Cybersecurity firm Avast released a free decryptor that allows victims to restore files encrypted by the HermeticRansom ransomware, a new ransomware strain found circulating in Ukraine.
The first attacks involving the Go-based HermeticRansom ransomware (tracked by CrowdStrike as ‘PartyTicket’) were discovered by ESET researchers on February 23, just before Russian troops crossed the country’s borders and started attacking Ukrainian cities and critical infrastructure.
The malware was delivered along with a new data wiper, dubbed ‘IsaacWiper,’ and a new worm named ‘HermeticWizard.’ According to CrowdStrike’s analysis, HermeticRansom contains a weakness in its cryptographic algorithm, so files it encrypts can be decrypted for free.
“Analysis of the PartyTicket ransomware indicates it superficially encrypts files and does not properly initialize the encryption key, making the encrypted file with the associated .encryptedJB extension recoverable,” CrowdStrike wrote in a technical analysis.
Despite the flaw in its crypto scheme, HermeticRansom still poses a risk, as it can encrypt valuable files outside the Program Files and Windows folders using an RSA-2048 key, the researchers have warned.