In a blog post, the company said large databases and email servers appeared to be the targets for encryption.
The attacks appeared to have started early this month. Analysis of the malware showed similarities with the LockerGoga, Freezing and EDA2 educational ransomware kit, with more similarities to the last named than the previous two.
Trend Micro said it was unaware of the vector used by ColdLock.
"From this point, they were able to set Group Policies that led to the ransomware file being downloaded and run onto machines within the affected domain."
There was no indication as to whether ColdLock first downloads a victim's files before encrypting them and issuing a ransom note.
The ColdLock payload arrives as a .NET executable (as a .DLL file) and uses PowerShell reflective loading to run this file.
One notable feature was that the executable would run only if the time was at, or after, 12.10pm on the victim's system.
Given its targets, ColdLock shut down any database or email server processes (mariadb, msexchangels, mssql, mysql, oracleservice) before getting down to encryption.
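The two behaviours described above (a .NET DLL reflectively loaded from PowerShell, followed by database and mail services being stopped) are the sort of thing a defender can correlate in PowerShell script-block logging. The following Python routine is an added illustration, not code from the article or from Trend Micro; it assumes a simplified one-line-per-event log format, uses the service names exactly as the article lists them, and treats a ten-minute correlation window as an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Services the article says ColdLock stops before encrypting (names as given there)
TARGET_SERVICES = ("mariadb", "msexchangels", "mssql", "mysql", "oracleservice")

# Assumed log format: "<ISO timestamp> host=<name> script=<script block text>"
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) script=(?P<script>.*)$")
REFLECTIVE_LOAD = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\b", re.I)
STOP_VERB = re.compile(r"\b(Stop-Service|net\s+stop|sc(\.exe)?\s+stop|taskkill)\b", re.I)

def parse(line):
    """Turn one log line into an event dict, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "script": m["script"]}

def stopped_targets(script):
    """Names from TARGET_SERVICES that a stop/kill command in `script` refers to."""
    if not STOP_VERB.search(script):
        return set()
    return {s for s in TARGET_SERVICES if re.search(rf"\b{s}\b", script, re.I)}

def analyze(lines, window=timedelta(minutes=10)):
    """Return {host: severity}: 'high' when a reflective assembly load and a stop of a
    target service occur on the same host within `window`, 'low' when only one is seen."""
    loads, stops = {}, {}
    for ev in filter(None, map(parse, lines)):
        if REFLECTIVE_LOAD.search(ev["script"]):
            loads.setdefault(ev["host"], []).append(ev["ts"])
        if stopped_targets(ev["script"]):
            stops.setdefault(ev["host"], []).append(ev["ts"])
    verdict = {}
    for host in loads.keys() | stops.keys():
        correlated = any(abs(a - b) <= window
                         for a in loads.get(host, []) for b in stops.get(host, []))
        verdict[host] = "high" if correlated else "low"
    return verdict

# Constructed sample script-block log lines (not real telemetry)
SAMPLE_LOG = [
    r"2020-05-05T12:09:58 host=DB01 script=$b=[IO.File]::ReadAllBytes('C:\tmp\p.dll');[System.Reflection.Assembly]::Load($b)",
    r"2020-05-05T12:10:05 host=DB01 script=Stop-Service -Name mssql -Force; Stop-Service mysql",
    r"2020-05-05T09:00:00 host=WS07 script=Get-ChildItem C:\Users",
    r"2020-05-05T16:30:00 host=MAIL01 script=Stop-Service msexchangels",
]

if __name__ == "__main__":
    for host, severity in sorted(analyze(SAMPLE_LOG).items()):
        print(host, severity)
```

A service stop on its own is routine administration, which is why the routine only raises the severity when it follows a reflective load on the same host.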
"Ransomware continues to be a lingering threat, something we mentioned in our last Annual Security Roundup after seeing that the number of ransomware cases we detected climbed from 55 million in 2018 to 61 million in 2019," Trend Micro said.
"Cases like these are more dangerous, as threats that compromise enterprise systems allow for much easier propagation within enterprise networks."