HermeticWiper and PartyTicket Targeting Computers in Ukraine

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report is a technical overview of the HermeticWiper and PartyTicket malware reported by ESET and Symantec on February 23, 2022. The malware was primarily delivered to Ukrainian organizations coincident with the Russian invasion of Ukraine. It is intended for those looking for a high-level overview of the malware’s TTPs and mitigations.

Executive Summary

Insikt Group analyzed the HermeticWiper malware and the associated ransomware component named PartyTicket that were first publicly reported targeting Ukrainian organizations on February 23, 2022. We determined that both components serve the purpose of data destruction, with the “ransomware” component differing significantly in form and function from known criminal ransomware threats.

Key Judgments

• The use of a wiper malware with an associated destructive ransomware component is similar in method to WhisperGate, NotPetya, and other operations credited to Sandworm.
• There is insufficient evidence at this time to attribute HermeticWiper to the Russian state, but the timing of the mass deployment of HermeticWiper with kinetic attacks and other cyberattacks on Ukraine, and a methodology similar to past attacks by Russian government-associated actors, lends credence to such an attribution.
• The PartyTicket ransomware attacks are unlikely to be a true ransomware campaign conducted for financial gain. It is more likely that the ransomware component is a ruse and the real purpose of the attacks are disruption and data destruction.

Editor’s Note: This post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.