Microsoft Confirms Ransomware Used in SharePoint Server Exploits

News Synopsis
In a late Wednesday blog post, Microsoft revealed that hackers exploiting vulnerable versions of its SharePoint server software have now escalated their activities to include ransomware deployment. The shift signals a concerning evolution in the attack campaign that originally focused on cyber-espionage.
Microsoft stated that, based on “expanded analysis and threat intelligence,” the group — identified as Storm-2603 — is using the SharePoint vulnerability to deploy ransomware, a type of malicious software that “typically works by paralyzing victims’ networks until a digital currency payment is made.”
This represents a significant escalation in terms of impact, as ransomware attacks can cause widespread disruption and financial loss across various sectors.
Impact: Over 400 Organizations Targeted
Sharp Spike in Victim Count
According to Netherlands-based cybersecurity firm Eye Security, the campaign has already affected at least 400 organizations, a steep rise from the 100 initially identified over the weekend.
“There are many more, because not all attack vectors have left artifacts that we could scan for,” explained Vaisha Bernard, Chief Hacker at Eye Security.
The firm was among the earliest to flag the breaches, indicating that the actual number of affected entities may be significantly higher than currently reported.
High-Profile Government Agencies Also Breached
National Institutes of Health Confirms Breach
A representative from the National Institutes of Health (NIH) confirmed that one of its servers had been compromised, though “additional servers were isolated as a precaution.”
The confirmation followed a report by The Washington Post, highlighting the serious implications for U.S. federal institutions.
Other Agencies in the Crosshairs
- NextGov, citing unnamed sources, reported that the Department of Homeland Security (DHS) was also targeted, along with five to twelve additional U.S. agencies.
- Politico, referencing two U.S. officials, echoed the claim, saying “multiple agencies were believed to have been breached.”
Meanwhile, CISA (Cybersecurity and Infrastructure Security Agency), which is the primary federal body responsible for defending against such attacks, has not yet commented on the breaches.
Microsoft’s Security Oversight and the Role of Nation-State Actors
A Critical Flaw Left Unpatched
The cyber campaign began when Microsoft failed to fully patch a vulnerability in its SharePoint server software, allowing threat actors to exploit the weakness before effective countermeasures could be implemented.
China-Linked Hackers Accused
Both Microsoft and Alphabet (Google’s parent company) have pointed fingers at Chinese hackers, stating that they are among those “taking advantage of the flaw.”
However, Beijing has denied the claim, continuing to dismiss allegations of cyberattacks on foreign entities.
Ransomware: A Shift from Espionage to Disruption
Why This Matters
While many state-backed hacking campaigns are traditionally focused on stealing sensitive data, the use of ransomware represents a shift toward disruptive attacks that can cripple essential services and demand financial ransom.
This development indicates that state-aligned or opportunistic criminal groups may be combining espionage with financially motivated cybercrimes — blurring the lines between political and monetary objectives in cyberspace.
Conclusion
The evolution of this SharePoint vulnerability exploitation from cyber-espionage to full-scale ransomware attacks underscores the growing complexity and scale of modern cyber threats. With over 400 organizations potentially compromised — including key U.S. government agencies like NIH and DHS — the implications are vast.
Microsoft’s disclosure, alongside the continued investigation by firms like Eye Security, raises urgent questions about the security posture of widely used enterprise systems and the speed of patch rollouts.
As threat actors grow more aggressive, timely coordination between software vendors, cybersecurity agencies, and global governments will be critical to defend against such rapidly evolving cyber risks.