{
	"id": "0e0a827d-b660-4fad-8e65-f80f2715a392",
	"created_at": "2026-04-06T01:30:25.153185Z",
	"updated_at": "2026-04-10T03:21:30.468717Z",
	"deleted_at": null,
	"sha1_hash": "1e2f906a7bd741ad6aeebd5cd102a6e01ac7e0a5",
	"title": "How to Decrypt the PartyTicket Ransomware Targeting Ukraine | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 301750,
	"plain_text": "How to Decrypt the PartyTicket Ransomware Targeting Ukraine |\r\nCrowdStrike\r\nBy CrowdStrike Intelligence Team\r\nArchived: 2026-04-06 00:52:31 UTC\r\nSummary\r\nOn Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed\r\nthe Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations\r\naffected by the attack,1 among other families including a sophisticated wiper CrowdStrike Intelligence tracks as\r\nDriveSlayer (HermeticWiper).\r\nAnalysis of the PartyTicket ransomware indicates it superficially encrypts files and does not properly initialize the\r\nencryption key, making the encrypted file with the associated .encryptedJB extension recoverable.\r\nTechnical Analysis\r\nA PartyTicket ransomware sample has a SHA256 hash of\r\n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 . It has been observed associated with\r\nthe file names cdir.exe , cname.exe , connh.exe and intpub.exe .\r\nThe ransomware sample — written using Go version 1.10.1 — contains many symbols that reference the U.S.\r\npolitical system, including voteFor403 , C:/projects/403forBiden/wHiteHousE and\r\nprimaryElectionProcess .\r\nThe ransomware iterates over all drive letters and recursively enumerates the files in each drive and its subfolders,\r\nexcluding file paths that contain the strings Windows and Program Files and the folder path C:\\Documents and\r\nSettings (the latter folder was replaced in Windows versions later than Windows XP with C:\\Users ). Files with\r\nthe following extensions are selected for encryption:\r\nacl, avi, bat, bmp, cab, cfg, chm, cmd, com, contact, crt, css, dat, dip, dll, doc, docx, dot,\r\nencryptedjb , epub, exe, gif, htm, html, ico, in, iso, jpeg, jpg, mp3, msi, odt, one, ova, pdf, pgsql,\r\npng, ppt, pptx, pub, rar, rtf, sfx, sql, txt, url, vdi, vsd, wma, wmv, wtv, xls, xlsx, xml, xps, zip\r\nFor each file path that passes the previously described path and extension checks, the ransomware copies an\r\ninstance of itself to the same directory it was executed from and executes via the command line, passing the file\r\npath as an argument. The parent ransomware process names its clones with a random UUID generated by a public\r\nlibrary2 that uses the current timestamp and MAC addresses of the infected host’s network adapters. The malware\r\ndeveloper attempted to use Go’s WaitGroup types to implement concurrency; however, due to a likely coding\r\nerror, the ransomware creates a very large number of threads (one per enumerated file path) and copies its own\r\nhttps://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/\r\nPage 1 of 7\n\nbinary into the current directory as many times as there are selected files. After all encryption threads have ended,\r\nthe original binary deletes itself via the command line.\r\nWhen the sample receives a file path as an argument, it encrypts the file using AES in Galois/Counter Mode\r\n(GCM). The AES key is generated using the Go rand package’s Intn function to select offsets in the character\r\narray 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ , generating a 32-byte key. Due to another likely coding error, the\r\nseed for the Intn function is updated after the key is generated, meaning the same AES key is generated each\r\ntime the binary and its clones are run. All of the files encrypted on a host are encrypted with the same key, and\r\nknowledge of the corresponding PartyTicket sample’s key enables their decryption. A script using this flaw to\r\nrecover the encrypted files is available on the CrowdStrike Git Repository.