Attackers Weaponize Velociraptor DFIR Tool in Ransomware Campaigns

Alex Cipher, 4 min read

Cybercriminals are getting creative, and their latest trick involves turning the tables on defenders by weaponizing the very tools meant to protect organizations. Velociraptor, a digital forensics and incident response (DFIR) tool originally developed by Mike Cohen and now under Rapid7, has recently been exploited in a string of ransomware attacks. Threat actors, notably the China-based group Storm-2603, have been leveraging a privilege escalation vulnerability (CVE-2025-6264) in outdated Velociraptor versions to gain deep access to systems, deploy ransomware like LockBit and Babuk, and maintain persistent control—even after defenders attempt to isolate infected hosts. This real-world case highlights how attackers are not just bypassing security but actively using defenders’ own tools against them, raising the stakes for organizations everywhere (BleepingComputer).

Exploitation of Velociraptor in Ransomware Attacks

Vulnerabilities in Velociraptor

The Velociraptor digital forensics and incident response (DFIR) tool, originally created by Mike Cohen and later acquired by Rapid7, has become a target for exploitation by threat actors in ransomware attacks. The attackers have been leveraging an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability identified as CVE-2025-6264. This vulnerability allows attackers to execute arbitrary commands and potentially take over the host system. The exploitation of this vulnerability has been a critical factor in the deployment of ransomware such as LockBit and Babuk by the China-based adversary group tracked as Storm-2603. (BleepingComputer)

Persistence and Remote Access

Once the attackers gain initial access, they install the vulnerable version of Velociraptor to maintain persistence on the compromised systems. This persistence is achieved by repeatedly launching Velociraptor, even after the host has been isolated. Additionally, the attackers use Velociraptor to establish remote access by downloading and executing Visual Studio Code on the compromised hosts. This setup allows them to create a secure communication tunnel with their command and control (C2) infrastructure, facilitating ongoing control and data exfiltration. (BleepingComputer)

Techniques for Evasion and Control

The threat actors employ various techniques to evade detection and maintain control over the compromised systems. They disable Defender real-time protection by modifying Active Directory Group Policy Objects (GPOs) and turn off behavior and file/program activity monitoring. Furthermore, they use Impacket smbexec-style commands to run programs remotely and create scheduled tasks for batch scripts. These actions help the attackers avoid detection by endpoint detection and response (EDR) solutions and maintain their foothold in the network. (BleepingComputer)
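The two sections above describe host behaviours a defender can look for in process-creation telemetry: Velociraptor being relaunched after a host was isolated, an attacker-dropped Velociraptor binary started outside the normal service, VS Code started in tunnel mode as the remote-access channel, and scheduled tasks wrapping batch scripts. The following is an added example, not code from the article, from Rapid7 or from the Velociraptor project. Every hostname, path, timestamp and command line in it is constructed sample data, and it assumes that a legitimately installed Velociraptor client runs as a Windows service (so `services.exe` is its expected parent) and that responders record when each host was isolated.

```python
"""Added example: triage of constructed process-creation events for the
behaviours described in the article. Not from the article or Velociraptor."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str      # full path of the created process
    parent: str     # full path of the parent process
    cmdline: str


# Constructed: when responders isolated each host (None = never isolated).
ISOLATED_AT = {"WS-0042": datetime(2025, 10, 9, 14, 5), "WS-0077": None}

# Constructed sample events (hostnames, paths and times are made up).
EVENTS = [
    ProcEvent(datetime(2025, 10, 9, 13, 50), "WS-0042",
              r"C:\Program Files\Velociraptor\velociraptor.exe",
              r"C:\Windows\System32\services.exe",
              r'"C:\Program Files\Velociraptor\velociraptor.exe" service run'),
    ProcEvent(datetime(2025, 10, 9, 14, 20), "WS-0042",
              r"C:\ProgramData\vr\velociraptor.exe",
              r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\vr\velociraptor.exe --config client.yaml client"),
    ProcEvent(datetime(2025, 10, 9, 14, 25), "WS-0042",
              r"C:\ProgramData\vscode\code.exe",
              r"C:\ProgramData\vr\velociraptor.exe",
              r'"C:\ProgramData\vscode\code.exe" tunnel --accept-server-license-terms'),
    ProcEvent(datetime(2025, 10, 9, 14, 30), "WS-0077",
              r"C:\Windows\System32\schtasks.exe",
              r"C:\Windows\System32\cmd.exe",
              r'schtasks.exe /create /tn Updater /tr "C:\ProgramData\run.bat" /sc minute /mo 5'),
    ProcEvent(datetime(2025, 10, 9, 14, 31), "WS-0077",
              r"C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              r"C:\Windows\explorer.exe",
              r'"C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\Users\jdoe\notes.md'),
    ProcEvent(datetime(2025, 10, 9, 14, 40), "WS-0077",
              r"C:\Program Files\Velociraptor\velociraptor.exe",
              r"C:\Windows\System32\services.exe",
              r'"C:\Program Files\Velociraptor\velociraptor.exe" service run'),
]


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def velociraptor_after_isolation(events, isolated_at):
    """Velociraptor starting on a host after responders isolated it."""
    return [e for e in events
            if _basename(e.image) == "velociraptor.exe"
            and isolated_at.get(e.host) is not None
            and e.ts > isolated_at[e.host]]


def velociraptor_unexpected_parent(events, expected_parent="services.exe"):
    """Assumption: the legitimate client is a service, so any other parent
    (cmd.exe, powershell.exe, ...) suggests an attacker-dropped copy."""
    return [e for e in events
            if _basename(e.image) == "velociraptor.exe"
            and _basename(e.parent) != expected_parent]


def vscode_tunnel(events):
    """VS Code started with the 'tunnel' subcommand (the C2 channel the
    article reports). Matches the whole token, not substrings of paths."""
    return [e for e in events
            if _basename(e.image) == "code.exe"
            and "tunnel" in e.cmdline.lower().split()]


def scheduled_task_batch(events):
    """schtasks creating a task whose action is a batch script."""
    hits = []
    for e in events:
        if _basename(e.image) != "schtasks.exe":
            continue
        c = e.cmdline.lower()
        if "/create" in c and (".bat" in c or ".cmd" in c):
            hits.append(e)
    return hits


RULES = (
    ("velociraptor_after_isolation", lambda ev: velociraptor_after_isolation(ev, ISOLATED_AT)),
    ("velociraptor_unexpected_parent", velociraptor_unexpected_parent),
    ("vscode_tunnel", vscode_tunnel),
    ("scheduled_task_batch", scheduled_task_batch),
)


def triage(events):
    """Map host -> names of the rules that fired, in rule order."""
    findings = {}
    for name, rule in RULES:
        for e in rule(events):
            findings.setdefault(e.host, []).append(name)
    return findings
```

Run against the constructed events, `triage(EVENTS)` flags WS-0042 on the first three rules (a second Velociraptor copy started by `cmd.exe` fifteen minutes after isolation, followed by a VS Code tunnel) and WS-0077 only on the scheduled-task rule; the service-started client and the ordinary VS Code launch on WS-0077 produce nothing. The rules key on process image, parent and command-line tokens, which is what Sysmon event 1 or Security event 4688 telemetry provides in practice.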

Double-Extortion Tactics

In addition to encrypting data, the attackers engage in double-extortion tactics by exfiltrating files before encryption. They use a fileless PowerShell encryptor that generates random AES keys per run for mass encryption on Windows machines. Before encryption, another PowerShell script is used to exfiltrate files, inserting delays between uploading actions with the ‘Start-Sleep’ command to evade sandbox and analysis environments. This approach not only increases the pressure on victims to pay the ransom but also provides the attackers with additional leverage by threatening to release sensitive data. (BleepingComputer)
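The article says the delays between uploads are there to evade sandbox and analysis environments; a side effect worth accounting for on the network side is that each individual transfer stays small, so a per-connection size check sees nothing unusual. The following is an added example, not code from the article, that aggregates outbound bytes per (host, destination) over a sliding time window so a paced exfiltration run is still visible in total. All flow records, hosts and addresses are constructed sample data, and the internal address ranges are an assumed RFC 1918 layout.

```python
"""Added example: sliding-window egress aggregation over constructed flow
records. Not from the article; addresses and volumes are made up."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MB = 1024 * 1024
# Assumption: the organisation's internal address space is plain RFC 1918.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    ts: datetime
    host: str
    dst: str
    bytes_out: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def windowed_egress(flows, window=timedelta(minutes=30)):
    """Peak bytes_out to each external destination within any window."""
    by_pair = defaultdict(list)
    for f in flows:
        if not is_internal(f.dst):
            by_pair[(f.host, f.dst)].append(f)
    peak = {}
    for key, fl in by_pair.items():
        fl.sort(key=lambda f: f.ts)
        start, total, best = 0, 0, 0
        for f in fl:
            total += f.bytes_out
            while f.ts - fl[start].ts > window:   # slide the window start forward
                total -= fl[start].bytes_out
                start += 1
            best = max(best, total)
        peak[key] = best
    return peak


def flag_slow_exfil(flows, threshold=40 * MB, window=timedelta(minutes=30)):
    """(host, dst) pairs whose windowed egress reaches the threshold."""
    return sorted(k for k, v in windowed_egress(flows, window).items() if v >= threshold)


def per_flow_alerts(flows, threshold=40 * MB):
    """The naive per-connection check, kept for comparison."""
    return [f for f in flows if not is_internal(f.dst) and f.bytes_out >= threshold]


T0 = datetime(2025, 10, 9, 15, 0)
FLOWS = (
    # Constructed: ten 5 MB uploads, two minutes apart, to one external host.
    [Flow(T0 + timedelta(minutes=2 * i), "WS-0042", "203.0.113.10", 5 * MB)
     for i in range(10)]
    # Constructed: one modest upload from another host, plus a large internal copy.
    + [Flow(T0, "WS-0077", "198.51.100.7", 3 * MB),
       Flow(T0, "WS-0077", "10.0.0.5", 500 * MB)]
)
```

With the constructed flows, `per_flow_alerts(FLOWS)` is empty because no single upload reaches 40 MB, while `flag_slow_exfil(FLOWS)` returns the WS-0042 pair, whose ten uploads sum to 50 MB inside the 30-minute window; the 500 MB internal copy is excluded by the address filter. Shrinking the window to 5 minutes drops the peak to 15 MB and the alert disappears, which is the trade-off to keep in mind when choosing the window against the pacing an attacker might use.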

Indicators of Compromise (IoCs)

Cisco Talos researchers have identified several indicators of compromise (IoCs) associated with these attacks. These IoCs include specific files uploaded by the threat actors to the compromised machines and Velociraptor-related files. By monitoring for these IoCs, organizations can enhance their detection capabilities and respond more effectively to potential threats. The identification of these IoCs is crucial for understanding the tactics, techniques, and procedures (TTPs) used by the attackers and for developing effective countermeasures. (BleepingComputer)

Final Thoughts

The exploitation of Velociraptor in recent ransomware campaigns is a wake-up call for cybersecurity teams and IT administrators alike. Attackers are no longer just exploiting vulnerabilities—they’re hijacking trusted tools to blend in, evade detection, and maximize their leverage through double-extortion tactics. Staying ahead means not only patching known vulnerabilities like CVE-2025-6264 but also monitoring for unusual activity involving legitimate tools, keeping an eye on emerging IoCs, and fostering a culture of vigilance. As threat actors continue to innovate, defenders must adapt quickly, leveraging threat intelligence and proactive monitoring to turn the tide (BleepingComputer).
