Threat Actor Profile
Description
The Warlock ransomware and its operator(s) are believed to be attributable to Storm-2603, a China-based threat actor that is also known to have deployed LockBit ransomware. There is also victim overlap with Black Basta. Both LockBit and Black Basta are RaaS operations with a long list of known and unknown affiliates, so this is possibly an affiliate (likely a cyber group) of both. The Alliance & Association would technically be Encryptor Sharing, but realistically this is more of an "Old Affiliate" that created its own ransomware encryptor and operation.
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
STIX Data
{
  "added_date": "2025-06-10",
  "client": "2003264@sit.singaporetech.edu.sg",
  "description": "The Warlock ransomware and operator(s) are believed to be attributed to Storm-2603, a China-based threat actor who is also known to have deployed LockBit ransomware. There's also a crossover between victims with Black Basta. Both are RaaS and have a long list of known and unknown affiliates. Having said that, this is possibly an affiliate (likely a cybergroup) of both of those groups. The Alliance & Association would technically be Encryptor Sharing, but this is realistically more of an \"Old Affiliate\" that created their own ransomware encryptor and operation.",
  "firstseen": "2025-04-02T00:00:00+00:00",
  "group": "warlock",
  "has_negotiations": false,
  "has_ransomnote": true,
  "lastseen": "2025-11-06T07:45:49.301773+00:00",
  "locations": [
    {
      "available": false,
      "fqdn": "zfytizegsze6uiswodhbaalyy5rawaytv2nzyzdkt3susbewviqqh7yd.onion",
      "slug": "http://zfytizegsze6uiswodhbaalyy5rawaytv2nzyzdkt3susbewviqqh7yd.onion",
      "title": "WarLock Client Data Leak Show",
      "type": "DLS"
    },
    {
      "available": false,
      "fqdn": "ocwjy4ynmpbbzhumh2ama2vl3bc77lf5auqf7nf4k45lbmzoep2rbyid.onion",
      "slug": "http://ocwjy4ynmpbbzhumh2ama2vl3bc77lf5auqf7nf4k45lbmzoep2rbyid.onion",
      "title": "",
      "type": "Files"
    },
    {
      "available": false,
      "fqdn": "elqfbcx5nofwtqfookqml7ltx2g6q6tmddys6e25vgu3al2meim6cbqd.onion",
      "slug": "http://elqfbcx5nofwtqfookqml7ltx2g6q6tmddys6e25vgu3al2meim6cbqd.onion",
      "title": "Warlock Client Leaked Data Show",
      "type": "DLS"
    },
    {
      "available": true,
      "fqdn": "warlockhga5iw3t54ps5iytlilf7hlvxy7kwrkidspn4qoh64s4vsuyd.onion",
      "slug": "http://warlockhga5iw3t54ps5iytlilf7hlvxy7kwrkidspn4qoh64s4vsuyd.onion",
      "title": "WarLock Client Data Leak Show",
      "type": "DLS"
    }
  ],
  "negotiation_count": 0,
  "ransomnotes_count": 2,
  "tiaras_metadata": {
    "has_negotiations": false,
    "has_ransomnote": true,
    "locations": [
      {
        "available": false,
        "fqdn": "zfytizegsze6uiswodhbaalyy5rawaytv2nzyzdkt3susbewviqqh7yd.onion",
        "slug": "http://zfytizegsze6uiswodhbaalyy5rawaytv2nzyzdkt3susbewviqqh7yd.onion",
        "title": "WarLock Client Data Leak Show",
        "type": "DLS"
      },
      {
        "available": false,
        "fqdn": "ocwjy4ynmpbbzhumh2ama2vl3bc77lf5auqf7nf4k45lbmzoep2rbyid.onion",
        "slug": "http://ocwjy4ynmpbbzhumh2ama2vl3bc77lf5auqf7nf4k45lbmzoep2rbyid.onion",
        "title": "",
        "type": "Files"
      },
      {
        "available": false,
        "fqdn": "elqfbcx5nofwtqfookqml7ltx2g6q6tmddys6e25vgu3al2meim6cbqd.onion",
        "slug": "http://elqfbcx5nofwtqfookqml7ltx2g6q6tmddys6e25vgu3al2meim6cbqd.onion",
        "title": "Warlock Client Leaked Data Show",
        "type": "DLS"
      },
      {
        "available": true,
        "fqdn": "warlockhga5iw3t54ps5iytlilf7hlvxy7kwrkidspn4qoh64s4vsuyd.onion",
        "slug": "http://warlockhga5iw3t54ps5iytlilf7hlvxy7kwrkidspn4qoh64s4vsuyd.onion",
        "title": "WarLock Client Data Leak Show",
        "type": "DLS"
      }
    ],
    "negotiation_count": 0,
    "ransomnotes_count": 2,
    "ransomware_live_group": "warlock",
    "tools": {
      "CredentialTheft": ["Mimikatz", "Veeam-Get-Creds"],
      "DefenseEvasion": ["VMTools AV Killer (BYOVD)"],
      "DiscoveryEnum": ["SecurityCheck"],
      "Exfiltration": [],
      "LOLBAS": ["Minidump"],
      "Networking": ["Cloudflared", "OpenSSH", "MinIO", "VS Code Tunnel"],
      "Offsec": ["Velociraptor"],
      "RMM-Tools": ["Radmin"]
    },
    "url": "https://www.ransomware.live/group/warlock",
    "victims": 78,
    "vulnerabilities": []
  },
  "tiaras_source": "ransomware.live",
  "tools": {
    "CredentialTheft": ["Mimikatz", "Veeam-Get-Creds"],
    "DefenseEvasion": ["VMTools AV Killer (BYOVD)"],
    "DiscoveryEnum": ["SecurityCheck"],
    "Exfiltration": [],
    "LOLBAS": ["Minidump"],
    "Networking": ["Cloudflared", "OpenSSH", "MinIO", "VS Code Tunnel"],
    "Offsec": ["Velociraptor"],
    "RMM-Tools": ["Radmin"]
  },
  "ttps": [],
  "url": "https://www.ransomware.live/group/warlock",
  "victims": 78,
  "vulnerabilities": []
}