{
	"id": "cb36aebe-d919-4028-b66f-790f111e73a2",
	"created_at": "2026-04-06T00:18:49.989913Z",
	"updated_at": "2026-04-10T03:24:29.304553Z",
	"deleted_at": null,
	"sha1_hash": "ff4ec22baa724cd0312ad403d0c5b1d8595902df",
	"title": "Ransomware as a distraction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 181887,
	"plain_text": "Ransomware as a distraction\r\nBy Editorial Team\r\nPublished: 2022-03-01 · Archived: 2026-04-02 12:03:45 UTC\r\n Ransomware\r\nHermeticRansom cryptor was used as a distraction to support HermeticWiper attacks.\r\nMarch 1, 2022\r\nOur researchers analyzed the HermeticRansom malware, also known as Elections GoRansom. By and large, this is\r\na fairly simple cryptor. What is interesting in this case is the purpose for which attackers are using it.\r\nHermeticRansom goals\r\nHermeticRansom attacked computers at the same time as another malware known as HermeticWiper, and based\r\non publicly available information from the security community, it was used in recent cyberattacks in Ukraine.\r\nAccording to our experts, the relative simplicity and questionable malware workflow implementation suggest\r\nthat HermeticRansom was used as a smokescreen for HermeticWiper attacks.\r\nWhat HermeticRansom is capable of\r\nAfter infecting the victim’s computer, the malware first identifies hard drives and collects a list of directories and\r\nfiles located everywhere except for the Windows and Program Files folders. It then encrypts certain categories of\r\nfiles and renames them, adding a .encrypted tag and the email address of the ransomware operators. The malware\r\nalso creates a read_me.html file in the Desktop folder containing a ransom note with the attackers’ contacts. The\r\nnote looks like this:\r\nRansom note left by HermeticRansom malware\r\nHermeticRansom encrypts files with the following extensions: .inf, .acl, .avi, .bat, .bmp, .cab, .cfg, .chm, .cmd, .com,\r\n.crt, .css, .dat, .dip, .dll, .doc, .dot, .exe, .gif, .htm, .ico, .iso, .jpg, .mp3, .msi and .odt.\r\nHermeticRansom peculiarities\r\nHermeticRansom is written in Golang. It does not use any obfuscation mechanisms, and the encryption method\r\nitself is rather cumbersome and inefficient. Judging by these and some other signs, our experts think that this\r\nmalware was created in a hurry.\r\nYou can find a more detailed technical analysis of the malware along with indicators of compromise on our\r\nSecurelist blog.\r\nHow to stay safe\r\nKaspersky Lab security solutions successfully detect HermeticRansom malware and similar threats. We have a\r\nrange of tools to protect both home computers and corporate infrastructure, including:\r\nKaspersky Internet Security: our multi-platform security solution for home users;\r\nKaspersky Endpoint Security Cloud: our solution for business protection;\r\nKaspersky Anti-Ransomware Tool: our free corporate solution that can work as an additional layer of\r\nprotection in parallel with products from other vendors.\r\nSource: https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/"
	],
	"report_names": [
		"43825"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff4ec22baa724cd0312ad403d0c5b1d8595902df.pdf",
		"text": "https://archive.orkl.eu/ff4ec22baa724cd0312ad403d0c5b1d8595902df.txt",
		"img": "https://archive.orkl.eu/ff4ec22baa724cd0312ad403d0c5b1d8595902df.jpg"
	}
}