Ransomware - PartyTicket

PartyTicket
Aliases
Elections GoRansom
HermeticRansom
SonicVote
Decryptor Available
Yes
Description

This ransomware goes by many names. The most ubiquitous name is PartyTicket ransomware, but it also goes by Elections GoRansom, SonicVote, or HermeticRansom. It was first discovered by researchers from ESET the day before Vladimir Putin announced his "special military operation" in Ukraine alongside HermeticWiper, a file wiper, and HermeticWizard, a worm. This trio of malware is speculated to have fomented chaos within Ukraine, preempting the physical conflict. A tangible example of hybrid warfare (physical + cyber).

The "Hermetic" name is derived from the certificate embedded within the HermeticWiper payload that was stolen from a Cyprus-based company named Hermetica Digital LTD. Researchers suggest that PartyTicket was created as a decoy for HermeticWiper because it was poorly written and implemented. It uses AES-GCM encryption to encrypt files and a 2,048-bit RSA key to encrypt the AES key. However, a flaw in the encryption implementation allows researchers to extract the key successfully and, thus, create a decryptor. Another implementation flaw is when the file encryption algorithm invokes a process for every encrypted file, making the system run poorly. Due to it being a decoy and being a rushed implementation, this ransomware is labeled as a wiper because there is no intention of receiving a ransom, only destruction.

Ransomware Type
Wiper
Country of Origin
Russia
First Seen
Last Seen
Threat Actors
Typ
Actor
APT
SunflowerSeed
Extortion Types
Pseudo-Extortion
Communication
Mittel
Bezeichner
Email
Encryption
Type
Hybrid
Files
AES-GCM
Key
RSA-OAEP-2048
File Extension
<file name>.[[email protected]].encryptedJB
Ransom Note Name
read_me.html
Ransom Note Image
Samples (SHA-256)
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
Known Victims
Industry Sector Land Extortion Date Amount (USD)
GovernmentUkraine