\r\nFor each file, the AES encryption key is itself encrypted with RSA-OAEP, using a public RSA key that has the\r\nfollowing parameters:\r\nModulus (N): 0xcbb94cb189a638b51e7cfe161cd92edb7145ecbd93989e78c94f8c15c61829286fd834d80c931daed4ac4aba14835fd3\r\nExponent (E): 0x10001\r\nBefore encryption, the ransomware renames the file using the format \u003coriginal file name\u003e.com\u003e.encryptedJB\r\n(“JB” very likely stands for the initials of the United States president Joseph Biden, given the other political\r\ncontent in the binary). The ransomware then overwrites the content with the encrypted data. PartyTicket will only\r\nencrypt the first 9437184 bytes (9.44 MB) of a file. If the file passed as an argument is larger than this limit, any\r\ndata above it is left unencrypted. After the file contents are encrypted, PartyTicket appends the RSA-encrypted\r\nAES key at the end of the file.\r\nThe ransomware also writes an HTML ransom note on the user’s desktop directory with the name read_me.html\r\nbefore the file encryption starts (Figure 1). Unless they are intentional mistakes, grammar constructs within the\r\nnote suggest it was likely not written or proofread by a fluent English speaker.\r\nhttps://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/\r\nPage 2 of 7\n\nFigure\r\n1. Ransom note\r\nAssessment\r\nCrowdStrike Intelligence does not attribute the PartyTicket activity to a named adversary at the time of writing.\r\nThe ransomware contains implementation errors, making its encryption breakable and slow. This flaw suggests\r\nthat the malware author was either inexperienced writing in Go or invested limited efforts in testing the malware,\r\npossibly because the available development time was limited. In particular, PartyTicket is not as advanced as\r\nDriveSlayer, which implements low-level NTFS parsing logic. The relative immaturity and political messaging of\r\nthe ransomware, the deployment timing and the targeting of Ukrainian entities are consistent with its use as an\r\nadditional payload alongside DriveSlayer activity, rather than as a legitimate ransomware extortion attempt.\r\nYARA Signatures\r\nThe following YARA rule can be used to detect PartyTicket:\r\nrule CrowdStrike_PartyTicket_01 : ransomware golang\r\n{\r\n meta:\r\n copyright = \"(c) 2022 CrowdStrike Inc.\"\r\n description = \"Detects Golang-based crypter\"\r\n version = \"202202250130\"\r\n last_modified = \"2022-02-25\"\r\n strings:\r\n $ = \".encryptedJB\" ascii\r\n $start = { ff 20 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 }\r\nhttps://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/\r\nPage 3 of 7\n\n$end = { 0a 20 ff }\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n for 1 of ($end) : ( @start \u003c @ and @start + 1024 \u003e @) and\r\n all of them\r\n}\r\nrule CrowdStrike_PartyTicket_02 : PartyTicket golang\r\n{\r\n meta:\r\n copyright = \"(c) 2022 CrowdStrike Inc.\"\r\n description = \"Detects Golang-based PartyTicket ransomware\"\r\n version = \"202202250130\"\r\n last_modified = \"2022-02-25\"\r\n strings:\r\n $s1 = \"voteFor403\"\r\n $s2 = \"highWay60\"\r\n $s3 = \"randomiseDuration\"\r\n $s4 = \"subscribeNewPartyMember\"\r\n $s5 = \"primaryElectionProces\"\r\n $s6 = \"baggageGatherings\"\r\n $s7 = \"getBoo\"\r\n $s8 = \"selfElect\"\r\n $s9 = \"wHiteHousE\"\r\n $s10 = \"encryptedJB\"\r\n $goid = { ff 20 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 71 62 30 48 37 41 64 57 41 59 44 7a 66 4d 41 3\r\n $pdb = \"C://projects//403forBiden//wHiteHousE\"\r\n condition:\r\n (uint32(0) == 0x464c457f or (uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550)) and 4 of ($s*) or\r\n}\r\nScript to Decrypt PartyTicket Encrypted Files\r\nDue to the previously discussed implementation errors in the AES key generation, it is possible to recover the AES\r\nkey used for encryption by PartyTicket. The below Go script decrypts files encrypted by PartyTicket sample\r\n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 . The script takes the file to be decrypted\r\nas an argument via the “-p” flag and saves the decrypted output to “decrypted.bin” in the same directory. The\r\nscript can be built as an executable or run via the Go run package; it was tested using Go version go1.16.6.