Cisco Talos Blog: Velociraptor leveraged in ransomware attacks

Source URL: https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/
Source: Cisco Talos Blog
Title: Velociraptor leveraged in ransomware attacks

Feedly Summary: Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.  We assess with moderate confidence that this activity can be attributed to threat actor Storm-2603, based on overlapping tools

AI Summary and Description: Yes

Summary: Cisco Talos has identified the abuse of the open-source DFIR tool Velociraptor by ransomware operators linked to the threat actor Storm-2603. This is the first time Velociraptor has been tied to ransomware activity, an example of legitimate administrative and forensic tooling being repurposed by attackers. The actors used various ransomware strains, including Warlock and LockBit, to compromise IT environments, and used privilege escalation vulnerabilities to maintain persistent access.

Detailed Description:

The incident offers useful insight into the use of legitimate tools for malicious purposes, in this case the Velociraptor DFIR tool, and into how ransomware operations continue to adapt. The findings underscore the need for security professionals to reassess which tools are present in their environments and what permissions they hold. Key points include:

– **Attribution to Storm-2603**:
  – Cisco Talos links the activity to the group Storm-2603 through overlapping tools and tactics.
  – Storm-2603 is a China-based group known for a range of attacks, including earlier LockBit deployments and the novel use of Warlock ransomware.

– **Use of Velociraptor**:
  – Ransomware operators employed Velociraptor to maintain stealthy, persistent access to compromised systems.
  – The Velociraptor build in use was outdated and affected by a known privilege escalation vulnerability (CVE-2025-6264), which enabled command execution.

– **Ransomware Execution**:
  – The actors deployed LockBit and Babuk ransomware to encrypt virtual machines (VMs) and servers, severely disrupting operations.
  – This is the first known association of Babuk ransomware with Storm-2603, illustrating a shift in the group's ransomware strategy.

– **Tactics and Techniques**:
  – The documented behaviors map to known MITRE ATT&CK tactics, including privilege escalation, lateral movement, and data exfiltration.
  – The actors modified Active Directory Group Policy Objects to disable critical security features, improving their ability to evade defenses.

– **Exfiltration Techniques**:
  – The campaign used double extortion, with data exfiltrated via PowerShell scripts designed to suppress alerts and evade detection by security tools.

– **Mitigation Recommendations**:
  – The report recommends protective measures such as using Cisco security solutions and following Talos’ Ransomware Primer for guidance on defending against similar threats.
  – Organizations are urged to routinely update and audit the software tools deployed in their environments to reduce the risk posed by outdated or misused installations.

– **Indicators of Compromise (IOCs)**:
  – Cisco has published IOCs for this ransomware activity, including C2 IP addresses and domain names used in the operation, to support organizations' threat detection efforts.

Overall, this analysis underscores the growing willingness of ransomware actors to leverage legitimate tools for malicious purposes, which calls for heightened vigilance and adaptive security strategies from defenders, including inventorying and monitoring the DFIR and remote-administration tooling present in their environments.