerns-for-dfir-professionals.html\" target=\"_blank\" rel=\"noopener\">DFIR<\/a> tool meant to hunt intruders, has itself gone rogue \u2013 being picked up by threat actors in coordinated ransomware operations. Never tied to extortion attacks before, the tool has been found to be abused by a China-based group, Storm-2603, previously known for exploiting Microsoft SharePoint vulnerabilities.<\/p>\n<p>Cisco Talos researchers first spotted the activity in August 2025 while responding to an unnamed multi-vector ransomware incident.<\/p>\n<p>\u201cTalos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock\u2019s data leak site (DLS),\u201d said Talos researchers in a blog post. \u201cThey deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. 
This severely impacted the customer\u2019s IT environment.\u201d<\/p>\n<p>Talos attributed the activity to the group with moderate confidence, citing \u201coverlapping tools and tactics, techniques and procedures (TTPs)\u201d.<\/p>\n<h2 class=\"wp-block-heading\">When a good tool goes rogue<\/h2>\n<p>Velociraptor is normally deployed by defenders, who install its client on Windows, Linux, and macOS systems to collect telemetry continuously and respond to security events. In this campaign the attackers used an outdated client (0.73.4.0) that is affected by a known privilege escalation flaw (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-6264\" target=\"_blank\" rel=\"noopener\">CVE-2025-6264<\/a>), which can be used for arbitrary command execution and full endpoint takeover.<\/p>\n<p>In cases <a href=\"https:\/\/news.sophos.com\/en-us\/2025\/08\/26\/velociraptor-incident-response-tool-abused-for-remote-access\/\" target=\"_blank\" rel=\"noopener\">observed by Sophos\u2019 CTU<\/a>, the attacker-controlled Velociraptor clients were also used to download and execute Visual Studio Code, likely to create a tunnel to a command-and-control (C2) server. Talos noted that Velociraptor continued to launch even after an infected host was isolated: network isolation does not by itself remove the installed client, which is why the tool served as a persistence mechanism on compromised systems.<\/p>\n<p>\u201cVelociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware,\u201d Talos researchers added. 
\u201cThe addition of this tool in the ransomware playbook is in line with findings from Talos\u2019 \u2018<a href=\"https:\/\/blog.talosintelligence.com\/2024yearinreview\/\" target=\"_blank\" rel=\"noopener\">2024 Year in Review<\/a>,\u2019 which highlights that threat actors are utilizing an increasing variety of commercial and open-source products.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Attribution and the ransomware cocktail<\/h2>\n<p>Talos links the campaign to Storm-2603, a suspected China-based threat actor, citing matching TTPs such as the use of \u2018cmd.exe\u2019, disabling Microsoft Defender protections, creating scheduled tasks, and manipulating Group Policy Objects. The use of multiple ransomware strains in a single operation \u2013 Warlock, LockBit, and Babuk \u2013 also raised confidence in this attribution.<\/p>\n<p>\u201cTalos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension \u2018xlockxlock\u2019,\u201d the researchers added. \u201cThere was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with \u2018.babyk\u2019.\u201d<\/p>\n<p>Talos researchers added that the presence of Babuk ransomware in this breach is new: Storm-2603 had not publicly been tied to Babuk before, although its deployment of Warlock and LockBit in the same attack was previously <a href=\"https:\/\/www.trendmicro.com\/ru_ru\/research\/25\/h\/warlock-ransomware.html\" target=\"_blank\" rel=\"noopener\">reported<\/a>. A double-extortion strategy was also evident: the attackers exfiltrated sensitive data using a stealthy PowerShell script that suppressed progress reporting and included delays to evade sandbox detection.
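<\/p>
<p>Defenders checking their own estate against this campaign need to answer two questions for every host: is the Velociraptor client at or above 0.73.5, the release that patches CVE-2025-6264, and is the binary on disk a genuine release? The following Python script is an added example written for this page; it is not code from Talos, CSO Online or the Velociraptor project. Its inventory rows, allow-list entries and every hash in it are constructed placeholders, and the CSV layout is an assumed export format rather than anything Velociraptor produces itself.<\/p>

```python
# Added example, not code from Talos, CSO Online or the Velociraptor project.
# It audits a fleet inventory of Velociraptor clients for two things the
# article calls out: clients still below the 0.73.5 release that fixed
# CVE-2025-6264, and client binaries whose hash does not match a known-good
# release. The inventory rows, the allow-list and every hash below are
# constructed for the example; they are not real release hashes.
import hashlib

PATCHED_VERSION = '0.73.5'   # first release with the CVE-2025-6264 fix (per the article)


def parse_version(text):
    # Velociraptor versions are dotted integers, sometimes with a trailing
    # build component (0.73.4.0). Compare them as integer tuples: a plain
    # string comparison would rank 0.73.10 below 0.73.5. Trailing zeros are
    # dropped so that 0.73.4.0 and 0.73.4 compare equal.
    parts = text.strip().split('.')
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError('unparseable version: ' + repr(text))
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_patched(version):
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def fake_sha256(label):
    # Constructed stand-in for the SHA-256 of a client binary on disk. In a
    # real audit this is hashlib.sha256(open(path, 'rb').read()).hexdigest()
    # on each endpoint, and the allow-list comes from the release artifacts.
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed allow-list: release version -> expected SHA-256 of the binary.
KNOWN_GOOD = {
    '0.73.5': fake_sha256('release 0.73.5'),
    '0.74.1': fake_sha256('release 0.74.1'),
}

# Constructed inventory, as an endpoint-management export might look:
# hostname, reported client version, SHA-256 of the binary found on disk.
INVENTORY_CSV = '''host,version,sha256
fileserver01,0.73.4.0,{a}
esxi-mgmt,0.73.5,{b}
dc02,0.74.1,{c}
build-agent,0.73.5,{d}
jump01,0.73.10,{e}
'''.format(
    a=fake_sha256('release 0.73.4.0'),   # the outdated build seen in the campaign
    b=fake_sha256('release 0.73.5'),     # patched, hash matches
    c=fake_sha256('release 0.74.1'),     # patched, hash matches
    d=fake_sha256('something else'),     # claims 0.73.5 but is a different binary
    e=fake_sha256('release 0.73.10'),    # patched, but no reference hash on file
)


def audit(inventory_csv, known_good):
    # Returns {host: [problem, ...]}; an empty list means the client passed.
    findings = {}
    lines = [ln for ln in inventory_csv.splitlines() if ln.strip()]
    header = lines[0].split(',')
    for line in lines[1:]:
        rec = dict(zip(header, line.split(',')))
        problems = []
        if not is_patched(rec['version']):
            problems.append('outdated: ' + rec['version'] + ' is below ' + PATCHED_VERSION)
        expected = known_good.get(rec['version'])
        if expected is None:
            problems.append('no known-good hash on file for ' + rec['version'])
        elif expected != rec['sha256'].lower():
            problems.append('binary hash does not match release ' + rec['version'])
        findings[rec['host']] = problems
    return findings


if __name__ == '__main__':
    for host, problems in audit(INVENTORY_CSV, KNOWN_GOOD).items():
        print(host, 'OK' if not problems else '; '.join(problems))
```

<p>Two design points matter here. Versions are compared numerically, so a client on 0.73.10 is correctly treated as newer than 0.73.5, which a string sort gets wrong. And a host whose reported version is patched but whose binary hash does not match any known release (build-agent above) is flagged separately from an outdated one, because a renamed or repacked binary is a different finding from a forgotten upgrade. A natural extension is to feed the script the list of hosts on which the security team actually installed a client, so that any client on a host outside that list is reported on its own.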
<\/p>\n<p>Talos urged defenders to verify the integrity and version of every Velociraptor deployment and to ensure all of them run version 0.73.5 or later, which patches the privilege escalation flaw CVE-2025-6264. Because the attackers used a genuine, if outdated, Velociraptor release, a version check alone is not enough: a client found on a host that the security team did not deploy, or that reports to a server the team does not control, should be treated as an intrusion indicator rather than as an unpatched agent. The disclosure follows another case this week of legitimate open-source software being turned to malicious use; that earlier case involved China-linked hackers <a href=\"https:\/\/www.csoonline.com\/article\/4069515\/open-source-monitor-turns-into-an-off-the-shelf-attack-beacon.html\">weaponizing the Nezha RMM<\/a> tool to deploy GhostRAT.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Velociraptor, the open-source DFIR tool meant to hunt intruders, has itself gone rogue \u2013 being picked up by threat actors in coordinated ransomware operations. Never tied to extortion attacks before, the tool has been found to be abused by a China-based group, Storm-2603, previously known for exploiting Microsoft SharePoint vulnerabilities. Cisco Talos researchers first spotted 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5307,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5306","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5306"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5306"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5306\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5307"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}