\r\npackage main\r\n \r\nimport (\r\n\"crypto/aes\"\r\n\"crypto/cipher\"\r\n\"encoding/hex\"\r\n\"fmt\"\r\nhttps://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/\r\nPage 4 of 7\n\n\"os\"\r\n\"flag\"\r\n)\r\n \r\nfunc main() {\r\n \r\nencrypted_filepath := flag.String(\"p\", \"encrypted.bin\", \"Path to encrypted file\")\r\nflag.Parse()\r\n \r\nfmt.Printf(\"Decrypting file : %s\\n\", *encrypted_filepath)\r\nkey_bytes := \u003c\u003ebyte(\"6FBBD7P95OE8UT5QRTTEBIWAR88S74DO\")\r\nkey := hex.EncodeToString(key_bytes)\r\nfmt.Printf(\"Decryption key : %s\\n\", key_bytes)\r\n \r\ndat, err := os.ReadFile(*encrypted_filepath)\r\nif err != nil {\r\nfmt.Println(\"Unable to open file, please supply path of encrypted file with flag -p, default f\r\nos.Exit(3)\r\n}\r\n \r\ndecrypted_filepath := \"decrypted.bin\"\r\nfilecontents := dat\r\nencrypted_contents := filecontents\u003c:len(filecontents) - 288\u003e\r\nenc_size := len(encrypted_contents)\r\nbsize := 1048604\r\ncycles := enc_size / bsize\r\n \r\nif cycles == 0{\r\n \r\nencrypted := hex.EncodeToString(encrypted_contents)\r\ndecrypted := decrypt(encrypted, key)\r\nwrite_output(decrypted_filepath, decrypted)\r\n} else {\r\nfor i:=0; i\u003ccycles; i++ { if i \u003e= 9 {\r\nstart := 9 * bsize\r\nend := enc_size\r\ndata := string(encrypted_contents)\r\nwrite_output(decrypted_filepath, data)\r\nbreak\r\n}\r\nblock_start := i * bsize\r\nblock_end := (i+1) * bsize\r\nif block_end \u003e enc_size{\r\nblock_end := enc_size\r\nencrypted:=hex.EncodeToString(encrypted_contents)\r\ndecrypted := decrypt(encrypted, key)\r\nwrite_output(decrypted_filepath, decrypted)\r\nhttps://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/\r\nPage 5 of 7\n\n}\r\n \r\nencrypted:=hex.EncodeToString(encrypted_contents)\r\ndecrypted := decrypt(encrypted, key)\r\nwrite_output(decrypted_filepath, decrypted)\r\n}\r\n}\r\n \r\nfmt.Printf(\"Decrypted file written to : %s\\n\", decrypted_filepath)\r\n \r\n}\r\n \r\nfunc write_output(filepath string, data string) {\r\nf, err := os.OpenFile(filepath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)\r\nif err != nil {\r\npanic(err)\r\n}\r\nbyte_data := \u003c\u003ebyte(data)\r\nf.Write(byte_data)\r\nf.Close()\r\n}\r\n \r\nfunc decrypt(encryptedString string, keyString string) (decryptedString string) {\r\n \r\nkey, _ := hex.DecodeString(keyString)\r\nenc, _ := hex.DecodeString(encryptedString)\r\n \r\nblock, err := aes.NewCipher(key)\r\nif err != nil {\r\npanic(err.Error())\r\n}\r\naesGCM, err := cipher.NewGCM(block)\r\nif err != nil {\r\npanic(err.Error())\r\n}\r\nnonceSize := aesGCM.NonceSize()\r\nnonce, ciphertext := enc\u003c:nonceSize\u003e, enc\r\nplaintext, err := aesGCM.Open(nil, nonce, ciphertext, nil)\r\nif err != nil {\r\npanic(err.Error())\r\n}\r\n \r\nreturn fmt.Sprintf(\"%s\", plaintext)\r\n}\r\nhttps://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/\r\nPage 6 of 7\n\nEndnotes\r\n1. https\u003c:\u003e//symantec-enterprise-blogs.security\u003c.\u003ecom/blogs/threat-intelligence/ukraine-wiper-malware-russia\r\n2. https\u003c:\u003e//pkg.go.dev/github\u003c.\u003ecom/satori/go.uuid#NewV1\r\nAdditional Resources\r\nRead more about use of offensive cyber operations against Ukraine: Lessons Learned From Successive\r\nUse of Offensive Cyber Operations Against Ukraine and What May Be Next.\r\nLearn how CrowdStrike Falcon® provides continuous protection against DriveSlayer and wiper-style\r\nthreats: CrowdStrike Falcon® Protects from New Wiper Malware Used in Ukraine Cyberattacks\r\nRead about WhisperGate in this CrowdStrike Intelligence blog: Technical Analysis of the WhisperGate\r\nMalicious Bootloader.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent to see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/\r\nhttps://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/\r\nPage 7 of 7\n\nstrings: $ = \".encryptedJB\" ascii   \n$start = { ff 20 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 }\n   Page 3 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/"
	],
	"report_names": [
		"how-to-decrypt-the-partyticket-ransomware-targeting-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775439025,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e2f906a7bd741ad6aeebd5cd102a6e01ac7e0a5.pdf",
		"text": "https://archive.orkl.eu/1e2f906a7bd741ad6aeebd5cd102a6e01ac7e0a5.txt",
		"img": "https://archive.orkl.eu/1e2f906a7bd741ad6aeebd5cd102a6e01ac7e0a5.jpg"
	}
}