Microsoft: SharePoint attacks now officially include ransomware infections
theregister.co.uk
Ransomware has officially entered the Microsoft SharePoint exploitation ring.
Late Wednesday, in an update to its earlier warning, Redmond confirmed that a threat group it tracks as Storm-2603 is abusing vulnerable on-premises SharePoint servers to deploy ransomware.
The software giant had already pinned blame on three crews for the SharePoint attacks. Two of the crews are Chinese government-backed: Linen Typhoon (aka Emissary Panda, APT27) and Violet Typhoon (aka Zirconium, Judgment Panda, APT31).
The third, Storm-2603, is likely China-based but not necessarily a nation-state gang.
"Although Microsoft has observed this threat actor [Storm-2603] deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor's objectives," Microsoft said on Tuesday, noting that it's still investigating other gangs exploiting these vulnerabilities.
As of Wednesday, it confirmed that Storm-2603 is, in fact, abusing the security holes to infect victims with ransomware.
"Expanded analysis and threat ...