A Deep Dive Into Warlock Ransomware Deployed Via ToolShell SharePoint Chained Vulnerabilities
released on 2025-10-30 @ 06:04:31 PM
Warlock ransomware, deployed through the chained SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771, is an advanced threat that pairs a hybrid encryption scheme with targeted defense evasion. The malware runs a multi-stage attack: it mounts all unmounted volumes, terminates security services and specific processes, deletes volume shadow copies to remove recovery options, and then encrypts files using a workflow that combines Curve25519 and ChaCha20. Notably, it checks the hostname and skips encryption on certain systems, a calculated self-preservation measure.

The encryption stage targets a wide range of file types while avoiding specific directories, and appends the '.x2anylock' extension to every encrypted file.
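The behaviour summarised above gives defenders two host-level signals that can be correlated in endpoint or file-server telemetry: a burst of files renamed to the '.x2anylock' extension, and deletion of volume shadow copies shortly before it. The following Python is an added detection sketch, not code from the original report or from the Warlock sample. The event format, host names, paths, the burst threshold and window, and the command-line pattern used to spot shadow-copy deletion are all assumptions for illustration; the report states only that shadow copies are deleted and that files receive the '.x2anylock' extension.

```python
"""Correlate two Warlock post-compromise signals in constructed telemetry.

Added example (not from the original report). Scans one-event-per-line
logs for (1) bursts of renames to the '.x2anylock' extension on a host and
(2) a process command line that deletes shadow copies, then flags hosts
showing both. Log format, hosts, paths and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extension the report says Warlock appends to encrypted files.
ENCRYPTED_EXT = ".x2anylock"
# Tuning parameters (assumptions): renames to ENCRYPTED_EXT on one host
# within BURST_WINDOW needed before we call it an encryption burst.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(seconds=60)
# Assumed indicator for shadow-copy deletion; the report does not name the
# mechanism, so this pattern is a generic stand-in for a real rule.
SHADOW_DELETE_RE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)

# Constructed sample telemetry: "<ISO timestamp> <host> <event_type> <detail>"
SAMPLE_EVENTS = """\
2025-10-30T18:04:31 srv-sp01 process_start w3wp.exe
2025-10-30T18:04:40 srv-sp01 process_start vssadmin.exe delete shadows
2025-10-30T18:04:45 srv-sp01 file_rename C:\\Shares\\finance\\q3.xlsx -> C:\\Shares\\finance\\q3.xlsx.x2anylock
2025-10-30T18:04:46 srv-sp01 file_rename C:\\Shares\\finance\\q4.xlsx -> C:\\Shares\\finance\\q4.xlsx.x2anylock
2025-10-30T18:04:46 srv-sp01 file_rename C:\\Shares\\hr\\roster.docx -> C:\\Shares\\hr\\roster.docx.x2anylock
2025-10-30T18:04:47 srv-sp01 file_rename C:\\Shares\\hr\\policy.pdf -> C:\\Shares\\hr\\policy.pdf.x2anylock
2025-10-30T18:04:48 srv-sp01 file_rename C:\\Shares\\legal\\nda.docx -> C:\\Shares\\legal\\nda.docx.x2anylock
2025-10-30T18:04:49 srv-sp01 file_rename C:\\Shares\\legal\\msa.docx -> C:\\Shares\\legal\\msa.docx.x2anylock
2025-10-30T18:10:00 wks-042 file_rename C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.bak
2025-10-30T18:10:05 wks-042 file_rename C:\\Users\\a\\old.docx -> C:\\Users\\a\\old.docx.x2anylock
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, host, etype, detail = m.groups()
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"ts": when, "host": host, "type": etype, "detail": detail})
    return events


def extension_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {host: first_timestamp} for hosts with at least `threshold`
    renames to ENCRYPTED_EXT inside a sliding window of length `window`."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["type"] != "file_rename":
            continue
        target = ev["detail"].split(" -> ")[-1]
        if target.lower().endswith(ENCRYPTED_EXT):
            per_host[ev["host"]].append(ev["ts"])
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = times[start]
                break
    return hits


def shadow_copy_deletions(events):
    """Hosts where a process command line matches the assumed deletion pattern."""
    return sorted({ev["host"] for ev in events
                   if ev["type"] == "process_start"
                   and SHADOW_DELETE_RE.search(ev["detail"])})


def analyze(text):
    """Combine both signals; a host showing both is the highest-confidence alert."""
    events = parse_events(text)
    bursts = extension_bursts(events)
    vss = shadow_copy_deletions(events)
    return {
        "encryption_bursts": bursts,
        "shadow_copy_deletion": vss,
        "high_confidence": sorted(h for h in bursts if h in vss),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed sample, srv-sp01 triggers both signals and is reported as high confidence, while the single '.x2anylock' rename on wks-042 stays below the burst threshold. Because the report notes that Warlock skips encryption on certain hostnames, the absence of a burst on one host says nothing about the rest of the environment; the shadow-copy signal and the rename burst should be evaluated per host and across the whole fleet rather than on a single sentinel machine.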