A cyber-espionage campaign targeting outdated versions of Microsoft’s SharePoint server software has taken a more dangerous turn, with hackers now using the vulnerability to deploy ransomware, the company revealed in a blog post late Wednesday.
Microsoft identified the threat actor as “Storm-2603,” a group previously linked to cyber-espionage but now shifting tactics to include ransomware—a form of malware that locks victims out of their systems until a ransom is paid, typically in cryptocurrency.
The escalation suggests that the attackers are moving beyond traditional state-sponsored spying operations and into disruptive cybercrime, raising alarm across public and private sectors.
Number of Victims Grows Rapidly
According to Netherlands-based cybersecurity firm Eye Security, the number of known victims has surged to at least 400, a significant jump from the 100 reported just days earlier. The true scale may be much larger.
“We believe the actual number of affected organizations is far higher,” said Vaisha Bernard, chief hacker at Eye Security. “Not all attack vectors leave visible traces, making detection more challenging.”
U.S. Government Agencies Among Victims
Among the confirmed victims is the National Institutes of Health (NIH). A spokesperson acknowledged that at least one of their servers had been breached and said additional systems had been isolated as a precaution. The incident was first reported by The Washington Post.
Other media reports, including from NextGov and Politico, indicate the breach may have affected multiple U.S. government agencies, including the Department of Homeland Security (DHS) and potentially 5 to 12 more federal departments.
The Cybersecurity and Infrastructure Security Agency (CISA), the cyber defense arm of DHS, has yet to comment on the reports.
Vulnerability Exploited Due to Incomplete Patch
The ongoing attacks stem from a vulnerability in Microsoft’s SharePoint server software that was not fully patched, leaving a gap that threat actors have continued to exploit. The breach has triggered a widespread response to secure compromised systems and close that gap.
Microsoft and Google parent company Alphabet have both attributed aspects of the campaign to Chinese-linked hacking groups, though China has denied any involvement.
A Dangerous Shift in Tactics
While cyber-espionage typically involves data theft or surveillance, the introduction of ransomware could cause broader operational disruption, particularly if critical infrastructure or sensitive systems are affected.
Microsoft has not released a full list of impacted organizations nor elaborated on the nature of the ransomware now being used. The company did, however, emphasize the need for organizations to apply all available patches and monitor systems for suspicious activity.
As the situation evolves, cybersecurity experts warn that the campaign is far from over—and that organizations using outdated or unpatched software are especially vulnerable to both espionage and extortion attacks.