Attackers Turn Velociraptor Into a Weapon for Ransomware Attacks

Security researchers have discovered that the Velociraptor digital forensics and incident response (DFIR) tool — originally designed to help cybersecurity professionals investigate attacks — is now being repurposed by threat actors to conduct ransomware operations.

In a recent report, experts revealed that LockBit, one of the world’s most active ransomware groups, and a new actor known as Warlock, have started using Velociraptor for post-compromise reconnaissance, lateral movement, and data exfiltration.

This development highlights a worrying trend: attackers are turning legitimate cybersecurity tools into stealthy weapons.


What Is Velociraptor?

Velociraptor is an open-source forensics and monitoring framework widely used by security teams to collect endpoint data, analyze incidents, and respond to breaches in real time.

It’s valued for being lightweight, fast, and highly customizable — allowing analysts to query systems using the Velociraptor Query Language (VQL).

Ironically, those same strengths are what make it appealing to attackers.


How Hackers Are Abusing Velociraptor

According to researchers, the attackers aren’t exploiting vulnerabilities in Velociraptor itself.

Instead, they’re installing and configuring it manually after gaining initial access through phishing, credential theft, or remote services.

Once inside, the attackers use Velociraptor to:

  • Harvest sensitive files and credentials from infected machines
  • Monitor network activity to identify valuable systems
  • Move laterally between endpoints without triggering alarms
  • Deploy ransomware payloads with administrator-level control

Since Velociraptor uses encrypted communication and legitimate process execution, its activity often blends in with normal IT operations — making detection difficult.


The LockBit and Warlock Connection

Security intelligence analysts found several similarities in recent campaigns run by LockBit and Warlock, both known for targeting enterprise networks and demanding high ransom payments.

The use of Velociraptor provides these groups with:

  • Advanced situational awareness inside compromised networks
  • Reduced reliance on custom malware, lowering their detection footprint
  • Built-in persistence, as Velociraptor can automatically relaunch on reboot

Researchers believe this marks a strategic evolution in ransomware operations — one where open-source tools replace traditional malware in the early stages of attacks.


Why This Tactic Is So Effective

Most antivirus and EDR systems are trained to detect malicious binaries or known indicators of compromise.

But when attackers use legitimate open-source software, it complicates detection.

Velociraptor traffic looks normal to most security monitoring tools, especially if it’s configured to use HTTPS encryption.

This allows attackers to operate quietly, collect data, and prepare ransomware deployment without alerting defenders.


Defensive Recommendations

For Security Teams:

  1. Audit the use of Velociraptor or similar tools across your environment.
    • If your organization doesn’t use it, any installation is suspicious.
  2. Implement allowlisting for administrative software and utilities.
  3. Monitor for unusual command-line arguments associated with Velociraptor (-vql, -artifact, etc.).
  4. Inspect outbound HTTPS traffic for patterns associated with unauthorized Velociraptor servers.
  5. Use behavioral EDR rules rather than static signatures.
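A detection pass over process-creation events that applies recommendations 1 and 3 above, added here as an example (not code from the article or from the Velociraptor project): it flags any Velociraptor execution outside an assumed approved deployment and any run carrying the command-line flags the article lists. The host names, install path, and event field names are constructed assumptions.

```python
import json
import re
# Constructed allowlist for the one sanctioned DFIR deployment (assumed names).
# Recommendation 1: if your organisation does not run Velociraptor at all,
# leave both sets empty and every execution is flagged.
APPROVED_HOSTS = {"dfir-srv01"}
APPROVED_IMAGES = {r"c:\program files\velociraptor\velociraptor.exe"}
# Recommendation 3: flags the article names (-vql, -artifact); extend as needed.
# Matched only as standalone single-dash flags, so "--config" is not hit.
SUSPICIOUS_ARGS = re.compile(r"(?<!\S)-(vql|artifact)\b", re.IGNORECASE)

def classify(event):
    """Return why a process-creation event is suspicious, or None if it is not."""
    image = event.get("image", "").lower()
    if "velociraptor" not in image:
        return None  # not the tool we care about
    if event.get("host") not in APPROVED_HOSTS:
        return "velociraptor executed on a host outside the approved deployment"
    if image not in APPROVED_IMAGES:
        return "velociraptor executed from an unapproved path"
    if SUSPICIOUS_ARGS.search(event.get("cmdline", "")):
        return "velociraptor launched with ad-hoc collection arguments"
    return None

def scan(lines):
    """Parse JSON process-creation lines; return (host, image, reason) per hit."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            findings.append((event["host"], event["image"], reason))
    return findings

# Constructed sample events; field names are assumptions, not a real EDR schema.
SAMPLE_EVENTS = [
    {"host": "dfir-srv01", "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "cmdline": "velociraptor.exe --config server.config.yaml frontend"},
    {"host": "fileserver02", "image": r"C:\Users\Public\velociraptor.exe",
     "cmdline": "velociraptor.exe -artifact Custom.Collect.Files"},
    {"host": "dfir-srv01", "image": r"C:\Temp\velociraptor.exe",
     "cmdline": "velociraptor.exe --config client.config.yaml client"},
    {"host": "ws-1042", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "dfir-srv01", "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "cmdline": 'velociraptor.exe --config server.config.yaml -vql "SELECT * FROM info()"'},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]  # serialised like an EDR export
for host, image, reason in scan(SAMPLE_LOG):
    print(f"{host}: {reason} ({image})")
```

The sanctioned server's own `frontend` launch passes silently; the three other Velociraptor events are reported with the rule that caught them, so the allowlist (not a file hash) is what separates the DFIR team's copy from an attacker's.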

For Organizations:

  • Maintain strict credential management — many infections begin with stolen passwords.
  • Segment networks so that one compromised endpoint cannot reach critical assets.
  • Train staff to recognize phishing and social engineering attempts.

Expert Insight

According to ThreatLab researcher Lucas Morgan,

“Velociraptor itself isn’t malicious. The danger lies in how easily it can be customized by anyone — defenders or attackers alike. What we’re seeing now is a tool built for defense being re-engineered for offense.”


The Bigger Picture

This isn’t the first time legitimate tools have been misused. Attackers have previously weaponized PowerShell, PsExec, and even Microsoft’s Sysinternals suite to move undetected inside networks.

But the rise of Velociraptor in ransomware operations demonstrates a broader shift toward “living-off-the-land” attacks, where adversaries rely on trusted utilities rather than bespoke malware.

It’s a reminder that defensive software can easily become offensive when placed in the wrong hands.
