Quorum Cyber’s Threat Intelligence (TI) team has published its latest Threat Actor Profile, on Warlock. The team assesses the threat actor, which surfaced in mid-2025 and quickly evolved into a Ransomware-as-a-Service (RaaS) operation, as a severe threat that should be taken seriously and considered in any defence strategy. In a very short period of time, Warlock has achieved high-impact cyber-attacks on governments and enterprises around the globe. It’s already one of the most closely watched ransomware threats of 2025.

To date, Warlock’s top three most-targeted countries are the US, Japan, and the UK. France, Poland, Turkey, Canada, India, Hong Kong, and Bermuda make up the top ten. There’s currently no evidence that the group targets entities in the Commonwealth of Independent States (CIS) region, which is consistent with patterns seen in many Russian-speaking ransomware operations.

Warlock’s double-extortion tactics

Known to use a double-extortion tactic to hold victim organisations to ransom, Warlock has claimed dozens of victims worldwide on its data leak site (DLS). Our profile explains the details behind the group’s structured, multi-stage attack lifecycle and how it pressures victims to pay under threat of public leaks.

As stated in our report, “Warlock represents a fast-rising and dangerous RaaS group whose aggressive approach and advanced techniques pose a severe risk to enterprises that are unprepared or slow to patch vulnerabilities”.

Quorum Cyber’s TI team assesses that the group has a variety of influences and has possibly rebranded from prior operations. Industry analysts have observed striking similarities between Warlock’s tactics and those of the defunct Black Basta ransomware group. Notably, Warlock has claimed responsibility for attacks previously attributed to Black Basta, which has led to speculation that some of Warlock’s operators or affiliates may be former members or that Warlock is an offshoot formed after Black Basta ceased activity in early 2025. However, the precise identities of Warlock’s core operators remain unconfirmed.

Warlock’s affiliates and targets

To date, Warlock’s activities have been linked to at least one Chinese threat actor. Security researchers, including Microsoft, have reported that a China-based cluster called Storm-2603 has been deploying Warlock ransomware in its attacks.

So far, nearly half of Warlock’s targets operate in the technology sector, but it has also attacked organisations in the telecommunications, financial services, manufacturing, construction, consumer services, education, agriculture and food production, business services, and healthcare sectors.

Learn more about Warlock

You can download our comprehensive Threat Actor Profile on Warlock from our Threat Intelligence Community Hub for free. The Hub offers a large and growing collection of malware reports, threat actor profiles, and threat bulletins, which are all freely available.

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ

Colorado, USA Office

950 S Cherry St Ste 505
Denver, Colorado
USA
80246

Dubai, UAE Office

Meydan Grandstand
6th floor
Meydan Road
Nad Al Sheba
Dubai, U.A.E

Ontario, Canada Office

1375 North Service Rd E
Suite 102
Oakville
Ontario L6H 1A7

Arizona, USA Office

1300 S Litchfield Rd
110-L, Goodyear
USA
Arizona 85338
