Ransomware - PartyTicket

PartyTicket
Aliases: Elections GoRansom, HermeticRansom, SonicVote
Decryptor Available: Yes

Description

This ransomware goes by many names. The most common is PartyTicket, but it is also known as Elections GoRansom, SonicVote, and HermeticRansom. It was first discovered by ESET researchers the day before Vladimir Putin announced his "special military operation" in Ukraine, alongside HermeticWiper, a file wiper, and HermeticWizard, a worm. This trio of malware is believed to have been deployed to sow chaos within Ukraine ahead of the physical conflict, a tangible example of hybrid (physical plus cyber) warfare.

The "Hermetic" name is derived from the code-signing certificate embedded in the HermeticWiper payload, which was stolen from a Cyprus-based company named Hermetica Digital LTD. Researchers suggest that PartyTicket was created as a decoy for HermeticWiper because it was poorly written and implemented. It uses AES-GCM to encrypt files and a 2,048-bit RSA key to encrypt the AES key. However, a flaw in the encryption implementation allowed researchers to recover the key and build a decryptor. A second implementation flaw is that the file encryption routine spawns a separate process for every file it encrypts, which makes the infected system run poorly. Because it is a rushed decoy with no real intention of collecting a ransom, only of causing destruction, this ransomware is classified as a wiper.

Ransomware Type: Wiper
Country of Origin: Russia
First Seen:
Last Seen:

Threat Actors
Type: APT
Actor: SunflowerSeed

Extortion Types: Pseudo-Extortion

Communication
Medium: Email
Identifier:

Encryption
Type: Hybrid
Files: AES-GCM
Key: RSA-OAEP-2048

File Extension: <file name>.[[email protected]].encryptedJB
Ransom Note Name: read_me.html
Ransom Note Image: (image not reproduced in text)

Samples (SHA-256)
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

Known Victims
Industry Sector | Country | Extortion Date | Amount (USD)
Government      | Ukraine |                |