Author(s): Vlad Pasca
- Warlock ransomware was deployed by exploiting the SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771
- The malware includes a hostname verification mechanism that excludes designated systems from encryption, indicating self-preservation tactics
- Warlock performs defense evasion by stopping a list of services and processes and removes volume shadow copies
- The ransomware encrypts files using a combination of the ChaCha20 algorithm and Curve25519
Warlock ransomware has recently been observed being deployed through newly disclosed SharePoint vulnerabilities. It combines a hybrid encryption scheme with targeted defense evasion techniques.
We therefore conducted a comprehensive analysis of Warlock, first examining its behavior in the Hybrid Analysis sandbox and then performing detailed static and dynamic analysis of the sample. The findings reveal a methodical attack pattern designed to maximize damage while protecting the malware from detection and removal.
The ransomware exploits two critical SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-53771) as its entry point, then deploys a multi-stage attack that includes terminating security services, removing recovery options, and implementing a hybrid encryption scheme using ChaCha20 and Curve25519 algorithms.
Perhaps most telling is Warlock's hostname check, which deliberately skips encryption on designated systems: a self-preservation measure built in by its operators.
A Hybrid Analysis Perspective
As we can see in the Hybrid Analysis report, the ransomware appends its extension to the existing one:
Figure 1 - Warlock ransomware’s extension identified
Figure 2 reveals that the malware opens, and likely stops, multiple services related to backup, databases, shadow copies, AntiVirus software and so on.
Figure 2 - Multiple services are targeted
Using YARA rules, Hybrid Analysis identifies that the sample implements the ChaCha20 algorithm for encryption (Figure 3).
Figure 3 - ChaCha20 algorithm identified
The sample statically links the CryptoPP library, which supplies the Curve25519 routines used later (Figure 4):
Figure 4 - CryptoPP library is statically linked
SHEmptyRecycleBinW is called to empty the Recycle Bin so that deleted files cannot be recovered from it:
Figure 5 - SHEmptyRecycleBinW API call
A Deeper Dive Into Warlock
The process retrieves its command-line arguments and compares them against the following switches: “-e” (does not change the extension of the file passed as a parameter), “-n” (does not create the ransom note) and “-p”.
Figure 6 - Command-line arguments retrieval
The threat actor embedded a GUID in the code that is written to every encrypted file. The ransomware also compares the local hostname against a placeholder value, “replacethiswhitehost”, and skips file encryption if they match; the name suggests a whitelist placeholder that the operators substitute with the hostnames they want to spare before deployment.
Figure 7 - Hard-coded information
The malware hides the current window via a function call to ShowWindow (0x0 = SW_HIDE):
Figure 8 - Malware’s window is hidden
SHEmptyRecycleBinW is used to empty the Recycle Bin on all drives (0x7 = SHERB_NOCONFIRMATION | SHERB_NOPROGRESSUI | SHERB_NOSOUND):
Figure 9 - Empty the Recycle Bin
Warlock enumerates volumes with FindFirstVolumeW and FindNextVolumeW and assigns a mount point to every unmounted one via SetVolumeMountPointW, so that volumes without a drive letter are also reachable for encryption.
Figure 10 - Mount all unmounted volumes
Defense Evasion
The ransomware stops a list of services (e.g. AntiVirus, backup and shadow copy services) by opening each one and calling ControlService with the SERVICE_CONTROL_STOP (0x1) control code. The entire list of services can be found in the Appendix.
Figure 11 - Targeted services are stopped
The executable stops a list of processes that might interfere with the encryption. The list of all processes can be found in the Appendix.
Figure 12 - Targeted processes are killed
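As an added detection example that is not part of the original analysis, the snippet below turns the service list from the Appendix into a burst detector over Windows System log Event ID 7036 records ("The X service entered the stopped state"). The log lines are constructed, the target list is a subset of the Appendix, and case-insensitive substring matching is an assumption drawn from the short entries ("sql", "backup", "veeam") rather than something the report states.

```python
# Added detection sketch built from the Appendix service list; not part of the original analysis.
# Log lines are constructed in the shape of Windows System log Event ID 7036.
from collections import deque
from datetime import datetime, timedelta
import re

# Subset of the Appendix list. Substring matching is an assumption based on the short entries.
TARGET_SERVICES = ("vss", "sql", "svc$", "memtas", "mepocs", "sophos", "veeam", "backup",
                   "gxvss", "gxblr", "defwatch", "ccevtmgr", "savroam", "rtvscan",
                   "veeamtransportsvc", "backupexecjobengine", "acronisagent")

# "<date> <time> 7036 The <display name> service entered the <state> state."
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) 7036 "
    r"The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$"
)

SAMPLE_LOG = [  # constructed, not from a real host
    "2025-07-21 02:00:00 7036 The Veeam Backup Service service entered the stopped state.",
    "2025-07-21 02:00:02 7036 The Veeam Backup Service service entered the running state.",
    "2025-07-21 10:15:01 7036 The Volume Shadow Copy service entered the stopped state.",
    "2025-07-21 10:15:01 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.",
    "2025-07-21 10:15:02 7036 The Sophos Endpoint Defense Service service entered the stopped state.",
    "2025-07-21 10:15:02 7036 The Veeam Backup Service service entered the stopped state.",
    "2025-07-21 10:15:03 7036 The Print Spooler service entered the stopped state.",
]


def is_target(display_name: str) -> bool:
    """Case-insensitive substring match against the Warlock list (assumed matching rule)."""
    name = display_name.lower()
    return any(t in name for t in TARGET_SERVICES)


def parse_stop_events(lines):
    """Yield (timestamp, display name) for every 7036 record that reports the stopped state."""
    for line in lines:
        m = EVENT_RE.match(line)
        if m and m["state"] == "stopped":
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["svc"]


def detect_bursts(lines, window_seconds: int = 60, threshold: int = 3):
    """Return one (timestamp, [services]) entry per window in which >= threshold target services stopped.

    A single backup service restarting during maintenance stays below the threshold; Warlock
    stopping several targets within seconds does not.
    """
    hits, recent = [], deque()
    for ts, svc in parse_stop_events(lines):
        if not is_target(svc):
            continue
        recent.append((ts, svc))
        while ts - recent[0][0] > timedelta(seconds=window_seconds):
            recent.popleft()                   # drop stops older than the window
        if len(recent) >= threshold:
            hits.append((ts, [s for _, s in recent]))
            recent.clear()                     # report each burst once
    return hits


if __name__ == "__main__":
    for ts, services in detect_bursts(SAMPLE_LOG):
        print(f"{ts}: {len(services)} Warlock-listed services stopped: {services}")
```

Note the caveat the sample log exposes: Event 7036 records the service display name, while ControlService operates on the service name, so "vss" does not match "Volume Shadow Copy" here. A production rule should resolve display names to service names (or match both). The window-and-threshold logic is what separates one backup service restarting at 02:00 from several targets being stopped within two seconds.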
Volume Shadow Copies Deletion
The ransomware deletes all volume shadow copies through the VSS COM interface rather than via the vssadmin or wmic command-line tools: it calls CreateVssBackupComponentsInternal to obtain a backup-components object, enumerates the existing shadow copies, and then calls DeleteSnapshots on every one found (see Figure 13). Detections that rely solely on vssadmin.exe or wmic.exe command lines will therefore miss this step.
Figure 13 - Delete volume shadow copies using COM interface
Encryption of Files
GetDriveTypeW is used to retrieve the type of each drive, which must be neither 0x1 (DRIVE_NO_ROOT_DIR) nor 0x5 (DRIVE_CDROM); fixed, removable and network drives all pass this check:
Figure 14 - GetDriveTypeW API call
The following files and directories will not be encrypted by Warlock Ransomware:
Figure 15 - Skipped files and directories
The malware creates multiple threads to handle file encryption. First, it renames each target file with MoveFileW to append the “.x2anylock” extension:
Figure 16 - Append the ransomware’s extension to encrypted files
The ransomware uses Curve25519 (from the statically linked CryptoPP library) and ChaCha20 to encrypt files. It calls BCryptGenRandom to generate 32 random bytes as the session private key, derives the 32-byte session public key from it with Curve25519, and then computes a 32-byte shared secret from the session private key and a hard-coded 32-byte public key. The ChaCha20 key is the SHA256 of that shared secret, and the IV is the first 8 bytes of the key. The entire workflow is highlighted in the figure below. Because the session public key is written to the encrypted file (and the session private key is not), the threat actor can recover the shared secret, and with it the ChaCha20 key and IV, using only the private key that corresponds to the hard-coded public key.
Figure 17 - Generate the shared secret using Curve25519
Figure 18 - Hard-coded 32-byte public key
The ransomware traverses the directories and encrypts the files using ChaCha20:
Figure 19 - Open targeted file for encryption
Figure 20 - Write encrypted content to the file
A snippet of the ChaCha20 implementation is displayed in Figure 21.
Figure 21 - ChaCha20 algorithm
An example of an encrypted file is displayed below. The footer contains the 32-byte session public key generated before and the hard-coded GUID already mentioned.
Figure 22 - Footer contains the 32-byte session public key and GUID
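To make the key workflow of Figure 17 and the footer layout of Figure 22 concrete, here is an added Python illustration that is not the sample's code: X25519 (RFC 7748) and the original 8-byte-IV ChaCha20 variant are textbook pure-Python implementations standing in for the CryptoPP routines, the operator key pair and GUID are constructed placeholders, BCryptGenRandom is replaced by os.urandom, and both the footer order (session public key followed by GUID) and whole-file encryption are assumptions, since the report does not state either.

```python
# Added illustration of the Warlock key workflow (not the sample's code): textbook X25519 (RFC 7748)
# and the original 8-byte-IV ChaCha20 variant in pure Python stand in for the CryptoPP routines.
import hashlib
import os
import struct

P = 2**255 - 19
BASEPOINT = b"\x09" + b"\x00" * 31
DEMO_GUID = b"{00000000-0000-0000-0000-000000000000}"  # placeholder, not the GUID embedded in Warlock


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; returns the shared u-coordinate as 32 little-endian bytes."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64                      # clamp the scalar
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point[:31] + bytes([point[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow((da - cb) % P, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _quarter_round(s, a, b, c, d):
    for shift, (x, y, z) in ((16, (a, b, d)), (12, (c, d, b)), (8, (a, b, d)), (7, (c, d, b))):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        s[z] ^= s[x]
        s[z] = ((s[z] << shift) & 0xFFFFFFFF) | (s[z] >> (32 - shift))


def chacha20_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Original ChaCha20 state layout: 64-bit block counter in words 12-13, 8-byte IV in words 14-15."""
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<Q", off // 64) + iv))
        w = init[:]
        for _ in range(10):                         # 20 rounds = 10 column/diagonal double rounds
            for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                      (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
                _quarter_round(w, *q)
        keystream = struct.pack("<16I", *[(w[i] + init[i]) & 0xFFFFFFFF for i in range(16)])
        out.extend(x ^ y for x, y in zip(data[off:off + 64], keystream))
    return bytes(out)


def derive_keys(shared_secret: bytes):
    """ChaCha20 key = SHA256(shared secret); IV = first 8 bytes of that key, as in the analysis."""
    key = hashlib.sha256(shared_secret).digest()
    return key, key[:8]


def encrypt_file(plaintext: bytes, operator_pub: bytes, guid: bytes) -> bytes:
    """Victim side: fresh session key pair per file; footer = session public key || GUID (assumed order)."""
    session_priv = os.urandom(32)                   # BCryptGenRandom(32 bytes) in the sample
    session_pub = x25519(session_priv, BASEPOINT)
    key, iv = derive_keys(x25519(session_priv, operator_pub))
    return chacha20_xor(key, iv, plaintext) + session_pub + guid


def operator_decrypt(blob: bytes, operator_priv: bytes, guid: bytes) -> bytes:
    """Operator side: the private half of the hard-coded public key rebuilds the shared secret from the footer."""
    n = 32 + len(guid)
    body, session_pub, tail = blob[:-n], blob[-n:-n + 32], blob[-len(guid):]
    if tail != guid:
        raise ValueError("footer GUID mismatch")
    key, iv = derive_keys(x25519(operator_priv, session_pub))
    return chacha20_xor(key, iv, body)


def demo_roundtrip(plaintext: bytes = b"constructed file contents for the demo") -> bool:
    """Constructed operator key pair standing in for the hard-coded public key and its secret half."""
    operator_priv = hashlib.sha256(b"demo operator key, not a real one").digest()
    operator_pub = x25519(operator_priv, BASEPOINT)
    blob = encrypt_file(plaintext, operator_pub, DEMO_GUID)
    return operator_decrypt(blob, operator_priv, DEMO_GUID) == plaintext


if __name__ == "__main__":
    print("roundtrip ok:", demo_roundtrip())
```

Run it directly for a round trip. operator_decrypt is the point of the scheme: the victim-side session private key is discarded after use, so only the holder of the private half of the hard-coded public key can rebuild the shared secret from the footer. Deriving the IV from the key is not a weakness on its own as long as each file gets a fresh session key, which is what the per-file session public key in the footer indicates.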
The ransom note called “How to decrypt my data.txt” is dropped in every encrypted directory (Figure 23).
Figure 23 - Ransom note
Warlock Through the Eyes of Hybrid Analysis
The Hybrid Analysis sandbox report surfaces the key behavioral indicators of Warlock: the ransomware's file extension, its use of the ChaCha20 algorithm, and its systematic termination of backup and AntiVirus services. The in-depth analysis above builds on that with evidence from dynamic analysis, covering the volume shadow copy deletion via COM and every step of the hybrid file encryption workflow.
Hybrid Analysis is a powerful platform for identifying and analyzing malware, whether mundane or highly sophisticated, and provides detailed context that can be investigated further during dynamic analysis. To perform a more in-depth analysis of malware samples, you can download them by registering for a Hybrid Analysis account and becoming a vetted user.
Indicators of Compromise
SHA256
File created
How to decrypt my data.txt
Appendix
Targeted processes
"sql.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe", "agntsvc.exe", "isqlplussvc.exe", "xfssvccon.exe", "mydesktopservice.exe", "ocautoupds.exe", "encsvc.exe", "firefox.exe", "tbirdconfig.exe", "mydesktopqos.exe", "ocomm.exe", "dbeng50.exe", "sqbcoreservice.exe", "excel.exe", "infopath.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "steam.exe", "thebat.exe", "thunderbird.exe", "visio.exe", "winword.exe", "wordpad.exe", "notepad.exe"
Targeted services
"vss", "sql", "svc$", "memtas", "mepocs", "sophos", "veeam", "backup", "GxVss", "GxBlr", "GxFWD", "GxCVD", "GxCIMgr", "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "RTVscan", "QBFCService", "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService", "YooBackup", "YooIT", "zhudongfangyu", "sophos", "stc_raw_agent", "VSNAPVSS", "VeeamTransportSvc", "VeeamDeploymentService", "VeeamNFSSvc", "veeam", "PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExecAgentBrowser", "BackupExecDiveciMediaService", "BackupExecJobEngine", "BackupExecManagementService", "BackupExecRPCService", "AcrSch2Svc", "AcronisAgent", "CASAD2DWebSvc", "CAARCUpdateSvc"