Operator dossier

warlock is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 78 public victims claimed by this operator between June 11, 2025 and November 6, 2025.

Warlock is an emerging ransomware group that first appeared in June 2025, primarily motivated by financial gain through extortion operations targeting organizations across multiple sectors. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their targeting pattern spans both Western nations and Russia, suggesting possible opportunistic rather than geopolitically-motivated operations. Based on available victim data, Warlock has demonstrated capability to compromise organizations across diverse sectors including technology, financial services, telecommunications, and healthcare, with their attack methodology and technical capabilities requiring further analysis by security researchers to establish definitive patterns regarding initial access vectors, encryption methods, or data exfiltration tactics. While the group has accumulated 78 documented victims across the United States, Japan, Russia, Great Britain, and Turkey within their initial months of operation, insufficient public reporting from CISA, FBI, or major security firms exists to detail specific notable campaigns, ransom demands, or high-profile incidents. Given the group's recent emergence in mid-2025, their current operational status and potential evolution remain under observation by the cybersecurity community.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

warlock

78 victims indexed · first seen 1 year ago · last activity 7 months ago

  • Victims indexed: 78 (#83 of 356 tracked operators)
  • Active period: 5m (Jun 2025 → Nov 2025)
  • Countries hit: 10 (top US · 12)

At a glance

  • Status: inactive
  • First seen: 1 year ago
  • Last activity: 7 months ago
  • Onion sites: 2 known endpoints
  • Primary sector: Not Found · 40 hits

Timeline

4 months with disclosures (month · victims):

  • 2025-06-01 · 19
  • 2025-08-01 · 31
  • 2025-09-01 · 11
  • 2025-11-01 · 17

Top countries

  • 🇺🇸 United States: 12
  • 🇷🇺 Russia: 5
  • 🇯🇵 Japan: 5
  • 🇬🇧 United Kingdom: 4
  • 🇩🇰 Denmark: 2
  • 🇫🇷 France: 2
  • 🇵🇱 Poland: 2
  • 🇮🇳 India: 2

Top sectors

  • Technology: 20
  • Financial Services: 3
  • Telecommunication: 3
  • Healthcare: 2
  • Manufacturing: 2
  • Agriculture and Food Production: 2
  • Education: 1
  • Construction: 1

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

  • Initial Access
  • Execution
  • Impact

Techniques

  • T1566 Phishing
  • T1190 Exploit Public-Facing Application
  • T1059 Command and Scripting Interpreter
  • T1486 Data Encrypted for Impact

Onion infrastructure

2 known
  • http://elqfbcx5nofwtqfookqml7ltx2g6q6tmddys6e25vgu3al2meim6cbqd.onion
  • http://zfytizegsze6uiswodhbaalyy5rawaytv2nzyzdkt3susbewviqqh7yd.onion

Source

Updated 7 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.
