{
	"id": "bce1b624-8203-44f9-a207-5e59dc953d20",
	"created_at": "2026-04-06T00:19:14.270484Z",
	"updated_at": "2026-04-10T13:12:19.988399Z",
	"deleted_at": null,
	"sha1_hash": "38188d4fbdde3a49912f1d1f9603d3eaf0781beb",
	"title": "Elections GoRansom – a smoke screen for the HermeticWiper attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 520076,
	"plain_text": "Elections GoRansom – a smoke screen for the HermeticWiper\r\nattack\r\nBy GReAT\r\nPublished: 2022-03-01 · Archived: 2026-04-05 23:20:41 UTC\r\nExecutive summary\r\nOn February 24, 2022, Avast Threat Research published a tweet announcing the discovery of new Golang\r\nransomware, which they called HermeticRansom. This malware was found around the same time the\r\nHermeticWiper was found, and based on publicly available information from security community it was used in\r\nrecent cyberattacks in Ukraine. The new ransomware was likely used as a smokescreen for the HermeticWiper\r\nattack due to its non-sophisticated style and poor implementation.\r\nIn this report, we present our analysis of HermeticRansom, which we also call Elections GoRansom.\r\nOur findings in a nutshell:\r\nElections GoRansom (aka HermeticRansom) was used to target assets on the same day as HermeticWiper;\r\nThe developers used a sarcastic function-naming scheme related to US presidential elections;\r\nThe malware does not use any kind of obfuscation and has pretty straightforward functionality, suggesting\r\nit was created in a short amount of time.\r\nHermeticRansom’ technical analysis\r\nThe malware is created in Golang and uses no anti-analysis components as string encryption, function names\r\nstripping, etc. After execution, it creates an ID which is later used as the key from the array of Latin alphabet\r\ncharacters and numbers using a standard Golang rand function:\r\nhttps://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/\r\nPage 1 of 7\n\nID key generation routine\r\nThen the malware identifies hard drives present on the infected system and collects a list of directories and files,\r\nexcluding the Windows and Program Files folders.\r\nFolder profiling\r\nAfter that, the ransomware note is created as a “read_me .html” file and dropped to the user’s Desktop folder. The\r\nnote contains the victim ID and the actor’s contact emails on the ProtonMail domain; emails are hard-coded as\r\nseen below:\r\nhttps://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/\r\nPage 2 of 7\n\nRansomware note in HTML format\r\nThe malware utilizes a strange ineffective encryption workflow – it creates a copies of the initial sample and runs\r\nthem as separate processes for each file encrypted; copy names are generated using Golang GUID library\r\nfunctions.\r\nhttps://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/\r\nPage 3 of 7\n\nSelf-copies made by HermeticRansom\r\nTo encrypt victims’ data, HermeticRansom relies on a list of hard-coded files types, as follows:\r\nhttps://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/\r\nPage 4 of 7\n\nList of hardcoded file extensions to encrypt\r\nFiles are encrypted using the AES algorithm with the generated key. Then the AES key is encrypted with RSA-OAEP. OAEP is parameterized with a hash function that is used as a random oracle. The hashing function is SHA-256. The RSA public key is hard-coded as a base64 blob. After decoding the key in JSON format, it is converted\r\nto a byte array:\r\nHardcoded encryption public key\r\nOnce files are encrypted, HermeticRansom appends a “.encryptedJB” extension to each. Also the ProtonMail\r\nemail address is appended to the filename:\r\nhttps://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/\r\nPage 5 of 7\n\nEncrypted files with the new extension\r\nThe malware structures and methods are named in a sarcastic manner related to US presidential elections.\r\nUnstripped function names\r\nHermeticRansom’ attribution\r\nGiven the circumstances under which HermeticRansom appeared, including the date, time and victims’ geo-locations, we have moderate confidence it is connected with HermeticWiper’s general objectives – destroying or\r\notherwise making Windows systems unusable due to data loss.\r\nConclusions\r\nHermeticRansom is an excellent example of a targeted attack preventing victims from using their data while also\r\npotentially acting as a smokescreen for further attacks. The simplicity of the code, along with the grammar and\r\nhttps://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/\r\nPage 6 of 7\n\nspelling errors left in the ransom note, probably indicate that it was a last-minute operation, potentially deployed\r\nto boost the effectiveness of other cyber-attacks on Ukraine.\r\nIndicators of compromise\r\nHermeticRansom MD5\r\nd5d2c4ac6c724cd63b69ca054713e278\r\nSource: https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/\r\nhttps://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/"
	],
	"report_names": [
		"105960"
	],
	"threat_actors": [],
	"ts_created_at": 1775434754,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38188d4fbdde3a49912f1d1f9603d3eaf0781beb.pdf",
		"text": "https://archive.orkl.eu/38188d4fbdde3a49912f1d1f9603d3eaf0781beb.txt",
		"img": "https://archive.orkl.eu/38188d4fbdde3a49912f1d1f9603d3eaf0781beb.jpg"
	}
}