A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities

Published 30/10/2025 18:04 · Modified 30/10/2025 22:18

Essential information

Tags
2025-10-30 CVE-2025-53770 CVE-2025-53771 chacha20 curve25519 defense evasion encryption ransomware sharepoint volume shadow copies vulnerabilities warlock
Related entities
1 observable, 16 techniques (MITRE)

Description

Warlock ransomware, exploiting CVE-2025-53770 and CVE-2025-53771, represents an advanced threat combining sophisticated methods with targeted techniques. The malware employs a multi-stage attack: terminating security services, removing recovery options, and implementing a hybrid encryption scheme using the ChaCha20 and Curve25519 algorithms. Notably, it includes a hostname verification feature to avoid encrypting certain systems, suggesting a calculated self-preservation approach. The ransomware mounts all unmounted volumes, stops specific services and processes, deletes volume shadow copies, and encrypts files using a complex workflow involving ChaCha20 and Curve25519. It targets various file types while avoiding specific directories and appends the '.x2anylock' extension to encrypted files.

External references