{
	"id": "006bcf78-35e2-4e7f-b91e-11772177d82e",
	"created_at": "2026-04-06T00:16:01.547503Z",
	"updated_at": "2026-04-10T13:13:07.637059Z",
	"deleted_at": null,
	"sha1_hash": "a103561527f0a1eb985b8c7a86b7ede0a64d7b19",
	"title": "Ransomed by Warlock Dark Army “OFFICIALS”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1307304,
	"plain_text": "Ransomed by Warlock Dark Army “OFFICIALS”\r\nPublished: 2023-02-02 · Archived: 2026-04-05 12:35:00 UTC\r\nRecently we came across a tweet shared by petikvx about a ransomware family whose group name resembles WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group’s name. Upon analyzing the ransomware from the tweet, we suspect the two to be very different groups, based purely on their malware’s attributes.\r\nThe sample under consideration was compiled using C/C++, whereas Chaos ransomware is usually written in .NET.\r\nLooking at the file statically, we noticed a resource entry under Bitmap with the identifier “14”; while analyzing the file’s code we noticed that this resource was read and loaded into memory. Hence we decided to dump that resource entry.\r\nFigure 1: Encrypted blob in resource section\r\nFigure 2: Loading blob into the memory\r\nDuring our code analysis we found this blob was XOR encrypted. The first 16 bytes of the blob act as the key for XOR decryption, and the rest is the data that plays a key role in this ransomware’s infection/encryption mechanism. Shown below is the code that does the mentioned activity.\r\nhttps://labs.k7computing.com/index.php/ransomed-by-warlock-dark-army-officials/\r\nPage 1 of 10\r\nFigure 3: XOR decryption in memory\r\nFigure 4: Decrypting with the XOR key using CyberChef\r\nWe used CyberChef to decrypt the data from the resource blob. Shown below is the decrypted content of the blob.\r\nFigure 5: Decrypted resource\r\nAt first glance it is evident that this data blob contains information that is used during the ransomware’s encryption process, such as the list of extensions to look for and the ransom note. The first DWORD, highlighted in BLUE, denotes the size of the data block that follows, which holds the file extensions targeted for encryption. The DWORD is little endian, so this block is 0x198 bytes.\r\nAt the end of this block is another DWORD, highlighted green, which holds the size of the next block of data containing the ransom note, i.e. the content of the readme text (0x238 in little endian). The next DWORD, highlighted red, represents the extension appended to files after encryption, which is “.warlockdarkarmyofficials”.\r\nAfter 0x10 bytes there is a value 01. If 01 is present, the HKCR entries below are written to the Windows Registry. The ransomware sets an entry under HKCR with the key name “KRKKHCRAPPRJISH”, highlighted orange. There are Shell-\u003eopen-\u003ecommand entries under this key that default to the malware’s self-copy location. This is mostly done to set default icons for specific file types.\r\nFigure 6: Compare DWORD to set persistence\r\nFigure 7: HKCR Shell-\u003eopen-\u003ecommand entries\r\nThe DWORD highlighted in purple denotes the number of bytes to skip when the malware starts to encrypt a file, 0x66 bytes in this case.\r\nFigure 8: Self copy\r\nAfter execution it copies itself with the filename “Nygi26XApwVsKic” to the temp folder.\r\nFigure 9: View of a file before and after encryption\r\nIt then sets persistence via the Run registry key.\r\nFigure 10: Run registry\r\nThe algorithm used in this malware is the Tiny Encryption Algorithm (TEA). This is one key difference between Chaos and this ransomware: Chaos uses AES.\r\nFigure 11: Encryption code\r\nAfter encrypting all the files, it leaves a ransom message as shown below:\r\nFigure 12: Ransom note\r\nIn the above message the actors have not mentioned any cryptocurrency wallet address for making the ransom payment; they have, however, mentioned a Telegram channel for payment and decryption. It goes without saying that one should not attempt to pay the ransom to get the files back.\r\nFigure 13: Telegram channel\r\nThis Telegram channel also acts as a marketplace for malware distribution, apart from being used as the payment channel.\r\nThis group also had social media pages on Facebook and Instagram, but these were taken down. Shown below is the Facebook page of Warlock Dark Army; note the identical profile pictures (compare the Telegram group profile picture and the Facebook profile picture). The similarities are only in the naming and the images; based on the TTPs we can say that the two are unrelated.\r\nFigure 14: Facebook page of Warlock Dark Army\r\nWe at K7 Labs provide detection against such threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard their devices.\r\nIOCs\r\nHash: f0979d897155f51fd96a63c61e05d85c\r\nDetection name: Ransomware ( 005451b81 )\r\nSource: https://labs.k7computing.com/index.php/ransomed-by-warlock-dark-army-officials/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/ransomed-by-warlock-dark-army-officials/"
	],
	"report_names": [
		"ransomed-by-warlock-dark-army-officials"
	],
	"threat_actors": [],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a103561527f0a1eb985b8c7a86b7ede0a64d7b19.pdf",
		"text": "https://archive.orkl.eu/a103561527f0a1eb985b8c7a86b7ede0a64d7b19.txt",
		"img": "https://archive.orkl.eu/a103561527f0a1eb985b8c7a86b7ede0a64d7b19.jpg"
	}
}