Ransomware gangs have escalated their targeting of Microsoft SharePoint servers, compromising over 400 organizations globally through coordinated attacks that exploit critical vulnerabilities in enterprise collaboration platforms. The campaign, which intensified in mid-July 2025, has affected government agencies, educational institutions, healthcare systems, and major corporations across multiple sectors.
Microsoft confirmed active ransomware deployment on July 18, 2025, identifying Storm-2603 as a primary threat actor responsible for distributing Warlock ransomware. Additional groups, including the Chinese state-backed actors Linen Typhoon and Violet Typhoon, have participated in these attacks alongside LockBit ransomware operators.
Storm-2603, characterized as a likely China-based criminal organization, has emerged as a particularly aggressive participant in the campaign.
Attackers exploit CVE-2025-49704, a remote code execution vulnerability, and CVE-2025-49706, a spoofing flaw, to gain initial access to SharePoint servers. More concerning, attackers have developed bypass techniques, tracked as CVE-2025-53770 and CVE-2025-53771, that circumvent Microsoft's initial security patches. This vulnerability chain, known as ToolShell, permits lateral movement within compromised networks and enables ransomware deployment even on recently updated systems. The attackers establish persistence through the spinstall0.aspx web shell, which provides continued access to compromised SharePoint environments.
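The web shell named above is the one artifact in this report that a defender can hunt for directly. The following script is an added example, not code from the article or from Microsoft: it parses IIS W3C log lines (a constructed excerpt is embedded) for requests to spinstall0.aspx and lists files with that name under a SharePoint LAYOUTS directory. The log lines, client addresses and the default LAYOUTS install path are assumptions; only the web shell file name comes from the article.

```python
"""Hunt for the spinstall0.aspx web shell named in the article.

Added example, not from the article or Microsoft. It scans IIS W3C logs for
requests to the web shell and lists files with that name on disk. All log
lines and paths below are constructed for the example.
"""
import os
from pathlib import Path
from typing import Dict, Iterable, List

WEB_SHELL_NAME = "spinstall0.aspx"   # file name reported in the article

# Constructed IIS W3C log excerpt; the "#Fields:" header drives the parser.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:14:07 10.0.0.5 GET /sites/hr/default.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2025-07-19 03:15:22 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.44 Mozilla/5.0 200
2025-07-19 03:15:40 10.0.0.5 GET /_LAYOUTS/16/SPINSTALL0.ASPX - 443 - 203.0.113.44 python-requests/2.31 200
2025-07-19 03:16:01 10.0.0.5 GET /sites/hr/spinstall0.aspx.bak - 443 - 203.0.113.44 curl/8.0 404
"""


def parse_iis_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C-format IIS log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field names follow the directive
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue                    # header missing or malformed line; skip, don't guess
        records.append(dict(zip(fields, values)))
    return records


def find_webshell_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return log records whose requested path ends with the web shell file name.

    IIS paths are case-insensitive, so the last path segment is lowercased
    before comparison; a trailing ".bak" or similar does not match.
    """
    hits = []
    for rec in parse_iis_log(lines):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().rsplit("/", 1)[-1] == WEB_SHELL_NAME:
            hits.append(rec)
    return hits


def find_webshell_files(paths: Iterable[str]) -> List[str]:
    """Return the paths whose file name equals the web shell name (case-insensitive)."""
    return [p for p in paths if os.path.basename(p).lower() == WEB_SHELL_NAME]


def scan_layouts_dir(root: Path) -> List[str]:
    """Walk a directory tree (intended for SharePoint's LAYOUTS folder) and list matches."""
    return find_webshell_files(str(p) for p in root.rglob("*") if p.is_file())


if __name__ == "__main__":
    for rec in find_webshell_requests(SAMPLE_LOG.splitlines()):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-method']} "
              f"{rec['cs-uri-stem']} -> {rec['sc-status']}")
    # Assumed default install location; adjust for your SharePoint version and drive.
    layouts = Path(r"C:\Program Files\Common Files\microsoft shared"
                   r"\Web Server Extensions\16\TEMPLATE\LAYOUTS")
    if layouts.exists():
        for hit in scan_layouts_dir(layouts):
            print("file on disk:", hit)
```

Run it against the real IIS log directory by feeding `find_webshell_requests` each log file's lines; any hit, and any file found by `scan_layouts_dir`, should be treated as an indicator that the server was already compromised and needs a full investigation rather than only a patch.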
Current exposure statistics reveal approximately 11,000 internet-facing SharePoint instances globally, with 600 located in the United Kingdom. Security researchers identified 424 SharePoint installations as vulnerable to the latest exploited vulnerabilities by late July 2025. The attacks follow a staged pattern, beginning with reconnaissance scans before widespread ransomware distribution.
Microsoft’s patching efforts face significant limitations, particularly affecting SharePoint Server 2016, which lacked immediate security fixes during peak attack periods. The company released partial patches for newer versions, but attackers continue exploiting chained vulnerabilities to bypass recently installed protections. The National Nuclear Security Administration emerged as the only confirmed victim organization publicly identified in the United States, though security officials indicate additional federal and state agencies remain under investigation.
Cybersecurity experts classify this exploitation campaign as a “high-severity, high-urgency threat” owing to its scope and persistence. The campaign demonstrates evolving ransomware tactics, where threat actors combine nation-state techniques with criminal objectives. Initial compromise affects over 100 organizations, with numbers increasing daily as security teams identify additional victims.
Microsoft’s intelligence division continues investigating potential involvement of unidentified groups while updating threat actor attributions as new evidence emerges from ongoing analysis.