Velociraptor Misused: LockBit Ransomware & Storm-2603 Weaponize DFIR Tools in 2025 Attacks
Executive Summary
In October 2025, cybersecurity researchers uncovered that threat actors associated with Storm-2603 (also known as Gold Salem or CL-CRI-1040) leveraged Velociraptor, a legitimate open-source digital forensics and incident response (DFIR) tool, to facilitate a series of LockBit ransomware attacks. Adversaries exploited Velociraptor’s capabilities to gather intelligence and move laterally within target environments, evading detection by blending in with regular security operations. The attacks led to significant data encryption events and operational disruptions, primarily impacting organizations with insufficient internal security segmentation and monitoring.
This incident marks a significant evolution in attacker tradecraft, as it demonstrates that widely trusted security tools—often present for defensive use—can be repurposed as offensive weapons. Increased regulatory scrutiny and the recurrent rise of double extortion ransomware attacks highlight the urgent need for organizations to monitor tool usage and improve east-west visibility.
Why This Matters Now
The abuse of legitimate DFIR tools like Velociraptor in active ransomware campaigns presents a new challenge for defenders, making traditional detection methods insufficient. As adversaries adopt trusted utilities for malicious purposes, it becomes critical for security teams to tighten controls around tool usage, implement real-time traffic monitoring, and enforce zero trust segmentation.
Attack Path Analysis
The attackers initially gained access to cloud or hybrid infrastructure, likely via credential compromise or known vulnerabilities. Post-compromise, they escalated privileges to gain administrative control and deployed the Velociraptor DFIR tool for surveillance and data collection. Using authorized tooling, they moved laterally across internal networks and cloud workloads to maximize environment control. The adversaries established ongoing command and control channels, blending traffic with legitimate management flows to evade detection. Sensitive data and credentials were exfiltrated prior to detonating ransomware payloads. The attack culminated in the deployment of LockBit or similar ransomware, leading to data encryption and operational disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers likely used credential compromise or exploited public-facing vulnerabilities to gain entry into the cloud or hybrid environment.
Related CVEs
CVE-2025-6264
CVSS 9.8A privilege escalation vulnerability in Velociraptor version 0.73.4.0 allows arbitrary command execution and complete endpoint takeover.
Affected Products:
Velocidex Innovations Velociraptor – 0.73.4.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
System Binary Proxy Execution
System Services
Ingress Tool Transfer
Modify Registry
Data Encrypted for Impact
Valid Accounts
Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Log All Access to System Components and Cardholder Data
Control ID: 10.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Art. 6(1)
CISA ZTMM 2.0 – Comprehensive Monitoring of Tools and Administrative Actions
Control ID: Monitoring & Visibility
NIS2 Directive – Incident Handling and Response
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
LockBit ransomware actors weaponizing Velociraptor DFIR tool creates ironic threat where cybersecurity firms' own forensic tools become attack vectors against their infrastructure.
Financial Services
Storm-2603's abuse of legitimate security tools bypasses traditional detection, threatening financial institutions' incident response capabilities and compliance with PCI and NIST frameworks.
Health Care / Life Sciences
Healthcare organizations face dual risk from ransomware deployment and compromised forensic capabilities, violating HIPAA requirements while disrupting critical patient care systems.
Government Administration
Government agencies using Velociraptor for incident response become vulnerable to weaponized versions, compromising national security infrastructure and classified data protection measures.
Sources
- Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attackshttps://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.htmlVerified
- Velociraptor DFIR Tool Used in Ransomware Attackshttps://areteir.com/article/velociraptor-dfir-tool-used-in-ransomware-attacks/Verified
- Velociraptor Forensic Tool Used to Deploy LockBit and Babuk Ransomwarehttps://hackmag.com/news/velociraptor-attacksVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust Segmentation, microsegmentation, encrypted traffic enforcement, egress policy controls, and threat detection would have significantly restricted attacker movement, contained the spread of malicious activity, and provided rapid detection. These controls are crucial for preventing unauthorized lateral movement, exfiltration, and the spread of ransomware throughout cloud and hybrid environments.
Control: Cloud Firewall (ACF)
Mitigation: Blocked unauthorized inbound access and known bad payloads at the perimeter.
Control: Multicloud Visibility & Control
Mitigation: Detected abnormal privilege usage through centralized visibility and alerting.
Control: Zero Trust Segmentation
Mitigation: Restricted unauthorized east-west traffic between workloads and services.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked encrypted or unauthorized outbound C2 communication.
Control: Encrypted Traffic (HPE)
Mitigation: Detected or blocked unapproved data exfiltration attempts.
Provided rapid detection and response to anomalous behavior indicative of mass encryption.
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Management
- Customer Services
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive customer and operational data due to system compromise.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust Segmentation to tightly control east-west workload communications and block lateral movement by default.
- • Implement robust egress policy enforcement to monitor and restrict outbound traffic, disrupting command and control and exfiltration channels.
- • Deploy centralized, multi-cloud visibility with real-time anomaly detection to rapidly identify suspicious privilege escalation and remote tool abuse.
- • Utilize encrypted traffic inspection for all internal and external flows to detect unauthorized or covert data transfers.
- • Continuously update cloud firewall and inline IPS policies to block known threats and ensure least-privilege network access throughout the environment.
