Microsoft Warns of Ransomware Surge in SharePoint Server Cyberattacks

Microsoft: Hackers Exploiting SharePoint Vulnerability Now Deploying Ransomware

Microsoft has confirmed that a growing cyber-espionage campaign targeting vulnerable SharePoint servers has escalated, with attackers now deploying ransomware to paralyse victim networks. In a blog post published late Wednesday, Microsoft attributed the campaign to a threat group it tracks as “Storm-2603.”

From Espionage to Ransomware Attacks

Initially assessed as a cyber-espionage effort, the campaign is now believed to involve ransomware deployment. Microsoft says the hackers are exploiting a known vulnerability in SharePoint Server, allowing them to lock systems and demand cryptocurrency payments for decryption.

This escalation introduces significant operational risks, especially if critical infrastructure or healthcare systems are targeted. “Storm-2603 is using the SharePoint vulnerability not just for espionage, but to install ransomware and disable networks,” Microsoft stated.

Over 400 Victims — and Counting

According to Dutch cybersecurity firm Eye Security, the campaign has already compromised at least 400 organisations, marking a sharp increase from the 100 victims reported earlier in the week.

Vaisha Bernard, Chief Hacker at Eye Security, warned that the real number may be significantly higher: “There are many more victims out there. Not all attack vectors left artefacts that we could detect.”

Many of the compromised entities remain unnamed, but the U.S. National Institutes of Health (NIH) has confirmed that at least one of its servers was affected. “Additional servers were isolated as a precaution,” said an NIH spokesperson.

U.S. Government Agencies Affected

Multiple reports indicate that the breach affects more than just private organisations:

  • Politico and NextGov report that several U.S. federal agencies, including the Department of Homeland Security (DHS), may have been breached.
  • Sources say 5 to 12 additional agencies could be impacted.
  • The Cybersecurity and Infrastructure Security Agency (CISA) has not yet issued an official statement.

A Race Against Time

The campaign was reportedly triggered after Microsoft failed to fully patch a critical SharePoint Server vulnerability, leaving systems exposed. Once the flaw was discovered, attackers moved quickly to exploit it on a wide scale.

Both Microsoft and Google-parent Alphabet have linked the exploitation to Chinese state-sponsored hackers, a claim Beijing has publicly denied.

Why This Matters

The shift from traditional cyber-espionage to ransomware deployment represents a dangerous escalation in cyber threats. Ransomware has the potential to:

  • Disrupt essential services
  • Shut down enterprise systems
  • Jeopardise national security infrastructure

This incident highlights the need for organisations, especially those running on-premises Microsoft SharePoint servers, to urgently:

  • Apply all available security patches
  • Monitor for unusual activity
  • Review incident response plans

Conclusion: Patch Now, Stay Vigilant

As the number of ransomware attacks continues to rise, Microsoft urges SharePoint users to apply necessary updates immediately. The evolving nature of Storm-2603’s campaign underscores the growing risks associated with unpatched systems and the need for proactive cybersecurity measures.

 
