{
	"id": "556ffbf2-2639-4429-b7ab-e3f2f5b9bc28",
	"created_at": "2026-04-06T01:32:26.241635Z",
	"updated_at": "2026-04-10T03:21:16.662039Z",
	"deleted_at": null,
	"sha1_hash": "40144b8739a3e74f4a094c0bb1d443b2c8dcd0ab",
	"title": "Free HermeticRansom Ransomware Decryptor Released",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 307756,
	"plain_text": "Free HermeticRansom Ransomware Decryptor Released\r\nBy Lisa Vaas\r\nPublished: 2022-03-04 · Archived: 2026-04-06 00:59:27 UTC\r\nCruddy cryptography means victims whose files have been encrypted by the Ukraine-tormenting ransomware can\r\nbreak the chains without paying extortionists.\r\nA free decryptor is out to unlock a ransomware found piggybacking on the HermeticWiper data wiper malware\r\nthat ESET and Broadcom’s Symantec discovered targeting machines at financial, defense, aviation and IT services\r\noutfits in Ukraine, Lithuania and Latvia last week.\r\nThe fact that there was ransomware clinging to the data-wiping malware didn’t surprise cybersecurity experts, of\r\ncourse. It was predicted by Katie Nickels, director of intel at Red Canary, for one: She tweeted that there was very\r\nlikely a “broader intrusion chain.”\r\nWhat might have been a bit more surprising was the welcome discovery, made by CrowdStrike’s Intelligence\r\nTeam earlier this week, that HermeticRansom had a lame encryption process that let the ransomware’s tentacles be\r\nuntangled.\r\nAvast Threat Labs had spotted the new ransomware strain last Thursday, Feb. 24. 
Avast, which named the new\r\nstrain HermeticRansom, on Thursday released a free decryptor that packages the decryption script CrowdStrike\r\nreleased on GitHub with a user-friendly GUI and instructions for its use.\r\nThe decryptor is available from Avast.\r\nCrypto Likely Weakened by Coding Errors\r\nHermeticRansom, aka PartyTicket, was identified at several victimized organizations, alongside other malware\r\nfamilies that included what CrowdStrike called the “sophisticated” HermeticWiper, aka DriveSlayer.\r\nHowever sophisticated the wiper was, the ransomware that hopped a ride on it had less-than-stellar encryption, with a\r\nlogic flaw in the encryption process that let researchers break through, CrowdStrike said: “Analysis of the\r\n[PartyTicket/HermeticRansom] ransomware indicates it superficially encrypts files and does not properly initialize\r\nthe encryption key, making the encrypted file with the associated .encryptedJB extension recoverable.”\r\nAt the time it published its report, CrowdStrike hadn’t traced the ransomware to a known threat actor. It didn’t\r\nlook like a serious attempt at ransomware in any case, researchers said, given the coding errors that made its\r\nencryption “breakable and slow.”\r\nhttps://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/\r\nPage 1 of 3\n\nEither the malware author was unfamiliar with writing in Go or rushed its development without thoroughly testing\r\nit, analysts surmised.\r\nEither way, it looked to analysts as if extortion wasn’t the primary aim: “The relative immaturity and political\r\nmessaging of the ransomware, the deployment timing and the targeting of Ukrainian entities are consistent with its\r\nuse as an additional payload alongside DriveSlayer activity, rather than as a legitimate ransomware extortion\r\nattempt,” they wrote.\r\nBelow is a screen capture of HermeticRansom’s extortion note:\r\nHermeticRansom ransomware demand note. 
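As an added illustration (code written for this page, not PartyTicket/HermeticRansom source and not CrowdStrike's or Avast's decryptor), the Go program below models the two weaknesses in the CrowdStrike quote above: a key that is not properly initialized, modelled as 32 bytes drawn from math/rand with a constant seed so that a decryptor can simply regenerate it, and superficial encryption, modelled as AES-GCM over only the first partialLen bytes of a file with the remainder left in cleartext. The seed value, the 64-byte threshold, the file layout and every identifier are assumptions for the demonstration; the page does not say how the real malware derived its key or how much of each file it touched. The constant seed stands in for a well-known Go pitfall: before Go 1.20 the package-level math/rand functions ran from seed 1 unless the program called Seed, so a program that never seeds produces the same key stream on every machine.

```go
package main

// Added illustration, not PartyTicket/HermeticRansom code. The seed, the
// partialLen threshold and all identifiers are assumptions for the demo.

import (
	`crypto/aes`
	`crypto/cipher`
	cryptorand `crypto/rand`
	`errors`
	`io`
	mathrand `math/rand`
)

const partialLen = 64                  // assumed threshold; bytes beyond it stay in cleartext
const gcmNonceLen, gcmTagLen = 12, 16 // standard AES-GCM nonce and tag sizes

// weakKey models an improperly initialized key: math/rand with a constant seed
// yields the same 32 bytes on every run and on every victim machine.
func weakKey() []byte {
	src := mathrand.New(mathrand.NewSource(1))
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(src.Intn(256))
	}
	return key
}

// strongKey is the fix: 32 bytes from the OS CSPRNG, which nobody can regenerate.
func strongKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(cryptorand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPartial seals only the first partialLen bytes with AES-256-GCM and
// appends the rest untouched. Layout: nonce || sealed head || raw tail.
func encryptPartial(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcmNonceLen)
	if _, err := io.ReadFull(cryptorand.Reader, nonce); err != nil {
		return nil, err
	}
	n := partialLen
	if n > len(plaintext) {
		n = len(plaintext)
	}
	out := gcm.Seal(nonce, nonce, plaintext[:n], nil)
	return append(out, plaintext[n:]...), nil
}

// decryptPartial inverts encryptPartial; a wrong key fails GCM authentication.
func decryptPartial(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcmNonceLen+gcmTagLen {
		return nil, errors.New(`ciphertext too short`)
	}
	headLen := partialLen + gcmTagLen // sealed head plus tag
	if headLen > len(data)-gcmNonceLen {
		headLen = len(data) - gcmNonceLen // file shorter than partialLen
	}
	plain, err := gcm.Open(nil, data[:gcmNonceLen], data[gcmNonceLen:gcmNonceLen+headLen], nil)
	if err != nil {
		return nil, err
	}
	return append(plain, data[gcmNonceLen+headLen:]...), nil
}

// recoverWithoutRansomKey is what a public decryptor can do here: rebuild the key from the seed.
func recoverWithoutRansomKey(data []byte) ([]byte, error) {
	return decryptPartial(weakKey(), data)
}

// plaintextTail returns the bytes superficial encryption left readable; no key needed.
func plaintextTail(data []byte) []byte {
	if skip := gcmNonceLen + partialLen + gcmTagLen; len(data) > skip {
		return data[skip:]
	}
	return nil
}
```

Encrypting with weakKey() and then calling recoverWithoutRansomKey on the output round-trips on any machine, because the key is a function of the seed alone; the same call against a file encrypted with strongKey() fails the GCM authentication check, which is the behaviour a properly initialized key should give. plaintextTail shows what superficial encryption leaves readable without any key at all. The credit line that follows refers to the ransom-note screen capture above, not to this example.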
Source: CrowdStrike Intelligence Team.\r\nHermeticWiper History\r\nHermeticWiper, discovered last week, has been used against hundreds of machines in Ukraine – attacks that\r\nfollowed distributed denial-of-service (DDoS) attacks launched against Ukrainian websites on Feb. 23.\r\nOne of the HermeticWiper samples was compiled back on Dec. 28, indicating that the wiper attacks had been\r\nreadied two months before Russia’s military assault.\r\nHermeticWiper was only one of an onslaught of cyberattacks and malware unleashed prior to and during the\r\ncrisis, including the novel FoxBlade trojan, a wave of pre-invasion DDoS attacks in mid-February, plus\r\nanother campaign of wiper attacks in January that targeted Ukraine and aimed at eroding trust – just a few of an\r\nongoing barrage of cyberattacks in the cyber warzone.\r\nSource: https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/"
	],
	"report_names": [
		"178762"
	],
	"threat_actors": [],
	"ts_created_at": 1775439146,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40144b8739a3e74f4a094c0bb1d443b2c8dcd0ab.pdf",
		"text": "https://archive.orkl.eu/40144b8739a3e74f4a094c0bb1d443b2c8dcd0ab.txt",
		"img": "https://archive.orkl.eu/40144b8739a3e74f4a094c0bb1d443b2c8dcd0ab.jpg"
	}
}