{
	"id": "d792826a-de6a-4e8c-b651-b1263dada48c",
	"created_at": "2026-04-06T00:10:45.69632Z",
	"updated_at": "2026-04-10T03:20:23.117165Z",
	"deleted_at": null,
	"sha1_hash": "b223476f227d3fe7770e2e738230a2db68077806",
	"title": "Free decryptor released for HermeticRansom victims in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1878244,
	"plain_text": "Free decryptor released for HermeticRansom victims in Ukraine\r\nBy Bill Toulas\r\nPublished: 2022-03-03 · Archived: 2026-04-05 16:15:29 UTC\r\nAvast has released a decryptor for the HermeticRansom ransomware strain used in targeted attacks against Ukrainian\r\nsystems over the past ten days.\r\nThe decryptor is offered as a free-to-download tool from Avast's website and can help Ukrainians restore their data quickly\r\nand reliably.\r\nThe first signs of HermeticRansom's distribution were observed by ESET researchers on February 23, mere hours before the\r\ninvasion of Russian troops unfolded in Ukraine.\r\nA weak decoy\r\nThe ransomware strain was delivered along with a computer worm named HermeticWizard and served more as a decoy in\r\nwiper attacks than as a tool to support financial extortion. Still, its infections have disrupted vital Ukrainian systems.\r\nCrowdStrike was quick to spot a weakness in the cryptographic scheme of the Go-written strain and offered a script to\r\ndecrypt the files encrypted by HermeticRansom (aka PartyTicket).\r\n\"The ransomware contains implementation errors, making its encryption breakable and slow. 
This flaw suggests that the\r\nmalware author was either inexperienced writing in Go or invested limited efforts in testing the malware, possibly because\r\nthe available development time was limited,\" explains CrowdStrike in a new blog post released on Tuesday.\r\nAs BleepingComputer explained on Twitter, HermeticRansom contains numerous politically oriented string names in the\r\nransomware binary, ransom note, and contact emails (vote2024forjb@protonmail.com and\r\nstephanie.jones2024@protonmail.com).\r\nHermeticRansom was never meant to serve as a modern ransomware strain that would lay the groundwork for double extortion,\r\ninflicting financial and reputational damage.\r\nStill a danger\r\nThe above doesn't mean that HermeticRansom infections don't impact the targeted machines.\r\nOn the contrary, this strain can still encrypt valuable files outside the Program Files and Windows folders, using an RSA-2048 key.\r\nThe ransom note seen by the victims has a typical form and content, asking them to contact a ProtonMail address to acquire\r\na decryptor.\r\nHermeticRansom/PartyTicket ransom note\r\nNew decryptor recovers files\r\nAlthough CrowdStrike's script is reliable, it's not easy for everyone to use in this situation. To help, Avast has\r\nreleased a GUI decryptor that simplifies decrypting files encrypted by HermeticRansom.\r\nAlso, the tool offers the option to back up the encrypted files to avoid ending up with irreversibly corrupted files if something\r\ngoes wrong with the encryption process.\r\nAvast's graphical decryptor\r\nFor a step-by-step guide on how to use the decryptor, you can start from here.\r\nSource: https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/"
	],
	"report_names": [
		"free-decryptor-released-for-hermeticransom-victims-in-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434245,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b223476f227d3fe7770e2e738230a2db68077806.pdf",
		"text": "https://archive.orkl.eu/b223476f227d3fe7770e2e738230a2db68077806.txt",
		"img": "https://archive.orkl.eu/b223476f227d3fe7770e2e738230a2db68077806.jpg"
	}
}