
Investigation underway at Palo Alto Networks concerning potential ransomware attack linked to SharePoint vulnerability exploitation

Unknown hacker extorts ransom following SharePoint data breach incident.

A new ransomware attack, believed to be unrelated to the 4L4MD4R ransomware mentioned in earlier reports, is causing concern among cybersecurity experts. The attack, which is currently under investigation by researchers at Palo Alto Networks, exploits critical ToolShell Remote Code Execution (RCE) vulnerabilities found in on-premises Microsoft SharePoint Servers.

The attackers, who bypassed identity controls including Multi-Factor Authentication (MFA) and Single Sign-On (SSO), used PowerShell commands to disable real-time monitoring in Windows Defender. They then deployed web shells for persistent access, exfiltrated sensitive data, stole cryptographic keys, and established footholds to further deploy ransomware and backdoors.

The attack, which was first observed in mid-July 2025, targets organizations running affected SharePoint versions (2016, 2019, and SharePoint Server Subscription Edition). If successful, the attack results in data breaches, lateral movement within networks, and potential full encryption of enterprise resources by ransomware like 4L4MD4R. However, SharePoint Online customers are not affected.

To mitigate the risk, Microsoft, SentinelOne, Palo Alto Unit42, and CISA have issued alerts and advisories with detailed indicators of compromise and mitigation guidance. Recommended preventive measures include immediate application of Microsoft’s emergency patches, enabling Antimalware Scan Interface (AMSI) detection, rotating ASP.NET machine keys, isolating public-facing SharePoint servers, proactive hunting for indicators of compromise, and assuming potential compromise if SharePoint servers were internet-exposed before patching.
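As an added illustration (not code from the article or from any of the vendors it cites), the following Python snippet shows how a detection engineer might flag the Defender-tampering behaviour described above in PowerShell script block logs (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel), as one concrete form of the proactive hunting the advisories recommend. The host names, account names and script text in the sample events are constructed. The rules go slightly beyond the article: they also flag new Defender exclusions, and they rate a hit as critical when the invoking account is an IIS application pool identity, because PowerShell launched from inside the SharePoint worker process is what a command issued through a web shell looks like.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of PowerShell script block log events (Event ID 4104).
# Host names, account names and script text are made up for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4104, "Computer": "sp-web01.corp.example", "User": "CORP\\spadmin",
     "ScriptBlockText": "Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled"},
    {"EventID": 4104, "Computer": "sp-web01.corp.example", "User": "IIS APPPOOL\\SharePoint - 80",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4104, "Computer": "sp-web02.corp.example", "User": "CORP\\jdoe",
     "ScriptBlockText": "sEt-mPpReFeReNcE -disablerealtimemonitoring:1"},
    {"EventID": 4104, "Computer": "sp-web01.corp.example", "User": "IIS APPPOOL\\SharePoint - 80",
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\inetpub\\wwwroot'"},
    {"EventID": 4104, "Computer": "sp-web02.corp.example", "User": "CORP\\spadmin",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $false"},
    {"EventID": 4688, "Computer": "sp-web02.corp.example", "User": "CORP\\spadmin",
     "ScriptBlockText": ""},
]

# Detection rules. PowerShell cmdlet and parameter names are case-insensitive, so the
# patterns are too; matching the parameter token rather than the full cmdlet spelling
# also survives odd casing and aliases.
RULES: Dict[str, re.Pattern] = {
    # Real-time monitoring switched off (the behaviour the article describes).
    "defender_realtime_disabled": re.compile(
        r"DisableRealtimeMonitoring[\s:]*\$?(?:true|1)\b", re.IGNORECASE),
    # A new exclusion carved out for Defender (not in the article; added here as a
    # closely related tampering technique).
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.IGNORECASE),
}

# SharePoint content runs inside IIS worker processes that execute as application pool
# identities; PowerShell launched under such an identity is consistent with a web shell.
IIS_APPPOOL_IDENTITY = re.compile(r"^IIS APPPOOL\\", re.IGNORECASE)


@dataclass
class Finding:
    computer: str
    user: str
    rule: str
    severity: str
    script: str


def analyze_event(event: Dict) -> Optional[Finding]:
    """Return a Finding if the script block event matches a tampering rule, else None."""
    if event.get("EventID") != 4104:
        return None
    text = event.get("ScriptBlockText", "")
    user = event.get("User", "")
    for rule, pattern in RULES.items():
        if pattern.search(text):
            severity = "critical" if IIS_APPPOOL_IDENTITY.match(user) else "high"
            return Finding(event.get("Computer", "?"), user, rule, severity, text)
    return None


def analyze_events(events: List[Dict]) -> List[Finding]:
    """Run every event through the rules and keep the hits, in log order."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


def hosts_to_isolate(findings: List[Finding]) -> List[str]:
    """Hosts with a critical finding: treat as compromised until the investigation clears them."""
    return sorted({f.computer for f in findings if f.severity == "critical"})


if __name__ == "__main__":
    hits = analyze_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.severity.upper():8}] {f.computer} {f.user}: {f.rule} <- {f.script}")
    print("isolate:", ", ".join(hosts_to_isolate(hits)))
```

Run against the sample, the rules fire on the two real-time-monitoring changes and the exclusion, ignore the `$false` re-enable and the non-4104 event, and mark sp-web01 for isolation because its hits came from the application pool identity. In a real deployment the same logic would sit in a SIEM rule over forwarded script block logs, which only exist if script block logging is turned on, so verifying that setting on every SharePoint server is part of the mitigation work.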

It is still unclear whether the attacker has deployed ransomware against other targets or if they are the same as in the earlier reported ransomware attack. Microsoft researchers had previously warned that the SharePoint vulnerability had attracted the interest of China-backed hackers.

The ongoing investigation is also determining whether the attackers bypassed certificate validation, as reported in some cases. The company is still investigating the identity of the attacker.

If the malware is successfully executed, it encrypts files and displays a ransom note identifying itself as the 4L4MD4R ransomware. The hackers left a ransom note on Sunday, warning that any attempt to decrypt files would result in their deletion.

In July, researchers reported at least 300 known compromises worldwide, including at key U.S. government agencies. Out of these, 840 instances still had the critical vulnerability tracked as CVE-2025-53770. At least 20 of the vulnerable servers contained webshells, suggesting the presence of hackers.

Organizations are strongly advised to take immediate action to secure their SharePoint servers and protect their data from this ongoing threat.


  1. The new ransomware attack, which exploits critical ToolShell Remote Code Execution (RCE) vulnerabilities in on-premises Microsoft SharePoint Servers, has raised concerns in the realm of cybersecurity.
  2. The attackers, who have bypassed identity controls and deployed web shells for persistent access, have used this malware to steal sensitive data and cryptographic keys, and to prepare the ground for deploying ransomware and backdoors.
  3. The cybersecurity community is actively investigating whether this attack is linked to the earlier reported ransomware attack, and if the attackers have deployed ransomware against other targets.
  4. As the threat of this ransomware attack continues, experts advise organizations to take immediate action to secure their SharePoint servers and protect their data, with recommendations including the application of Microsoft's emergency patches, enabling Antimalware Scan Interface (AMSI) detection, and proactive hunting for indicators of compromise.
