{
	"id": "fb4b8c89-2350-431c-9e2d-6d768bdd236f",
	"created_at": "2026-04-06T00:22:19.905288Z",
	"updated_at": "2026-04-10T03:20:46.392574Z",
	"deleted_at": null,
	"sha1_hash": "a2efed5855ca66408881cc5481c83470e880055d",
	"title": "Technical Analysis of PartyTicket Ransomware | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 641980,
	"plain_text": "Technical Analysis of PartyTicket Ransomware | Zscaler\r\nBy Brett Stone-Gross\r\nPublished: 2022-02-25 · Archived: 2026-04-05 15:40:21 UTC\r\nKey Points\r\nPartyTicket is an unsophisticated and poorly designed ransomware family that is likely intended to be a diversion from the Hermetic Wiper attack\r\nThe ransomware generates a single AES key that is used to encrypt targeted files in GCM mode\r\nFiles can be decrypted without having access to the RSA private key because the AES key is generated using a random function that is deterministic\r\nOn 23rd Feb 2022, a new sophisticated malware family known as Hermetic Wiper was discovered that targeted organizations in Ukraine with the objective of destroying data and causing business disruption. Hermetic Wiper appears to have been used in conjunction with another malware family that disguises itself as ransomware. This secondary malware, known as PartyTicket, has the SHA256 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 and was written in the Go programming language. The first PartyTicket sample was submitted to a public malware repository on 2022-02-23 22:29:59 UTC.\r\nPartyTicket is quite distinct from typical ransomware families in that its design and implementation look rushed and unsophisticated. For example, PartyTicket does not terminate processes such as databases and other business applications prior to encryption. Therefore, the number of files that can be encrypted is limited, since many applications may hold open file handles. In addition, the malware generates a 32-character alphanumeric key using the Go programming language’s random function, which is deterministic. Therefore, the AES encryption key can be recovered and used to decrypt files. PartyTicket also stands out for its numerous references that mock U.S. President Joe Biden, as shown in Figure 1.\r\nFigure 1. PartyTicket code references mocking U.S. President Joe Biden\r\nThe malware takes a single command-line argument, which is the filename to encrypt. If the malware is launched without any arguments, it builds a list of files to encrypt. For every file in this list, the malware creates a new copy of itself using a name generated by calling the UUID Go library function, which is based on the current timestamp and the system’s MAC address.\r\nThe new PartyTicket copy is then executed with the filename to encrypt passed as its argument. This design choice is very odd because it slows the system down significantly, since a new process is created to encrypt every file. In addition, the numerous copies of the malware that are created fill up disk space, since the malware binary is larger than 3MB. Figure 2 shows an example of the numerous PartyTicket executables that were created during file encryption.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware\r\nPage 1 of 4\n\nFigure 2. Copies of PartyTicket executables during file encryption\r\nPartyTicket enumerates all files that have the extensions shown in Table 1.\r\n.docx .doc .dot .odt\r\n.pdf .xls .xlsx .rtf\r\n.ppt .pptx .one .xps\r\n.pub .vsd .txt .jpg\r\n.jpeg .bmp .ico .png\r\n.gif .sql .xml .pgsql\r\n.zip .rar .exe .msi\r\n.vdi .ova .avi .dip\r\n.epub .iso .sfx inc\r\n.contact .url .mp3 .wmv\r\n.wma .wtv .cab .acl\r\n.cfg .chm .crt .css\r\n.dat .dll .html .htm\r\nTable 1. Extensions targeted by PartyTicket\r\nFiles that are located in the Windows and Program Files folders are skipped. Before file encryption, the targeted file is renamed with the extension .[vote2024forjb@protonmail.com].encryptedJB as shown in Figure 3.\r\nFigure 3. Example file extension encrypted by PartyTicket\r\nThe malware embeds a hardcoded 2,048-bit RSA key that is Base64 encoded. The modulus and exponent, after the string has been Base64 decoded, are the following:\r\n{\"N\":25717750538564445875883770450315010157700597087507334907403500443913073702720939931824608270980020206566017538751505629\r\nPartyTicket uses this RSA public key to encrypt the AES key that is used for file encryption. Files are encrypted with AES in GCM mode using a 32-byte alphanumeric string that is created using the Go function math.rand.Int(), which is deterministic and therefore not cryptographically secure. The encrypted file format consists of the first 12 bytes used as the AES-GCM nonce, followed by the AES encrypted data, a 16-byte AES-GCM authentication tag, the RSA encrypted AES key, and finally the appended string marker ZVL2KH87ORH3OB1J1PO2SBHWJSNFSB4A.\r\nAfter each file is encrypted, the corresponding temporary copy of the ransomware is deleted.\r\nThe ransom note is written to the user’s desktop using the filename read_me.html. An example ransom note, when rendered in a web browser, is shown in Figure 4.\r\nFigure 4. Example PartyTicket ransom note\r\nThe special ID value is generated by calling the Go UUID function and does not serve any purpose.\r\nZscaler coverage\r\nWe have ensured coverage for the payloads seen in these attacks via advanced threat signatures as well as our advanced cloud sandbox.\r\nAdvanced Threat Protection\r\nWin32.Trojan.HermeticWiper\r\nAdvanced Cloud Sandbox\r\nWin32.Trojan.HermeticWiper\r\nFigure 5 below shows the sandbox detection report for PartyTicket.\r\nFigure 5. Zscaler Cloud Sandbox Report - PartyTicket\r\nSource: https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware"
	],
	"report_names": [
		"technical-analysis-partyticket-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2efed5855ca66408881cc5481c83470e880055d.pdf",
		"text": "https://archive.orkl.eu/a2efed5855ca66408881cc5481c83470e880055d.txt",
		"img": "https://archive.orkl.eu/a2efed5855ca66408881cc5481c83470e880055d.jpg"
	}
}