Ransomware’s shifting battlefield in 2025: WarLock hits telecom, PipeMagic’s zero‑day bait, Crypto24’s stealthy playbook and what the latest data means for defenders

Last updated: 08/19/2025
  • WarLock-linked ransomware disrupted Colt’s internal support systems, spotlighting telecom risk.
  • PipeMagic backdoor masquerades as a ChatGPT app and abuses a CLFS zero-day to deploy ransomware.
  • Crypto24 blends LOLBins, remote tools, and anti-EDR tactics to move laterally and exfiltrate data.
  • Retail trends: encryption rates fall, extortion-only grows, ransom demands surge while recovery costs drop.

From real-world breaches to conference stages and policy labs, the conversation has moved beyond simple payload blocking to stopping lateral movement, safeguarding backups, and making timely decisions under pressure. The latest developments around WarLock, PipeMagic, and Crypto24 illustrate how quickly the ground is moving under defenders’ feet.

Telecom under fire: WarLock’s strike on Colt

U.K.-based Colt reported a ransomware incident claimed by the WarLock operation, leading the company to take portions of its business support systems offline as a precaution. Customers faced interruptions to support portals and voice APIs while restoration efforts proceeded.

Colt said the attack was identified on an internal system that is separate from customer infrastructure, and that it implemented immediate protective steps and notified authorities. The company emphasized that network monitoring continued, though staff were working “more manually” until automated capabilities were restored.

WarLock has been tracked as an emerging ransomware operation with some reports describing it as a RaaS and others as a variant; observed activity has included opportunistic targeting and interest in software collaboration platforms, with telecom providers squarely in scope.

Zero-day bait and switch: PipeMagic and a fake ChatGPT app

Microsoft detailed a modular backdoor dubbed PipeMagic, tied to a threat actor it tracks as Storm-2460. The group has lured victims with a doctored desktop application purporting to be ChatGPT, which decrypts and launches an embedded payload before privilege escalation and ransomware deployment.

The exploitation centers on CVE-2025-29824 in the Windows CLFS driver, a component with a long history of interest to ransomware crews and as a zero-day privilege escalation vector. Researchers observed targeting across IT, financial, and real estate sectors in the U.S., Europe, South America, and the Middle East.

Third-party analyses complement Microsoft’s findings: Kaspersky reported overlaps with RansomExx operations, while Symantec previously noted Play ransomware actors exploiting the same CLFS zero-day. The takeaway is straightforward: a backdoor paired with a zero-day privilege escalation is a potent path to fast encryption and extortion.

Detection is hampered by PipeMagic’s modular design and stealth, which blends with legitimate activity until late in the intrusion chain. This underscores the value of early-stage signals such as suspicious installer behavior, anomalous CLFS driver activity, and unexpected remote tooling.

Tradecraft in focus: how Crypto24 blends in and breaks out

Reporting on the Crypto24 campaign shows operators leaning on “living off the land” to avoid tripping conventional alarms. PsExec, AnyDesk, Group Policy utilities, and Windows LOLBins provide mobility without obvious malware markers.

Once inside, teams prioritize mapping, persistence, and data theft prior to any overt ransomware detonation. Exfiltration shifts the balance of power, giving attackers leverage even if encryption is blocked or rolled back.

The lesson for defenders is pragmatic: ensure agent self-protection, harden privilege paths, and watch for unusual use of built-in utilities that suggests lateral movement rather than routine IT work.

What the numbers say: ransomware trends in retail

A new study of 361 retail organizations hit by ransomware highlights both progress and pivoting by adversaries. Exploited vulnerabilities remained the top technical root cause in 30% of cases, while unknown security gaps (46%) and limited expertise (45%) were leading organizational factors.

Encryption success rates dropped to a five-year low (48%) while “pre-encryption” disruptions by defenders hit a high. Attackers responded by tripling extortion-only incidents in retail, from 2% in 2023 to 6% in 2025.

Ransom economics are shifting: the median demand doubled to $2M year-over-year, yet the median payment climbed just 5% to $1M. The average recovery cost, excluding ransom, fell 40% to $1.65M, suggesting maturing response and restoration processes.

The human impact remains severe, with reported stress, leadership pressure, and staff absences following encryption events. That toll reinforces the value of prevention, readiness drills, and clear decision playbooks before an incident hits.

AI is changing the tempo

Even today’s human-led operations bypass mature stacks with troubling regularity, exploiting gaps between products and processes. As AI begins orchestrating intrusion chains, that gap could widen unless defenders push detection earlier and speed up response.

Purpose-built capabilities that spot the precursors — initial access, privilege abuse, lateral movement, and tamper attempts — are increasingly essential to blunt attacks before encryption or mass exfiltration.

Policy and resilience: paying, banning, and the middle ground

Academic research is surfacing the “extortionality” dilemma: paying may speed recovery for one victim but fuels the broader crime economy. The calculus depends on the value at risk, the nature of demands, and sector-specific stakes.

Blanket ransom bans can backfire in critical services like healthcare, where downtime endangers lives. Some experts suggest calibrated approaches: potential fines or taxes on payments, targeted exemptions for critical infrastructure, and stronger incentives for robust backups and recovery drills.

Resilience is the pressure valve: frequent, verified offline backups and practiced restorations reduce the odds a payment feels “necessary,” while clearer policies and rehearsed decision trees keep crisis choices aligned with long-term risk reduction.

The defender’s playbook: practical steps that move the needle

A few fundamentals consistently blunt ransomware campaigns when implemented thoroughly and audited often. The focus is on removing easy paths, catching lateral movement early, and sustaining visibility even under adversary pressure.

  • Regularly audit and restrict privileged accounts; disable unused default admin accounts.
  • Limit RDP and remote tool usage (e.g., PsExec, AnyDesk) to approved systems; enforce MFA and review firewall rules.
  • Detect and investigate unusual use of built-in Windows utilities and third-party remote access tools.
  • Enable anti-tamper/self-protection on security agents; monitor for uninstall or bypass attempts.
  • Continuously inspect new scheduled tasks/services and registry changes for persistence.
  • Watch for sensitive file access anomalies and atypical outbound traffic indicating exfiltration.
  • Maintain regular, offline backups; verify restoration speed and integrity with drills.
  • Ensure every system, especially admin workstations and servers, has full agent coverage and monitoring.
  • Adopt Zero Trust principles: least privilege, continuous verification, and segmented access.
  • Train users against phishing and credential theft; exercise an incident response plan frequently.
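As an added illustration of the second and third bullets (this is example code written for this article, not tooling from any vendor or from the campaigns described), the script below triages process-creation records shaped like Windows Security event 4688 fields, flagging the remote tools named in the Crypto24 reporting (PsExec and AnyDesk) when they run on hosts outside an approved allowlist or from user-writable paths. The host allowlist, the sample events and the field names are assumptions constructed for the demo.

```python
from pathlib import PureWindowsPath

# Remote execution / access tools called out in the Crypto24 reporting above.
REMOTE_TOOLS = {"psexec.exe", "psexesvc.exe", "anydesk.exe"}

# Assumption: hosts where remote tooling is sanctioned (e.g. a jump box).
APPROVED_REMOTE_HOSTS = {"JUMP01"}

# User-writable directories a sanctioned install should not launch from.
SUSPICIOUS_DIRS = ("c:\\users\\public", "c:\\programdata", "c:\\windows\\temp")

# Constructed sample events (4688-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": r"C:\Tools\PsExec.exe"},
    {"host": "SRV01", "user": r"NT AUTHORITY\SYSTEM", "parent": "services.exe",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS07", "user": "CORP\\svc_help", "parent": "cmd.exe",
     "image": r"C:\Users\Public\AnyDesk.exe"},
    {"host": "JUMP01", "user": "CORP\\itadmin", "parent": "explorer.exe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
]


def classify(event):
    """Return the reasons an event looks suspicious (empty list if benign)."""
    path = PureWindowsPath(event["image"])
    name = path.name.lower()
    reasons = []
    if name not in REMOTE_TOOLS:
        return reasons
    if event["host"] not in APPROVED_REMOTE_HOSTS:
        reasons.append(f"{name} on unapproved host {event['host']}")
    # PSEXESVC.exe is the service PsExec drops on the *target* machine,
    # so its start is an inbound lateral-movement indicator on any host.
    if name == "psexesvc.exe":
        reasons.append("PsExec service started (inbound lateral movement)")
    if str(path.parent).lower().startswith(SUSPICIOUS_DIRS):
        reasons.append(f"remote tool launched from user-writable path {path.parent}")
    return reasons


def triage(events):
    """Map each host with findings to its list of reasons, in input order."""
    findings = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.setdefault(ev["host"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

In production the allowlist and the list of tools would come from the organisation's own inventory, and the events from the SIEM rather than an inline list.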

Pair these controls with rapid investigation and containment so that when an alert fires, isolation and remediation can proceed at machine speed, not meeting speed.

Across telecom, retail, and the broader enterprise landscape, the through line is clear: attackers are blending stealth, speed, and leverage to increase pressure, while defenders who push detection earlier, harden the basics, and rehearse recovery are steadily reducing impact and costs.