Party Ticket Ransomware Unearthed
A new sophisticated malware family known as Hermetic Wiper was discovered that targeted organizations in the Ukraine with an objective of destroying data and causing business disruption. Hermetic Wiper appears to have been used in conjunction with another malware family that disguises itself as ransomware. This secondary malware known as PartyTicket was written using the Go programming language.
PartyTicket is quite distinct from typical ransomware families in that the design and implementation looks rushed and unsophisticated. PartyTicket does not terminate processes such as databases and other business applications prior to encryption. Therefore, the number of potential files that can be encrypted is limited since many applications may have open file handles.
The malware generates a 32 character alphanumeric key using the Go programming language’s random function, which is deterministic. Therefore, the AES encryption key can be recovered and used to decrypt files.
The malware takes a single command-line argument, which is the filename to encrypt. If the malware is launched without any arguments, it builds a list of files to encrypt. For every file in this list, the malware creates a new copy of itself using a name generated by calling the UUID Go library function, which is based on the current timestamp and system’s MAC address.
The new PartyTicket copy is then executed passing a filename to encrypt. This design choice is very odd because it slows the system down significantly, because a new process is created to encrypt every file. In addition, the numerous copies of the malware that are created fill up disk space, since the malware binary is larger than 3MB.
PartyTicket uses this RSA public key to encrypt the AES key that is used for file encryption. Files are encrypted with AES in GCM mode using a 32-byte alphanumeric string that is created using the Go function math.rand.Int(), which is not cryptographically secure. The encrypted file format consists of the first 12 bytes used as the AES-GCM nonce, followed by the AES encrypted data, a 16-byte AES-GCM authentication tag, the RSA encrypted AES key, and finally appended with the string marker ZVL2KH87ORH3OB1J1PO2SBHWJSNFSB4A.
After each file is encrypted, the corresponding temporary copy of the ransomware is then deleted.