New Gold Salem ransomware could be the most worrying new strain we’ve seen for a while

By Sead Fadilpašić

Copyright techradar

19 September 2025

Warlock, also known as Gold Salem, is making a name for itself, and fast

Warlock ransomware group compromised over 60 victims since emerging in March 2025
Sophos highlights advanced tactics including SharePoint exploits, tunneling, and credential theft
Group claims to have sold stolen data from 45% of victims to private buyers

Security researchers have warned of a new ransomware operation that is quickly making a name for itself.

Sophos has detailed the activity of a group that calls itself Warlock. Different analysts have given the group different names: Sophos tracks it as Gold Salem, and Microsoft as Storm-2603.
Sophos says it “could be the most worrying new strain” to emerge in a while, as the group has compromised more than 60 victims since it was first observed in March 2025.

Is Warlock a Chinese player?
It’s not just the number of victims that’s worrying here. The group’s operations “reflect both competence and boldness” because, in mere months, they managed to exploit SharePoint vulnerabilities with a custom ToolShell chain, abuse legitimate tools such as Velociraptor for covert tunneling, deploy Mimikatz for credential theft, PsExec/Impacket for lateral movement, and GPOs for ransomware payloads.

They’ve also managed to solicit exploits and access from underground forums despite having no prior public footprint.
Attribution is proving rather tricky, though. Microsoft refers to Warlock as a “China-based actor”, but Sophos argues the evidence is inconclusive. Still, the group was observed targeting all sorts of organizations, from all sorts of countries and verticals, yet they’ve skillfully avoided targeting Russian and Chinese organizations.
There is an outlier, though – a single Russian entity was recently added to the group’s data leak site. For Sophos, this information suggests the group operates outside Russia’s jurisdiction or sphere of influence.

Still, out of the 60+ victims the group added to its site, it claims to have sold stolen data from 27 to private buyers (approximately 45%).
What’s notable here is that only 32% of victims had their data publicly leaked, which suggests that the rest may have paid or had their data sold privately.
Sophos also stresses that the 45% claim may be inflated, or outright fabricated, as ransomware groups often exaggerate their impact to boost credibility and instill fear.
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.
