Ransomware attacks increase as hackers target SharePoint server weakness

The landscape of cybersecurity threats is continually evolving, with threat actors increasingly leveraging sophisticated methods to infiltrate and compromise organizational systems. Recently, a significant surge in ransomware attacks has been observed, with hackers specifically targeting a critical weakness within Microsoft SharePoint servers. This vulnerability has opened a gateway for malicious actors to deploy ransomware, leading to widespread disruption and potential data loss for affected organizations.

Exploitation of SharePoint Vulnerabilities

A critical vulnerability chain affecting on-premises versions of Microsoft SharePoint Server has been actively exploited, and a share of those intrusions has ended in ransomware. The chain gives an unauthenticated attacker remote code execution on an internet-facing server, which then serves as the initial foothold into the organization's network. The exploit, referred to as "ToolShell," has been used by several groups that Microsoft tracks as Linen Typhoon, Violet Typhoon, and Storm-2603. Microsoft assesses all three as China-based. The two Typhoon groups are espionage actors; Storm-2603 is the group observed moving from initial access and data theft to ransomware deployment.

Microsoft has issued urgent warnings regarding the active exploitation of these flaws. The initial patches, released in July 2025, were bypassed by attackers within days, prompting emergency out-of-band updates and additional mitigation steps. This ongoing exploitation underscores the need for organizations to apply SharePoint security updates promptly and to treat a patch as the first step of remediation rather than the last. The speed at which attackers adapted to the first fix shows how little time defenders have once an exploit chain is public.

The exploitation of SharePoint vulnerabilities has been a multi-phased process for attackers. Initial access is gained by exploiting internet-facing SharePoint servers. Attackers then establish persistence by installing web shells and manipulating server components so that their access survives patching of the original vulnerabilities. From that position they run discovery commands, enumerate the user context the web server runs under, and validate their privilege level inside the compromised environment before moving further into the network.

The Evolution from Espionage to Extortion

Initially, threat actors were observed using the SharePoint vulnerabilities for covert intelligence gathering and espionage, focusing on stealing credentials and sensitive data without immediate detection. However, there has been a marked shift towards more aggressive and financially motivated tactics, with these intrusions now escalating into full-scale ransomware campaigns. This evolution signifies a growing capability among adversaries and an increasing risk associated with maintaining unpatched, legacy software.

The transition from silent surveillance to disruptive encryption marks a significant escalation in the threat landscape. It demonstrates the adaptability of threat actors who can pivot their objectives based on the opportunities presented by exploitable vulnerabilities. This change in tactics poses a more immediate and severe threat to business operations and data integrity.

Microsoft has confirmed that multiple intrusions have evolved into destructive ransomware attacks, leading to data encryption, operational paralysis, and demands for ransom payments. This pivot from espionage to extortion is a critical development that organizations must address with robust security strategies and incident response plans.

Ransomware Deployment and Impact

Once attackers gain initial access and establish persistence within a SharePoint environment, they proceed to deploy ransomware. This often involves lateral movement across the network, credential theft, and the modification of Group Policy Objects (GPOs) to distribute the ransomware payload across compromised systems. The Warlock ransomware has been specifically identified as a payload deployed in these attacks, though other variants like LockBit have also been observed.

The impact of these ransomware attacks can be devastating. Organizations face encrypted data, rendering critical information inaccessible, and significant operational disruptions. The financial implications can include ransom payments, recovery costs, and lost revenue due to downtime. Beyond financial losses, reputational damage and the potential loss of intellectual property are also serious consequences.

The scope of these attacks has been extensive, with estimates suggesting that over 400 organizations worldwide have been affected. This includes U.S. federal agencies, universities, and private sector businesses, highlighting the broad reach and indiscriminate nature of these threats. The compromise of high-profile targets like the U.S. National Nuclear Security Administration and the Department of Education underscores the severity of the situation.

Specific Threat Actors and Their Tactics

Several threat actors have been implicated in these SharePoint-related ransomware attacks. The group Storm-2603, believed to be China-based, has been a prominent player, leveraging the vulnerabilities to deploy Warlock ransomware. Microsoft has also linked Linen Typhoon and Violet Typhoon, identified as Chinese nation-state actors, to the exploitation of these SharePoint vulnerabilities.

The tactics employed by these groups are methodical and multi-staged. They begin with exploiting vulnerabilities to gain initial access, followed by credential access techniques like using Mimikatz to extract plaintext credentials from LSASS memory. Lateral movement is achieved using tools such as PsExec and the Impacket toolkit, with commands executed via Windows Management Instrumentation (WMI). The final stage often involves modifying GPOs to distribute the ransomware payload.

Attackers have also been observed stealing the server's ASP.NET machine keys (the ValidationKey and DecryptionKey configured for the SharePoint web application) through the web shell. With those keys, an attacker can sign its own __VIEWSTATE payloads, which the server will accept and deserialize, so code execution remains possible after the original flaws are patched unless the keys are rotated. This tactic points to a long-term objective beyond immediate data encryption, and it is the reason a patch alone is not a complete remediation.

Vulnerabilities Exploited and Technical Details

The primary vulnerabilities belong to the "ToolShell" exploit chain, which combines an authentication bypass that Microsoft classifies as spoofing with a remote code execution (RCE) flaw. The original pair was CVE-2025-49706 (spoofing/authentication bypass) and CVE-2025-49704 (RCE). CVE-2025-53771 and CVE-2025-53770 are the variants that bypassed the July patches for those two flaws and were exploited on systems that had already applied the initial updates.

Once on a vulnerable SharePoint server, attackers drop web shells such as spinstall0.aspx into the server's LAYOUTS directory. This particular file is not an interactive command shell; it is a small page that reads the server's ASP.NET machine key configuration and returns it to the attacker, which is how the keys described above are stolen. Attackers then run discovery commands such as "whoami" to enumerate the user context and validate their privilege level. Further actions include disabling security monitoring tools such as Microsoft Defender through direct registry modifications and manipulating Internet Information Services (IIS) components to load .NET assemblies, providing a second persistence path.

The use of PowerShell commands to disable real-time monitoring in Windows Defender has also been observed, along with bypassing certificate validation. These technical maneuvers highlight the attackers’ sophistication in evading detection and maintaining control over compromised systems.
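As an added example (not code from the article, Microsoft, or any of the vendors reporting on ToolShell), the following PowerShell hunt applies the indicators above to a constructed IIS W3C log sample and then checks the local host. The log lines, the client addresses, and the LAYOUTS path are constructed or assumed; the ToolPane.aspx/SignOut.aspx request pattern, the spinstall0.aspx file name, and the Defender policy registry values are the ones the text describes. IIS writes `+` in place of spaces inside the User-Agent field, so splitting a line on single spaces is safe.

```powershell
# Added example: hunt IIS logs and the local host for the ToolShell indicators
# described in the article. Not Microsoft's script; sample data is constructed.

# --- Constructed sample of an IIS W3C log (not real traffic) -------------------
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0 https://sp.contoso.com/ 200
2025-07-18 10:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:02:19 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 10:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.0.21 Mozilla/5.0 https://sp.contoso.com/_layouts/15/settings.aspx 200
'@

function Find-ToolShellActivity {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive tells us the column layout of the lines that follow
        if ($line -like '#Fields:*') {
            $fields = ($line.Substring(8).Trim()) -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $reasons = @()
        # Indicator 1: unauthenticated POST to ToolPane.aspx whose Referer points at SignOut.aspx
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem'] -match '/_layouts/1[56]/ToolPane\.aspx$' -and
            $row['cs(Referer)'] -match 'SignOut\.aspx') {
            $reasons += 'ToolPane.aspx POST with SignOut.aspx Referer (ToolShell auth-bypass pattern)'
        }
        # Indicator 2: any request for the spinstall web shell or a same-named variant
        if ($row['cs-uri-stem'] -match 'spinstall\d*\.aspx$') {
            $reasons += 'request to spinstall*.aspx web shell'
        }
        if ($reasons) {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIP = $row['c-ip']
                User     = $row['cs-username']
                Uri      = $row['cs-uri-stem']
                Referer  = $row['cs(Referer)']
                Reason   = $reasons -join '; '
            }
        }
    }
}

function Test-SharePointHostIndicators {
    # Assumption: default LAYOUTS path of a SharePoint 2016+/Subscription Edition install
    $layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    $findings = @()
    if (Test-Path $layouts) {
        Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "web shell on disk: $($_.FullName) (written $($_.LastWriteTimeUtc) UTC)" }
    }
    # Policy values attackers set to switch Defender off
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $checks = @{
        "$policy"                      = 'DisableAntiSpyware'
        "$policy\Real-Time Protection" = 'DisableRealtimeMonitoring'
    }
    foreach ($key in $checks.Keys) {
        $name = $checks[$key]
        $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) { $findings += "Defender tampering: $key\$name = 1" }
    }
    return $findings
}

# Run against the constructed sample; on a real server feed Get-Content of the W3SVC log instead
$hits = Find-ToolShellActivity -Lines ($sampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
Test-SharePointHostIndicators | ForEach-Object { Write-Warning $_ }
```

Against the sample, the hunt flags the POST from 203.0.113.7 with the SignOut.aspx Referer and the follow-up request for spinstall0.aspx, and leaves the final line alone: an authenticated POST to ToolPane.aspx with a normal Referer is what a legitimate page edit looks like, so matching on ToolPane.aspx alone would drown the signal in false positives.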

Mitigation and Protection Strategies

Addressing the threat of ransomware attacks targeting SharePoint requires a multi-layered security approach. Microsoft strongly urges all customers running on-premises SharePoint Server to immediately apply the relevant security updates. Patching alone is not sufficient: the ASP.NET machine keys must then be rotated, through the Update-SPMachineKey cmdlet or the Machine Key Settings page in Central Administration, and IIS must be restarted on every SharePoint server so the worker processes pick up the new keys and drop any attacker-supplied state. Restarting IIS without rotating the keys does not invalidate keys that have already been stolen.

Organizations should enable Microsoft Defender Antivirus and AMSI (Antimalware Scan Interface) for real-time scanning and behavioral analysis. Rotating privileged credentials, particularly those used by service accounts, administrators, and backup systems, is crucial. Implementing attack surface reduction rules and endpoint detection and response (EDR) solutions can further enhance threat detection capabilities.

For on-premises SharePoint servers, enabling AMSI integration (in Full Mode) and deploying Defender Antivirus are highlighted as essential steps; Microsoft reports that this combination blocked the unauthenticated exploitation attempts it observed. It is also critical to run supported versions of SharePoint Server and keep them current with security updates. Older, unsupported versions receive no fixes for these flaws and should be upgraded or decommissioned.
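The post-patch steps above, as an added example that is not Microsoft's published guidance script. It assumes an elevated SharePoint Management Shell on each server in the farm, SharePoint Server 2016 or later (where the Update-SPMachineKey cmdlet exists), and Microsoft Defender Antivirus as the local antivirus; the Defender registry values removed at the end are the policy kill switches attackers have set in these intrusions.

```powershell
# Added example: post-patch remediation for an on-premises SharePoint farm.
# Run once per SharePoint server, in an elevated SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so it can be compared with the build listed in the
#    security update's KB article. A farm below that build is still vulnerable.
Write-Host "Farm build: $((Get-SPFarm).BuildVersion)"

# 2. Rotate the ASP.NET machine keys of every web application. Stolen keys let an
#    attacker forge signed __VIEWSTATE after patching, so this step is mandatory.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so worker processes load the new keys and discard in-memory state.
iisreset.exe /restart

# 4. Re-enable Defender real-time protection if it was switched off, and clear the
#    policy values used to disable it (harmless if they are absent).
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection was disabled; re-enabling.'
    Set-MpPreference -DisableRealtimeMonitoring $false
}
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' `
    -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
    -Name DisableAntiSpyware -ErrorAction SilentlyContinue

# 5. Confirm the end state before moving to the next server.
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
```

Key rotation is a farm-wide change: after it, every server must be restarted, and any process that cached a signed ViewState from before the rotation will see it rejected, which is exactly the effect wanted. Credential rotation for service, administrator, and backup accounts, mentioned above, is a separate step and is not covered by this script.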

Best Practices for SharePoint Security

Beyond immediate patching, adopting comprehensive SharePoint security best practices is vital for long-term defense. This includes enabling Multi-Factor Authentication (MFA) for all user accounts, especially administrators, to add a critical layer of security against credential compromise. Role-Based Access Control (RBAC) should be meticulously implemented to ensure users only have access to the data and resources necessary for their roles, adhering to the principle of least privilege.

Regularly reviewing and updating access permissions is essential, as roles and responsibilities change over time. Monitoring external sharing settings and implementing strict controls over who can access what content outside the organization is also paramount. Features like time-limited sharing and password protection for shared links can significantly reduce the risk of data leaks.

Implementing version control and enabling detailed audit logs for monitoring user activity are key to detecting and responding to suspicious behavior. Strong password policies should be enforced, and sensitive data should be classified and labeled to apply appropriate security controls. These proactive measures create a more resilient security posture against a wide range of threats.

Incident Response and Recovery

Organizations must have a well-defined and regularly rehearsed incident response plan specifically for ransomware attacks. This plan should outline clear steps for containment, eradication, and recovery. Ensuring that the incident response plan itself is accessible, even if internal systems are compromised, is critical—storing copies on SharePoint alone may render it unavailable during an attack.

Immediate actions upon suspecting a ransomware infection include stopping synchronization services like OneDrive sync or disconnecting mapped drives to SharePoint libraries. Administrators should then initiate the file restoration process using available backup and versioning features. Microsoft 365 Backup and SharePoint’s built-in versioning and recycle bin functionalities offer crucial recovery mechanisms.

For SharePoint Online and OneDrive, versioning retains a configurable number of versions of each file (500 by default), allowing recovery of the last unencrypted state of a document. The recycle bin provides a 93-day window for restoring deleted files. If these built-in measures are insufficient, contacting Microsoft Support within the timeframe Microsoft specifies may be necessary for data restoration. Organizations should also develop a broader resiliency strategy that includes offline backups and segmented networks.

Understanding the Threat to On-Premises vs. Online

It is crucial to distinguish between on-premises SharePoint Server and SharePoint Online within Microsoft 365. The vulnerabilities being exploited affect on-premises SharePoint Server installations only; Microsoft has stated that SharePoint Online is not affected by these CVEs, since the service is patched and operated by Microsoft rather than by each customer.

However, even cloud-based environments are not entirely immune to ransomware. Ransomware running on a user’s local machine can synchronize encrypted files to SharePoint Online or OneDrive if the sync client is active. While SharePoint Online itself cannot execute ransomware, it can store encrypted files that are then inaccessible. In these cloud scenarios, built-in features like versioning and the recycle bin are critical for recovery.

The responsibility for securing on-premises SharePoint environments falls entirely on the organization’s IT teams. This includes diligent patching, continuous monitoring, and proactive security configuration. The recent zero-day attacks serve as a stark reminder of the risks associated with self-managed infrastructure and the importance of staying ahead of evolving threats.

The Role of User Education and Awareness

While technical security measures are essential, human factors remain a significant element in cybersecurity. Comprehensive user education and ongoing awareness training are critical to building a strong defense against ransomware. Employees are often the first line of defense and the most common entry point for attackers, frequently through phishing or social engineering tactics.

Training should cover recognizing phishing attempts, understanding the risks of clicking on suspicious links or downloading unknown attachments, and practicing good credential hygiene. Educating users about the importance of MFA and secure password practices is also vital. A security-aware workforce can significantly reduce the attack surface and prevent initial compromises.

Furthermore, fostering a culture where employees feel empowered and supported to report suspicious activity without fear of reprisal is crucial. This encourages early detection, allowing security teams to respond more effectively and minimize potential damage. Clear reporting channels and visible leadership support reinforce the importance of vigilance and proactive security behavior across the organization.

Advanced Security Measures and Continuous Monitoring

Organizations should implement advanced security measures beyond basic antivirus and patching. This includes configuring AMSI integration, utilizing Endpoint Detection and Response (EDR) solutions like Microsoft Defender for Endpoint, and enabling cloud-delivered protection in antivirus software. These tools can detect post-exploitation activities that traditional antivirus might miss, such as privilege escalation or the deployment of web shells.

Continuous monitoring of logs and file systems for anomalies is essential. Unusual file activity, unexpected account behavior, or the presence of unfamiliar files can be early indicators of a compromise. Implementing attack surface reduction rules can help block common attack techniques, including those related to credential theft and ransomware activity.

Regularly reviewing and tightening tenant-level sharing settings in SharePoint Online is also a key proactive measure. These settings define the maximum level of sharing allowed across the environment and should be configured to align with the organization’s security policies. Restricting external sharing by domain and security group, and controlling access from unmanaged devices or locations, further strengthens the security perimeter.
