A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities

Oct. 30, 2025, 10:18 p.m.

Description

Warlock ransomware, deployed after exploitation of the SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771 (the ToolShell chain), combines a hybrid encryption scheme with targeted defense-evasion techniques. The malware runs a multi-stage workflow: it terminates security services and processes, removes recovery options, and then encrypts files with a hybrid scheme in which ChaCha20 encrypts file contents and Curve25519 protects the ChaCha20 keys, so that files cannot be recovered on the victim host without the attacker's private key. Notably, it includes a hostname check that causes it to skip encryption on certain systems, a calculated self-preservation measure. In sequence, the ransomware mounts volumes that are not yet mounted so that their contents are reachable, stops specific services and processes, deletes volume shadow copies, and encrypts files using Curve25519 and ChaCha20. It targets a broad range of file types while avoiding specific directories and appends the '.x2anylock' extension to encrypted files.

Date

  • Created: Oct. 30, 2025, 6:04 p.m.
  • Published: Oct. 30, 2025, 6:04 p.m.
  • Modified: Oct. 30, 2025, 10:18 p.m.

Indicators

  • d1f9ace720d863fd174753e89b9e889d2e2f71a287fde66158bb2b5752307474