Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

Summary: The Warlock ransomware group has enhanced its attack chain by incorporating new techniques such as TightVNC, Yuze, and a persistent BYOVD technique leveraging the NSec driver to improve persistence, lateral movement, and evasion.

Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC, Yuze, and a persistent BYOVD technique leveraging the NSec driver. The group’s updated methods include the use of TightVNC as a silent Windows service via PsExec for persistent GUI-based remote access, abuse of Yuze to establish SOCKS5 connections over common ports, and a new BYOVD technique exploiting a vulnerability in the NSec driver to terminate security products at the kernel level. These enhancements enable Warlock to maintain control and spread across networks more effectively.
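As an added example, not code from the report or from the Warlock toolset, the following Python triage routine runs over constructed Windows "service was installed" records (System log Event ID 7045) and flags the pattern described above: a PsExec service stub followed shortly by a TightVNC service on the same host, and a kernel driver registered from a user-writable path as a BYOVD indicator. The service names PSEXESVC and tvnserver, the five-minute window and all hosts and paths are assumptions; the report does not give the NSec driver's file name, so a placeholder stands in for it.

```python
import re

# Constructed sample of Event ID 7045 records flattened to dicts; every host,
# path and timestamp is made up for this example. The .sys path is a placeholder
# because the report does not name the NSec driver file.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws-42", "id": 7045, "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"ts": 130, "host": "ws-42", "id": 7045, "service": "tvnserver",
     "image": r"C:\ProgramData\tvn\tvnserver.exe -service"},
    {"ts": 500, "host": "srv-07", "id": 7045, "service": "nsecdrv",
     "image": r"\??\C:\Windows\Temp\PLACEHOLDER_nsec_driver.sys"},
    {"ts": 510, "host": "srv-07", "id": 7045, "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]

PSEXEC_RE = re.compile(r"psexesvc", re.I)          # Sysinternals PsExec service stub
VNC_RE = re.compile(r"tvnserver|tightvnc", re.I)   # TightVNC server binary/service
DRIVER_RE = re.compile(r"\.sys\b", re.I)           # kernel driver image
# Service or driver image loaded from a user-writable location, not System32.
UNUSUAL_PATH_RE = re.compile(r"\\(Temp|ProgramData|Users)\\", re.I)
PSEXEC_WINDOW = 300  # seconds; a VNC install this soon after PsExec is suspicious


def flag_service_installs(events):
    """Return (host, service, reason) tuples for suspicious 7045 events."""
    findings = []
    last_psexec = {}  # host -> timestamp of the most recent PsExec service install
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != 7045:
            continue
        host, svc, image = ev["host"], ev["service"], ev["image"]
        if PSEXEC_RE.search(svc) or PSEXEC_RE.search(image):
            last_psexec[host] = ev["ts"]
            findings.append((host, svc, "psexec-service"))
        elif VNC_RE.search(svc) or VNC_RE.search(image):
            # Correlate: GUI remote-access service pushed right after PsExec.
            recent = host in last_psexec and ev["ts"] - last_psexec[host] <= PSEXEC_WINDOW
            findings.append((host, svc, "vnc-service-after-psexec" if recent else "vnc-service"))
        if DRIVER_RE.search(image) and UNUSUAL_PATH_RE.search(image):
            findings.append((host, svc, "driver-from-user-writable-path"))
    return findings


if __name__ == "__main__":
    for finding in flag_service_installs(SAMPLE_EVENTS):
        print(finding)
```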

Key facts

  • Warlock ransomware group has enhanced its attack chain with new techniques
  • New tactics include TightVNC, Yuze, and persistent BYOVD leveraging NSec driver
  • Targeted industries: technology, manufacturing, government
  • Countries most targeted: US, Germany, Russia

Why it matters

The expansion of Warlock’s attack toolkit poses significant risks to targeted industries such as technology, manufacturing, and government by enabling persistent infections and sophisticated lateral movement that are harder to detect and mitigate. This underscores the need for continuous vigilance and robust security measures in critical infrastructure sectors.