padlock

Avast has released a decryptor for the HermeticRansom ransomware strain used in targeted attacks against Ukrainian systems over the past ten days.

The decryptor is offered as a free-to-download tool from Avast's website and can help Ukrainians restore their data quickly and reliably.

The first signs of HermeticRansom's distribution were observed by ESET researchers on February 23, mere hours before the invasion of Russian troops unfolded in Ukraine.

A weak decoy

The ransomware strain was delivered along with a computer worm named HermeticWizard and served more as a decoy in wiper attacks rather than a tool to support financial extortion. Still, its infections have disrupted vital Ukrainian systems.

Crowdstrike was quick to spot a weakness in the cryptographic schema of the GO-written strain and offered a script to decrypt the files encrypted by HermeticRansom (aka PartyTicket).

"The ransomware contains implementation errors, making its encryption breakable and slow. This flaw suggests that the malware author was either inexperienced writing in Go or invested limited efforts in testing the malware, possibly because the available development time was limited," explains Crowdstrike in a new blog post released on Tuesday.

As BleepingComputer explained on Twitter, the HermeticRansom contains numerous politically oriented string names in the ransomware binary, ransom note, and contact emails (vote2024forjb@protonmail.com and stephanie.jones2024@protonmail.com).

HermeticRansom was never meant to serve as a modern ransomware strain that would lay the ground for double extortion, inflicting financial and reputational damage.

Still a danger

The above doesn't mean that HermeticRansom infections don't impact the targeted machines.

On the contrary, this strain can still encrypt valuable files outside the Program Files and Windows folders, using an RSA-2048 key.

The ransom note seen by the victims has a typical form and content, asking them to contact a ProtonMail address to acquire a decryptor.

HermeticRansom/PartyLocker ransom note
HermeticRansom/PartyTicket ransom note

New decryptor recovers files

Although Crowdstrike's script is reliable, it's not easy for everyone to use it in this situation. To make it easier, Avast has released a GUI decryptor that makes it easier to decrypt files encrypted by HermeticRansom.

Also, the tool offers the option to backup the encrypted files to avoid ending up with irreversibly corrupted files if something goes wrong with the encryption process.

Avast's graphical decryptor
Avast's graphical decryptor

For a step-by-step guide on how to use the decryptor, you can start from here.

Related Articles:

Microsoft patches Windows zero-day exploited in attacks on Ukraine

New ShrinkLocker ransomware decryptor recovers BitLocker password

Attacks on Citrix NetScaler systems linked to ransomware actor

New Ymir ransomware partners with RustyStealer in attacks

Halliburton reports $35 million loss after ransomware attack