{
	"id": "34b67c59-7f91-49e7-a89e-9a90039a4613",
	"created_at": "2026-04-06T01:30:00.744846Z",
	"updated_at": "2026-04-10T13:12:07.941326Z",
	"deleted_at": null,
	"sha1_hash": "6e2747202cff01eeb80c44c377accc224d356fa1",
	"title": "CrowdStrike cracks PartyTicket ransomware targeting Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 499048,
	"plain_text": "CrowdStrike cracks PartyTicket ransomware targeting Ukraine\r\nBy Arielle Waldman, Features Writer, Dark Reading\r\nPublished: 2022-03-02 · Archived: 2026-04-06 00:46:54 UTC\r\nWhile a new ransomware strain was used in \"destructive attacks\" that targeted Ukrainian organizations hours\r\nbefore the Russian invasion, CrowdStrike determined it is decryptable.\r\nOn Feb. 23, antimalware vendor ESET uncovered a new data-wiping malware it dubbed HermeticWiper used in a\r\ncampaign hours after a series of DDoS attacks kicked several websites associated with the Ukrainian government\r\noffline. ESET researchers also observed a Go-based ransomware it tracks as HermeticRansom deployed during the\r\ncampaign. Following reports from ESET and other vendors, CrowdStrike began tracking the \"sophisticated wiper\"\r\nunder the name DriveSlayer.\r\nWhile analyzing DriveSlayer, CrowdStrike uncovered new insight into HermeticRansom, which it is tracking as\r\nPartyTicket.\r\nCrowdStrike provided further analysis in a blog post Tuesday where the security vendor said PartyTicket\r\nransomware \"superficially encrypts files\" due to implementation errors that make \"its encryption breakable and\r\nslow.\" While CrowdStrike did not attribute PartyTicket to a specific threat group, it did provide further insight into\r\nthe developer.\r\n\"This flaw suggests that the malware author was either inexperienced writing in Go or invested limited efforts in\r\ntesting the malware, possibly because the available development time was limited,\" the blog post said.\r\nCrowdStrike published a script in the blog post that will decrypt files that have been locked by PartyTicket. \"Due\r\nto the previously discussed implementation errors in the AES key generation, it is possible to recover the AES key\r\nused for encryption by PartyTicket,\" it explained.\r\nA sample analysis revealed many symbols referencing the U.S. political system, such as President Joe Biden and\r\nthe White House. CrowdStrike observed that prior to encryption, the ransomware renamed the file using a format\r\nthat included the letters JB, which \"very likely stands for the initials of the United States president Joseph Biden.\"\r\nBased on the three factors including the deployment timing, political messaging and \"relative immaturity\" of the\r\nransomware, CrowdStrike said the primary use of PartyTicket is as an \"additional payload alongside DriveSlayer\r\nactivity, rather than as a legitimate ransomware extortion attempt.\"\r\nSimilarly, ESET researchers determined that the ransomware was potentially used to hide the actions of the data-wiping malware and did not mention any extortion motives. Several security vendors and threat analysts have\r\ntracked destructive malware attacks against various targets in Ukraine since Russia's invasion of the country began\r\nlast week.\r\nSource: https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine"
	],
	"report_names": [
		"CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775439000,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e2747202cff01eeb80c44c377accc224d356fa1.pdf",
		"text": "https://archive.orkl.eu/6e2747202cff01eeb80c44c377accc224d356fa1.txt",
		"img": "https://archive.orkl.eu/6e2747202cff01eeb80c44c377accc224d356fa1.jpg"
	}
}