Warlock, a new ransomware gang, today claimed credit for a spate of cyber attacks that hit several government agencies from around the world.
The group claimed responsibility for 16 cyber attacks in the past month, and about half those hit government agencies and departments. Four of the attacks have been acknowledged by the targeted organizations, three of which were government entities:
- Entidade Reguladora dos Serviços de Água e Resíduos (ERSAR), a water and waste service authority in Portugal, was hit by an attack on March 31, 2025
- Nacionalni centar za vanjsko vrednovanje obrazovanja (NCVVO), a government education agency in Croatia, noted technical difficulties after an attack on March 30, 2025
- Bilgi Teknolojileri ve Haberleşme Kurumu, Turkey’s information technology and communication authority, was hit by an attack on March 28, 2025
Those agencies all reported data breaches or cyber attacks that coincide with Warlock’s attack claims, which are listed on the group’s data leak site.
The group’s attacks aren’t limited to government. The group took credit for a recent attack on Nippon Life India Asset Management, a publicly owned financial asset manager that shut its app and website down after an April 2025 attack. Warlock also claims to have hacked Unilever, but that attack has not been acknowledged by the company. Warlock lists five manufacturers, a tech company, and a construction firm among its unconfirmed claims.
Who is Warlock?
Also known as Warlock Dark Army, Warlock is a newer ransomware strain operated by cybercriminals. Once infected, Warlock encrypts data to make it inaccessible, then demands a ransom for the decryption key. It also steals data that it can use to extort targets by threatening to release private information.
Warlock could be connected to another ransomware group called Black Basta, which stopped claiming new attacks in January 2025. Warlock took credit for two attacks that Black Basta previously claimed against Arch-Con Corporation and Lactanet.
Ransomware attacks on government
Comparitech researchers have tracked 79 confirmed ransomware attacks on government entities worldwide in 2025 to date. In 2024, we logged 199 such attacks in total. The average ransom demand is just over $2.4 million.
This month, we recorded confirmed ransomware attacks on:
- Durant, Oklahoma, USA
- Prefeitura de São José do Rio Preto, Brazil
- Senior Courts of Belize (High Court Registry)
- British Horseracing Authority (BHA), UK
No ransomware gang has taken credit for any of these attacks yet.
Ransomware attacks on government agencies and departments can both steal data and lock down computer systems. The attacker then demands a ransom to delete the stolen data and in exchange for a key to recover infected systems. If the target doesn’t pay, it could take weeks or even months to restore systems, data could be lost forever, and people whose data was stolen are put at greater risk of fraud.
