
Ransomware criminals add open-source forensics tool to their arsenal

In a recent illuminating report by The Register, researchers from Cisco Talos detail how a ransomware group known as Storm-2603 has elevated its tactics: exploiting zero-day vulnerabilities in Microsoft SharePoint and then deploying the open-source tool Velociraptor to maintain stealthy access and facilitate a devastating file-encryption campaign.

Here’s a breakdown of what happened, why it matters, and what business owners must do now.


What the attackers did

  • Storm-2603 breached on-premises SharePoint servers via zero-day vulnerabilities.

  • After initial access they installed Velociraptor (version 0.73.4.0), which itself had a privilege-escalation vulnerability (CVE-2025-6264) that the attackers exploited to take over endpoints.

  • With that foothold they moved laterally, disabled endpoint protection features (such as real-time protection and behaviour monitoring) and deployed a fileless PowerShell encryptor alongside ransomware variants such as LockBit, Babuk and Warlock, run in tandem.

  • The report notes this is unusual: using multiple ransomware strains in a single attack, and turning a tool built for defenders to malicious purposes.

In short: attackers leveraged a trusted tool, hid behind it, disabled defences and delivered a crippling attack.
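As an added illustration (not part of the original article, and not code from any vendor or from the Talos report), the following Python pass runs three checks over constructed process-creation events shaped like Sysmon/EDR telemetry: the Velociraptor build the report names, Defender real-time or behaviour monitoring being switched off through Set-MpPreference, and a shell launched by Velociraptor. The event field names and the sample records are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample process-creation events in a Sysmon/EDR-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Velociraptor\velociraptor.exe", "file_version": "0.73.4.0",
     "cmdline": "velociraptor.exe service run", "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "file_version": "10.0.19041.1",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true",
     "parent": r"C:\Program Files\Velociraptor\velociraptor.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "file_version": "10.0.19041.1",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process", "parent": r"C:\Windows\explorer.exe"},
]

# The only version the report names as carrying CVE-2025-6264; other releases are not assessed here.
VULNERABLE_VELOCIRAPTOR_VERSIONS = {"0.73.4.0"}
# Set-MpPreference switches that turn off the two Defender features the report says were disabled.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring)\b", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

@dataclass
class Finding:
    rule: str
    severity: str
    cmdline: str

def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def scan_event(ev: dict) -> list[Finding]:
    """Apply the three checks to one process-creation event and return any findings."""
    findings = []
    image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"]
    if image == "velociraptor.exe" and ev.get("file_version") in VULNERABLE_VELOCIRAPTOR_VERSIONS:
        findings.append(Finding("velociraptor_vulnerable_version", "high", cmd))
    tamper = DEFENDER_TAMPER.search(cmd) is not None
    if tamper:
        findings.append(Finding("defender_tamper", "high", cmd))
    # A shell spawned by Velociraptor is normal during genuine incident response, so alone it only
    # merits review; the same event also tampering with Defender is what makes it critical.
    if parent == "velociraptor.exe" and image in SHELLS:
        findings.append(Finding("shell_from_velociraptor", "critical" if tamper else "review", cmd))
    return findings

def scan(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in scan_event(ev)]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.cmdline}")
```

The severity tiering is the point: Velociraptor running a shell is expected on a machine where defenders use it, so the rule only escalates when the child process also disables protections.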


Why this matters for business owners

  1. Misuse of legitimate tools
    The use of Velociraptor illustrates how the line between defence and offence is blurring. A tool originally intended for incident response is turned into a persistence platform for ransomware. Because it is legitimate software, many security solutions struggle to detect its misuse.

  2. Zero-day exposure + after-the-fact response = risk
    The attackers exploited unpatched SharePoint vulnerabilities for initial access. If your organisation has unpatched or misconfigured systems, you might already be exposed. And by the time the intrusion was detected, the attackers had already disabled key protections.

  3. The limitation of detect-and-respond
    The traditional model (detect the intrusion, investigate, respond) simply gives adversaries time. In this case they were persistent, stealthy, and active while disabling defences. Detection alone is no longer enough.


A better mindset: Move from “Detect & Respond” to “Isolation & Containment”

Rather than waiting to detect malicious actor behaviour and then scrambling to respond, businesses need to adopt a posture where an attack is isolated and contained immediately — before lateral movement, before encryption, before mass damage.

  • Isolation means when an endpoint exhibits abnormal behaviour or is compromised, it is automatically cut off or quarantined so it cannot spread the attack.

  • Containment means limiting the blast radius — even if an attacker gets in, they cannot reach broad assets, cannot disable protections, cannot run rampant encryption.

This shift is especially important given the stealthy, multi-tool approach of modern ransomware gangs like Storm-2603.


Why AppGuard is the solution business owners should adopt

If you want a proven endpoint protection solution aligned with this isolation + containment approach, AppGuard is the answer. Here’s what sets it apart:

  • 10-year track record: AppGuard has been protecting endpoints in demanding environments for over a decade, proving its effectiveness in real-world operations.

  • Protection by default: Rather than relying solely on detection of unknown threats, AppGuard enforces policy to prevent malicious actions from executing in the first place.

  • Rapid containment: When malicious behaviour is attempted, AppGuard isolates the endpoint or the process so attackers cannot move laterally or disable protections.

  • Minimal operational disruption: Because it works proactively rather than reactively, it integrates with business workflows without requiring constant threat hunting.

  • Commercial availability: Once the domain of government and high-security sectors, AppGuard is now available to commercial enterprises seeking robust endpoint isolation and containment.

By adopting AppGuard you’re explicitly choosing to change the paradigm — you’re not waiting to detect a breach, you’re architecting a system where a breach cannot escalate.


What business owners should do now

  1. Audit your surface – Identify systems like on-premises SharePoint servers, endpoints, virtual machines, and other assets that might be entry points.

  2. Patch and configure – This basic step still matters: apply patches, especially for publicly exposed systems. The Storm-2603 intrusion began with SharePoint zero-days.

  3. Assess your endpoint strategy – If your endpoint protection focuses only on detection and response (EDR), ask yourself what would happen if the attacker disabled detection, as happened in the case above.

  4. Adopt a solution built for isolation and containment – This is where AppGuard comes in. If you switch to a protection model that contains threats automatically, you dramatically reduce risk.

  5. Engage now – It’s not enough to plan for next quarter. Attackers are already using these techniques today. The time to act is immediate.


Final thoughts

The incident detailed by The Register makes one point crystal clear: sophisticated adversaries no longer just break in. They install legitimate-looking tools, disable defences, deploy multiple ransomware strains, then move quickly to encryption and extortion.

Waiting until you detect malicious behaviour isn’t sufficient. You need a strategy capable of stopping malicious action before it becomes harmful. That means shifting from “Detect and Respond” to “Isolation and Containment”.

If you’re a business owner concerned about modern ransomware threats, talk with us at CHIPS. Let’s discuss how AppGuard can integrate into your environment and give you the endpoint protection posture you need to defend against the next-gen threats.
