A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities
Essential information
- Published
- 30/10/2025 18:04
- Modified
- 30/10/2025 22:18
- Tags
- 2025-10-30 CVE-2025-53770 CVE-2025-53771 chacha20 curve25519 defense evasion encryption ransomware sharepoint volume shadow copies vulnerabilities warlock
- Related entities
- 1 observable, 16 techniques (MITRE ATT&CK)
Description
Warlock ransomware has been deployed after exploitation of the SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771, the chain known as ToolShell. The attack proceeds in stages. The malware first mounts any unmounted volumes so that their contents are reachable, then stops specific services and processes (including security services) and deletes volume shadow copies to remove the victim's recovery options. Only then does it encrypt files, using a hybrid scheme that combines Curve25519 key agreement with the ChaCha20 stream cipher. It targets a broad set of file types while skipping specific directories, and appends the '.x2anylock' extension to every encrypted file. Notably, the sample checks the victim's hostname and refuses to encrypt certain systems, a self-preservation measure that points to a deliberate choice by the operators about which machines are hit.
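The hybrid Curve25519 + ChaCha20 scheme mentioned above works the same way in most ransomware families that use it: the sample carries the operators' Curve25519 public key, generates a fresh key pair per file (or per victim), derives a ChaCha20 key from the X25519 shared secret, encrypts the file with it, and writes the ephemeral public key next to the ciphertext so that only the holder of the operators' private key can recompute the secret later. The following Python is an added illustration of that construction, not Warlock's code, and nothing in it is taken from the sample: X25519 (RFC 7748) and ChaCha20 (RFC 8439) are implemented inline so the script runs with only the standard library, and the SHA-256 key derivation, the `HYBX` header tag, the header layout and the sample plaintext are assumptions made for this example.

```python
"""Hybrid file encryption: X25519 key agreement + ChaCha20 stream cipher.
Added example, not Warlock's code. X25519 (RFC 7748) and ChaCha20 (RFC 8439)
are implemented inline; KDF, header tag/layout and sample data are assumptions.
"""
import hashlib
import os
import struct

P = 2**255 - 19
X25519_BASE = (9).to_bytes(32, "little")
HEADER_MAGIC = b"HYBX"  # assumed marker for this example's file format


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 section 5 Montgomery ladder)."""
    k = _clamp(scalar)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = u * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _quarter_round(s, a, b, c, d):
    # Each step: x += y; z ^= x; z <<<= r  (RFC 8439 section 2.1)
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        s[z] ^= s[x]
        s[z] = ((s[z] << r) | (s[z] >> (32 - r))) & 0xFFFFFFFF


def _chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (columns, then diagonals)
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, *idx)
    return struct.pack("<16I", *[(s[i] + init[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) with a 32-byte key and 12-byte nonce."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 64)):
        keystream = _chacha20_block(key, counter + block, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], keystream))
    return bytes(out)


def keygen() -> tuple[bytes, bytes]:
    """Long-term operator key pair; only the public half ships inside the malware."""
    priv = os.urandom(32)
    return priv, x25519(priv, X25519_BASE)


def _file_key(shared: bytes) -> bytes:
    if shared == bytes(32):  # RFC 7748: reject all-zero output from low-order points
        raise ValueError("invalid shared secret")
    return hashlib.sha256(b"file-key" + shared).digest()  # KDF choice is an assumption


def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Fresh X25519 pair per file; the private half is discarded after use."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, X25519_BASE)
    key = _file_key(x25519(eph_priv, operator_pub))
    nonce = os.urandom(12)
    # Header: tag | ephemeral public key | nonce ; then the ChaCha20 ciphertext.
    return HEADER_MAGIC + eph_pub + nonce + chacha20_xor(key, nonce, plaintext)


def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Only the operator's private key can recompute the per-file secret."""
    if blob[:4] != HEADER_MAGIC:
        raise ValueError("not an encrypted file")
    eph_pub, nonce, ct = blob[4:36], blob[36:48], blob[48:]
    key = _file_key(x25519(operator_priv, eph_pub))
    return chacha20_xor(key, nonce, ct)


if __name__ == "__main__":
    op_priv, op_pub = keygen()
    sample = b"Quarterly report (constructed sample plaintext)\n" * 4
    blob = encrypt_file(sample, op_pub)
    assert decrypt_file(blob, op_priv) == sample
    # Encrypting the same file twice shares no key material between the two copies.
    assert encrypt_file(sample, op_pub)[4:36] != blob[4:36]
    print("roundtrip ok; header carries ephemeral pubkey", blob[4:36].hex())
```

The construction explains the forensic picture a responder sees after such an incident: every encrypted file carries an ephemeral public key that is recoverable but useless on its own, no two files share a key, and the malware never needs to hold the operators' private key in memory or on disk, so dumping the process or imaging the host does not yield a decryption key. Combined with the shadow copy deletion described above, that leaves backups as the only realistic recovery path. ChaCha20 here is unauthenticated, which ransomware authors rarely care about; a legitimate file-encryption design would use an AEAD mode and a proper HKDF instead of the bare SHA-256 derivation assumed in this example.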