
Warlock Ransomware Emerges as Major Cyber Threat, Security Experts Warn


Cybersecurity researchers are sounding the alarm over a fast-growing ransomware operation called Warlock. According to a detailed report by Sophos, this group—also tracked as Gold Salem by Sophos and Storm-2603 by Microsoft—has quickly gained notoriety in the cybercrime world.

Sophos warns that Warlock “could be the most worrying new strain” in recent years. Since first being detected in March 2025, the group has breached more than 60 organizations. What makes the campaign particularly concerning is not just the number of victims but also the group’s sophistication. In just months, Warlock has successfully exploited SharePoint vulnerabilities using a custom ToolShell chain, leveraged legitimate tools like Velociraptor for covert tunneling, deployed Mimikatz for credential theft, and used PsExec/Impacket and GPOs to spread ransomware payloads.

The attackers have also acquired exploits and stolen access credentials from underground forums, despite having no prior public presence.

Attribution, however, remains uncertain. While Microsoft describes Warlock as a “China-based actor,” Sophos believes the evidence is inconclusive. What is clear is that the group has targeted diverse industries and countries worldwide—while deliberately avoiding Russian and Chinese organizations.

One exception stands out: a single Russian company has recently been listed on Warlock’s data leak site. Sophos suggests this points to the group operating outside Russia’s jurisdiction or sphere of influence. Out of more than 60 known victims, the group claims to have sold stolen data from 27 of them (around 45%) to private buyers. Interestingly, only 32% of cases involved public data leaks, which could imply that the remainder either paid ransoms or had their data traded discreetly.

Still, Sophos cautions that Warlock’s claims may be inflated or fabricated. As the report notes, ransomware operators often exaggerate their impact to appear more dangerous and enhance their credibility.