A critical server vulnerability first linked to cyber espionage has escalated into a ransomware threat, Microsoft disclosed this week. The company reported that attackers exploiting unpatched SharePoint servers are now deploying ransomware, raising the severity of an already widespread breach that has affected at least 400 entities globally.
The hacking group, referred to by Microsoft as Storm-2603, has expanded its tactics by seeding malicious payloads into targeted networks, locking down systems and demanding cryptocurrency ransoms. The cyber campaign, which began as a stealth operation to extract information, now threatens to cause broader disruption across public and private sector systems.
According to Netherlands-based cybersecurity firm Eye Security, the victim count has quadrupled since the weekend, with more organisations likely affected but not yet identified due to stealthy intrusion methods. While many state-sponsored campaigns are focused on espionage, the introduction of ransomware into this attack indicates a shift toward financial damage and operational paralysis. Ransomware works by encrypting critical files and systems, holding them hostage until payment is made—often in cryptocurrency to avoid traceability.
The U.S. National Institutes of Health confirmed that one of its servers had been breached, prompting the isolation of additional systems. Reports also suggest that the U.S. Department of Homeland Security and other agencies may have been compromised, although official confirmation remains limited.
The concern now extends beyond data confidentiality to business continuity and public service disruption. Security professionals warn that ransomware could escalate the impact far beyond the original scope of the breach.
Patch delays and evolving threat vectors
The root cause of the breach traces back to Microsoft’s incomplete patching of a SharePoint vulnerability. Cybersecurity experts have criticized the delayed response and warned that residual gaps in server security continue to be exploited.
Microsoft noted that Chinese state-affiliated actors were among those exploiting the flaw, though Beijing has denied any involvement. Google-owner Alphabet echoed Microsoft’s concerns about the geopolitical implications of the attack.
With more than 400 organisations affected so far, and the count still rising, this attack underscores the risks of delayed patching and the fast-evolving nature of cyber threats, where espionage and extortion can now occur within the same attack lifecycle.
(Credit: Reuters)
