Ransomware escalates Microsoft SharePoint cyberattack, hundreds of organisations impacted

A server vulnerability left unpatched by Microsoft has now escalated from espionage to ransomware, hitting hundreds of victims worldwide.

Business Today Desk
Updated Jul 24, 2025 11:26 AM IST

A cyber-espionage campaign targeting outdated Microsoft SharePoint server software has taken a new and dangerous turn. Microsoft has confirmed that the hacking group known as “Storm-2603” is now deploying ransomware through the same vulnerability, adding a destructive layer to what was previously a spying operation.

In a blog post published late Wednesday, Microsoft said its expanded analysis revealed that the group behind the attacks has shifted its strategy. “Storm-2603” is now leveraging the SharePoint flaw to plant ransomware, which locks networks and demands cryptocurrency payments to restore access.

The campaign has already affected at least 400 known organisations, according to Dutch cybersecurity firm Eye Security, which was among the first to detect the breach. “There are many more, because not all attack vectors have left artefacts that we could scan for,” said Vaisha Bernard, chief hacker at Eye Security. The number is a steep increase from the 100 victims initially reported over the weekend.

Unlike typical state-sponsored attacks that focus on espionage, the deployment of ransomware signals a more aggressive and disruptive intent. Victims now include not just private organisations but also key US government institutions.

A spokesperson for the National Institutes of Health confirmed on Wednesday that one of its servers had been compromised. “Additional servers were isolated as a precaution,” the representative said. The breach was initially reported by The Washington Post.

Further reports suggest a much broader impact. NextGov and Politico have reported that multiple federal agencies, including the Department of Homeland Security, may have been compromised in the campaign. DHS’ cybersecurity unit, CISA, has not yet commented on the breach.

The attack wave began after Microsoft failed to completely patch a known security flaw in its SharePoint server software, which triggered a rush among IT administrators worldwide to close the loophole. Microsoft has yet to issue more details about the scope of the ransomware threat or confirm the identities of all affected organisations.

Both Microsoft and Alphabet, the parent company of Google, have previously attributed the campaign to Chinese state-backed hackers. The Chinese government has denied involvement.

Published on: Jul 24, 2025 11:26 AM IST