{
	"id": "e5ac8512-9af3-4ce9-a32e-ff54b84dd8a5",
	"created_at": "2026-04-06T01:30:51.708049Z",
	"updated_at": "2026-04-10T03:22:10.070076Z",
	"deleted_at": null,
	"sha1_hash": "6fb8402b5f8504b47a5fe09e450af33bdf3a96d2",
	"title": "Help for Ukraine: Free decryptor for HermeticRansom ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2598940,
	"plain_text": "Help for Ukraine: Free decryptor for HermeticRansom\r\nransomware\r\nBy Threat Research Team\r\nArchived: 2026-04-06 00:28:56 UTC\r\nOn February 24th, the Avast Threat Labs discovered a new ransomware strain accompanying the data wiper\r\nHermeticWiper malware, which our colleagues at ESET found circulating in Ukraine. Following this naming\r\nconvention, we opted to name the strain we found piggybacking on the wiper HermeticRansom. According to\r\nanalysis done by CrowdStrike’s Intelligence Team, the ransomware contains a weakness in the crypto scheme and\r\ncan be decrypted for free.\r\nIf your device has been infected with HermeticRansom and you’d like to decrypt your files, skip to\r\nthe section “How to use the Avast decryptor to recover files” below.\r\nThe ransomware is written in the Go language. When executed, it searches local drives and network shares for\r\npotentially valuable files, looking for files with one of the extensions listed below (the order is taken from the\r\nsample):\r\n.docx .doc .dot .odt .pdf .xls .xlsx .rtf .ppt .pptx .one .xps .pub .vsd .txt .jpg .jpeg .bmp .ico\r\n.png .gif .sql .xml .pgsql .zip .rar .exe .msi .vdi .ova .avi .dip .epub .iso .sfx .inc .contact .url\r\n.mp3 .wmv .wma .wtv .avi .acl .cfg .chm .crt .css .dat .dll .cab .htm .html .encryptedjb\r\nIn order to keep the victim’s PC operational, the ransomware avoids encrypting files in the Program Files and\r\nWindows folders.\r\nFor every file designated for encryption, the ransomware creates a 32-byte encryption key. Files are encrypted in\r\nblocks; each block has 1048576 (0x100000) bytes. A maximum of nine blocks are encrypted. Any data past\r\n9437184 bytes (0x900000) is left in plain text. Each block is encrypted with the AES-GCM symmetric cipher. After\r\ndata encryption, the ransomware appends a file tail containing the RSA-2048 encrypted file key. 
The public key\r\nis stored in the binary as a Base64 encoded string:\r\nEncrypted file names are given an extra suffix:\r\n.[vote2024forjb@protonmail.com].encryptedJB\r\nhttps://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/\r\nPage 1 of 4\n\nWhen done, a file named “read_me.html” is saved to the user’s Desktop folder:\r\nThere is an interesting number of politically oriented strings in the ransomware binary. In addition to the file\r\nextension, referring to the re-election of Joe Biden in 2024, there is also a reference to him in the project name:\r\nDuring execution, the ransomware creates a large number of child processes, which do the actual encryption:\r\nHow to use the Avast decryptor to recover files\r\nTo decrypt your files, please follow these steps:\r\n1. Download the free Avast decryptor.\r\n2. Simply run the executable file. It starts in the form of a wizard, which leads you through the configuration\r\nof the decryption process.\r\n3. On the initial page, you can read the license information, if you want, but you really only need to click\r\n“Next”.\r\n4. On the next page, select the list of locations which you want to be searched and decrypted. By default, it\r\ncontains a list of all local drives:\r\n5. On the final wizard page, you can choose whether you want to back up encrypted files. These backups may\r\nhelp if anything goes wrong during the decryption process. This option is turned on by default, which we\r\nrecommend. After clicking “Decrypt”, the decryption process begins. 
Let the decryptor work and wait\r\nuntil it finishes.\r\nIOCs\r\nSHA256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382\r\nThreat Research Team\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/"
	],
	"report_names": [
		"help-for-ukraine-free-decryptor-for-hermeticransom-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439051,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fb8402b5f8504b47a5fe09e450af33bdf3a96d2.pdf",
		"text": "https://archive.orkl.eu/6fb8402b5f8504b47a5fe09e450af33bdf3a96d2.txt",
		"img": "https://archive.orkl.eu/6fb8402b5f8504b47a5fe09e450af33bdf3a96d2.jpg"
	}
}