News In Brief Technology and Gadgets

Microsoft Warns SharePoint Server Hackers Now Deploying Ransomware

25 Jul 2025

News Synopsis

In a significant escalation of an ongoing cyber-espionage campaign, Microsoft has revealed that attackers are now deploying ransomware through a vulnerability in its SharePoint server software. The revelation came via a blog post published late Wednesday, wherein the tech giant shared updated threat intelligence and analysis of the cyberattacks.

Hacking Group "Storm-2603" Now Using Ransomware

According to Microsoft, a threat actor identified as “Storm-2603” has begun using the SharePoint vulnerability not only for espionage but also to plant ransomware — a malicious tool that encrypts systems and demands payment in digital currency to restore access.

“Expanded analysis and threat intelligence,” Microsoft said, confirms that the group is using the vulnerability to seed ransomware, which typically works by paralyzing victims’ networks until a digital currency payment is made.

More Than 400 Victims Targeted — A Sharp Rise in Cases

The scale of the campaign has grown rapidly. As per Netherlands-based cybersecurity firm Eye Security, over 400 organizations have been affected — a steep increase from the 100 cases reported just days earlier.

“There are many more, because not all attack vectors have left artifacts that we could scan for,” said Vaisha Bernard, chief hacker at Eye Security.

The campaign appears to go beyond traditional cyber-espionage motives, marking a shift toward potentially more damaging and disruptive ransomware deployment.

🏛️ U.S. Government Agencies Among Confirmed Victims

Although most targeted organizations remain undisclosed, the U.S. National Institutes of Health (NIH) confirmed that one of its servers had been compromised.

“Additional servers were isolated as a precaution,” a NIH representative said.

The news was first reported by The Washington Post. Further reporting by NextGov and Politico suggests that the Department of Homeland Security (DHS) and possibly 5 to 12 other U.S. government agencies may have been breached.

  • NextGov, citing unnamed sources, reported that DHS had been compromised.

  • Politico, referencing two U.S. officials, confirmed that multiple agencies were believed to have been impacted.

As of now, CISA, the cyber defense division of DHS, has not issued an official response.

Microsoft’s Patch Failure Behind the Breach

The cyber-espionage campaign originated from a security flaw in Microsoft’s SharePoint server software that had not been completely patched. This led to a scramble among organizations to secure their systems before threat actors could exploit the flaw further.

Both Microsoft and Alphabet, the parent company of Google, have alleged that Chinese cyber attackers are among those taking advantage of the SharePoint vulnerability. However, the Chinese government has rejected any claims of its involvement.

Key Takeaways:

What is Storm-2603?

A cybercriminal group linked with ransomware deployment through Microsoft SharePoint vulnerabilities.

What Systems Are Affected?

Unpatched or partially patched versions of Microsoft SharePoint Server.

Impact So Far:

  • 400+ organizations breached (as per Eye Security)

  • U.S. agencies including NIH, DHS, and others possibly compromised

  • Ransomware now added to the attack tools

  • Potential attribution to Chinese hacker groups (alleged by Microsoft and Alphabet)

Conclusion

Microsoft’s confirmation of ransomware attacks in a campaign initially rooted in cyber-espionage raises urgent alarms. The rapid growth in the number of affected organizations — from 100 to over 400 — underscores the widespread nature of the threat. With confirmed breaches in critical U.S. agencies and warnings of further vulnerabilities, the incident highlights a critical need for robust cybersecurity practices, timely patch updates, and international cooperation. As the line between state-sponsored spying and financially motivated cybercrime blurs, the consequences for both public and private sectors could be far-reaching.