Microsoft SharePoint attack victim count rises to 400, including high-profile US organizations

Ransomware groups are now targeting Microsoft SharePoint—a platform trusted by more than 190 million users worldwide for collaboration and document management. It’s the latest development in a growing wave of cyberattacks targeting known vulnerabilities in the system.

Recent reports suggest the scale of the attacks is far worse than initially thought. What started as an estimated 100 compromised organizations has now escalated to more than 400—among them a high-profile target: the U.S. National Nuclear Security Administration, which oversees the country’s nuclear weapons program.

Microsoft has attributed the attacks, which it observed as early as July 7 and publicly disclosed on July 19, to multiple China-based threat actors, including Linen Typhoon, Violet Typhoon, and Storm-2603. The majority of the affected organizations are U.S.-based.

Other high-profile organizations that have been victims include the Department of Education, Florida’s Department of Revenue, the Rhode Island General Assembly, and government networks in Europe and the Middle East.

According to Microsoft, Storm-2603 exploited the vulnerabilities in on-premises SharePoint servers to steal the servers' ASP.NET MachineKey material (the ValidationKey and DecryptionKey in web.config). Those keys are what SharePoint uses to sign and encrypt __VIEWSTATE. An attacker holding them can forge ViewState that the server accepts and deserializes, which means continued code execution on the server even after the vulnerabilities themselves are patched. That foothold is what the attackers use to install further malicious software, including backdoors and ransomware.
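The following Python is an added illustration, not Microsoft's code and not the real ASP.NET implementation: it models only the part of the ViewState MAC check that matters for the argument above (ASP.NET additionally derives per-purpose keys and mixes in page-specific modifiers). The simulation shows why a stolen key outlives a patch and why rotating the key is what actually invalidates the attacker's forged payloads. The key sizes and the payload string are assumptions made for the example.

```python
"""Simplified model of the ASP.NET __VIEWSTATE MAC and why key theft persists.

The server signs serialized page state with an HMAC under its ValidationKey
and refuses to deserialize anything whose MAC does not verify. Whoever holds
the key can mint a token the server will deserialize; fixing the bug that
leaked the key does nothing about that. Only a new key does.
Added example; not Microsoft's code and not the exact ASP.NET algorithm.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Return base64(payload || HMAC-SHA256(validation_key, payload))."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes) -> Optional[bytes]:
    """Return the payload if the MAC verifies under validation_key, else None.

    In real ASP.NET a verified payload is then handed to the deserializer,
    which is exactly why an attacker wants a token that passes this check.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def simulate_key_theft_and_rotation() -> Tuple[bool, bool]:
    """Model the incident timeline; returns (accepted_after_patch, accepted_after_rotation)."""
    server_key = secrets.token_bytes(64)          # assumed 512-bit ValidationKey

    # Step 1: the attacker reads web.config through the RCE and keeps the key.
    stolen_key = server_key

    # Step 2: the vulnerability is patched, but the key is unchanged.
    # The attacker forges ViewState carrying an attacker-controlled object
    # (payload content is a stand-in; real gadgets are serialized .NET objects).
    forged = sign_viewstate(b"<attacker-controlled serialized object>", stolen_key)
    accepted_after_patch = verify_viewstate(forged, server_key) is not None

    # Step 3: the operator rotates the machine key (Update-SPMachineKey + iisreset
    # in Microsoft's guidance). The old forgery no longer verifies.
    server_key = secrets.token_bytes(64)
    accepted_after_rotation = verify_viewstate(forged, server_key) is not None

    return accepted_after_patch, accepted_after_rotation


if __name__ == "__main__":
    after_patch, after_rotation = simulate_key_theft_and_rotation()
    print(f"forged ViewState accepted after patch only: {after_patch}")
    print(f"forged ViewState accepted after key rotation: {after_rotation}")
```

The two booleans are the whole point: a server that was compromised before the update is still trusting the attacker's key until someone replaces it.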

Although Microsoft has since released patches for the exploited flaws (out-of-band updates for SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016; SharePoint Online in Microsoft 365 is not affected), the company confirmed that attackers began deploying ransomware, which Microsoft identifies as Warlock, through these vulnerabilities as early as July 18, 2025. Because stolen machine keys outlive the patch, Microsoft's guidance pairs the update with rotating the keys and restarting IIS. The cost to affected organizations could reach millions, not only in direct financial loss but also in reputational damage and regulatory consequences.

Microsoft announced in its report:

“Microsoft tracks this threat actor in association with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities… Storm-2603 is actively using these vulnerabilities to deploy ransomware.”

This incident underscores a critical lesson for organizations of all sizes: patch management is not optional, and in this case patching is not the end of the job. An unpatched, internet-facing server is a direct line to core infrastructure and sensitive data, and a server that was compromised before the patch landed may still be carrying the attacker's keys.

Immediate Actions Organizations Should Take:

  • Audit SharePoint environments, identify every internet-facing on-premises server, and apply the July 2025 out-of-band updates (SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016).

  • Rotate the ASP.NET machine keys on every server after patching (through Central Administration or the Update-SPMachineKey PowerShell cmdlet), then restart IIS with iisreset. A stolen key stays valid until it is replaced.

  • Enable SharePoint's AMSI integration in Full Mode and run Microsoft Defender Antivirus (or an equivalent) on the servers so that malicious payloads are scanned before they execute.

  • Reevaluate identity and access management, especially where cryptographic keys and service account credentials are stored, and treat credentials held on a compromised server as exposed.

  • Monitor for signs of unauthorized access: web shells dropped into the SharePoint LAYOUTS directory (Microsoft names spinstall0.aspx), POST requests to ToolPane.aspx carrying a Referer of SignOut.aspx in the IIS logs, and new scheduled tasks or services that could enable future breaches.
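As an added example of the monitoring step (this is not Microsoft's code or a tool from the report), the Python below parses IIS W3C log lines and flags the two indicators Microsoft and Eye Security published for this campaign: an exploit-style POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, and any request for the spinstall0.aspx web shell. The log lines, host names and IP addresses are constructed for the example; the field list is taken from the log's own #Fields header, so the same parser works on a real log with a different column order.

```python
"""Hunt for ToolShell-style SharePoint exploitation in IIS W3C logs.

Indicators (from Microsoft's and Eye Security's published write-ups):
  * POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit... with
    Referer ending in /_layouts/SignOut.aspx   (exploit request pattern)
  * any request for spinstall0.aspx             (dropped web shell that
    reads the MachineKey configuration)
A legitimate page edit also POSTs to ToolPane.aspx with DisplayMode=Edit,
so the Referer check is what keeps normal admin activity out of the results.
Added example; log lines below are constructed, not from a real incident.
"""
from typing import Dict, Iterator, List, Tuple

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:04:11 10.0.0.5 GET /sites/finance/_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.corp.example/ 200
2025-07-18 22:05:43 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 https://sp.corp.example/_layouts/SignOut.aspx 200
2025-07-18 22:05:59 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.32 - 200
2025-07-18 22:06:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\admin 10.0.1.33 Mozilla/5.0 https://sp.corp.example/_layouts/15/settings.aspx 200
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is declared in the log
            continue
        if line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        values = line.split()                  # W3C encodes spaces inside fields as '+'
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def is_toolshell_request(rec: Dict[str, str]) -> bool:
    """Exploit pattern: POST to ToolPane.aspx in edit mode, referred from SignOut.aspx."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    return (
        rec.get("cs-method") == "POST"
        and stem.endswith("/_layouts/15/toolpane.aspx")
        and "displaymode=edit" in query
        and referer.endswith("/_layouts/signout.aspx")
    )


def touches_webshell(rec: Dict[str, str]) -> bool:
    """Any hit on the dropped spinstall0.aspx file, whatever the method."""
    return rec.get("cs-uri-stem", "").lower().endswith("/spinstall0.aspx")


def hunt(text: str) -> List[Tuple[str, str, str]]:
    """Return (time, client_ip, reason) for every suspicious record."""
    findings: List[Tuple[str, str, str]] = []
    for rec in parse_w3c(text):
        if is_toolshell_request(rec):
            findings.append((rec["time"], rec["c-ip"],
                             "exploit-style POST to ToolPane.aspx with SignOut referer"))
        elif touches_webshell(rec):
            findings.append((rec["time"], rec["c-ip"],
                             "request for spinstall0.aspx web shell"))
    return findings


if __name__ == "__main__":
    for when, ip, why in hunt(SAMPLE_LOG):
        print(f"{when} {ip:15} {why}")
```

Run it against the real u_ex*.log files under inetpub\logs\LogFiles and feed every client IP it returns into the incident timeline; a hit on spinstall0.aspx in particular means the machine keys on that server must be assumed stolen and rotated.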

The window between vulnerability disclosure and exploitation is shrinking. Ransomware operators and data thieves are working faster and targeting more sophisticated systems. Staying ahead requires more than reactive patching; it demands a proactive, continuous approach to cybersecurity.

At Enfortra, we help organizations safeguard their data by monitoring for vulnerabilities, securing personally identifiable information (PII), and staying one step ahead of evolving threats like Storm-2603. Reach out to learn how we can help you fortify your defenses.