{
  "name": "A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities",
  "slug": "a-deep-dive-into-warlock-ransomware-deployed-via-toolshell-sharepoint-chained-vulnerabilities",
  "description": "Warlock ransomware, deployed via the chained SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771, combines a hybrid encryption scheme using ChaCha20 and Curve25519 with targeted defense evasion techniques. The malware runs a multi-stage attack that terminates security services, removes recovery options, and then encrypts files. Notably, it includes a hostname check that skips encryption on certain systems, suggesting a deliberate self-preservation approach. Before encrypting, the ransomware mounts all unmounted volumes, stops specific services and processes, and deletes volume shadow copies; the encryption workflow itself relies on Curve25519 and ChaCha20. It targets various file types while avoiding specific directories and appends the '.x2anylock' extension to encrypted files.",
  "published": "2025-10-30T17:04:31+00:00",
  "created_at": "2025-10-30T17:04:31+00:00",
  "modified_at": "2025-10-30T21:18:38+00:00",
  "created_at_opencti": "2025-10-30T17:04:31+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-30",
    "CVE-2025-53770",
    "CVE-2025-53771",
    "chacha20",
    "curve25519",
    "defense evasion",
    "encryption",
    "ransomware",
    "sharepoint",
    "volume shadow copies",
    "vulnerabilities",
    "warlock"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "d1f9ace720d863fd174753e89b9e889d2e2f71a287fde66158bb2b5752307474"
      }
    ],
    "attack_patterns": [
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      }
    ]
  },
  "external_refs": [
    "https://hybrid-analysis.blogspot.com/2025/10/a-deep-dive-into-warlock-ransomware.html",
    "https://otx.alienvault.com/pulse/6903a8af20970717cd5d2a0a"
  ]
}