New Gold Salem ransomware could be the most worrying new strain we've seen for a while

A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
(Image credit: Getty Images)

  • Warlock ransomware group compromised over 60 victims since emerging in March 2025
  • Sophos highlights advanced tactics including SharePoint exploits, tunneling, and credential theft
  • Group claims to have sold stolen data from 45% of victims to private buyers

Security researchers have warned of a new ransomware operation making a name for itself, rather fast.

Sophos has detailed the work of a group that calls itself Warlock - although different analysts gave the group different names, so Warlock is also tracked as Gold Salem by Sophos and as Storm-2603 by Microsoft.

Sophos says it “could be the most worrying new strain” to have emerged in a while, as the group has compromised more than 60 victims since March 2025, when it was first observed.

Is Warlock a Chinese player?

It’s not just the number of victims that’s worrying here. The group’s operations “reflect both competence and boldness” because, in mere months, they managed to exploit SharePoint vulnerabilities with a custom ToolShell chain, abuse legitimate tools such as Velociraptor for covert tunneling, deploy Mimikatz for credential theft, PsExec/Impacket for lateral movement, and GPOs for ransomware payloads.

They’ve also managed to solicit exploits and access from underground forums despite having no prior public footprint.

Attribution is proving rather tricky, though. Microsoft refers to Warlock as a “China-based actor”, but Sophos argues the evidence is inconclusive. The group has been observed targeting organizations across a wide range of countries and verticals, yet it has carefully avoided targeting Russian and Chinese organizations.

There is an outlier, though - a single Russian entity was recently added to the group’s data leak site. For Sophos, this information suggests the group operates outside Russia’s jurisdiction or sphere of influence.

Still, of the 60+ victims the group has added to its leak site, it claims to have sold data stolen from 27 of them (approximately 45%) to private buyers.

What’s notable here is that only 32% of victims had their data publicly leaked, which suggests that the rest may have paid or had their data sold privately.

Sophos also stresses that the 45% claim may be inflated, or outright fabricated, as ransomware groups often exaggerate their impact to boost credibility and instill fear.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
