EN 
UA 
RU 
06.05.2022
WHAT'S NEW IN LABYRINTH DECEPTION PLATFORM: RELEASE 2.0.32
22.04.2022
Palo Alto Networks проінформувала про вразливості, які можуть дозволити зловмиснику відключити платформу Cortex XDR
20.04.2022
Advanced anti-DDoS solutions from A10 Networks are available for installation!
15.04.2022
Inspur Information Rated Gartner Hype Cycle Sample Vendor of Cloud-Optimized Hardware for Second Year
07.04.2022
FAST DELIVERY OF INFINIDAT AND INSPUR SOLUTIONS AVAILABLE NOW!
04.04.2022
Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities
26.03.2022
HOW NOT TO BECOME AN "UNWITTING ACCOMPLICE" OF RUSSIAN CYBER ATTACKS ON UKRAINIAN SYSTEMS (PART 3)
22.03.2022
CrowdStrike Falcon protects against new Wiper malware used in cyberattacks against Ukraine
20.03.2022
HOW TO NOT BECOME AN "UNCONSCIOUS ACCOMPLICE" TO RUSSIAN CYBER ATTACKS ON UKRAINIAN SYSTEMS (PART 2)
16.03.2022
A10 NETWORKS SECURITY RESEARCH: HOW NOT TO BECOME AN "UNCONSCIOUS ACCOMPLICE" TO RUSSIAN CYBERATTACKS ON UKRAINIAN SYSTEMS
23.02.2022
Демонстрація: CrowdStrike Falcon детектує набір вірусів WhisperGate
23.02.2022
Inspur — компанія №1 за часткою світового ринку AI-серверів!
18.02.2022
Відтепер компанія iIT Distribution – офіційний дистриб’ютор рішень Picus Security!
17.02.2022
Звіт про глобальні загрози 2022 року від CrowdStrike!
14.02.2022
iIT Distribution підписала партнерську угоду з компанією Inspur!
10.02.2022
Пост-реліз: Вебінар, присвячений оновленим можливостям Nakivo Backup & Replication v10.5
10.02.2022
Новітня розробка Falcon XDR від компанії CrowdStrike тепер доступна для користувачів!
02.02.2022
Знайомство з процесами Security Operations Center (SOC) та найкращі рекомендації для його ефективної роботи від Lepide
27.01.2022
Кібератака на українські державні сайти: що нам відомо сьогодні
21.01.2022
Технічний аналіз шкідливого завантажувача WhisperGate, націленого на українські організації
14.01.2022
CrowdStrike Services випускає Incident Response Tracker для спеціалістів DFIR (Digital Forensics and Incident Response)
12.01.2022
Експлойт noPac: Нова вразливість Microsoft AD може призвести до повної компрометації домену за лічені секунди
06.01.2022
7 IT-тенденцій 2022 року, які слід взяти на озброєння
30.12.2021
Витік секретних IP-адрес Pfizer не є рідкістю. Захистіть свої хмарні дані за допомогою проактивного шифрування
30.12.2021
6 афер, які слід уникати в ці новорічні свята: добірка рекомендацій від Panda Security
17.12.2021
Як CrowdStrike захищає клієнтів від загроз, пов'язаних з Log4Shell
16.12.2021
Що таке SCAR і якими технологіями керуються мисливці на загрози з команди Falcon OverWatch?
09.12.2021
Acra Community Edition 0.90.0: шифрування в SQL та NoSQL базах даних без додаткового програмування
08.12.2021
11 кроків до відновлення після фішингової атаки: рекомендації від Lepide
30.11.2021
Компанія Aruba (HPE) шістнадцятий рік поспіль визнається лідером у звіті Gartner Magic Quadrant for Enterprise Wired and WLAN Infrastructure 2021!
23.11.2021
Серія вебінарів від iIT Distribution & NAKIVO: твій надійний бекап!
21.11.2021
Рішення CrowdStrike Falcon отримало найвищу оцінку AAA за результатами тестування організації SE Labs
15.11.2021
Бізнес-вечеря CrowdStrike: як це було?
08.11.2021
iIT Distribution – офіційний дистриб'ютор компанії Nakivo!
05.11.2021
Компанію CrowdStrike визнали світовим лідером у галузі сучасного захисту кінцевих точок в останньому звіті IDC MarketScape!
03.11.2021
What is it the information security of the enterprise? What are the basic principles of data protection?
02.11.2021
CrowdStrike and AWS Expand Integrations to Provide Customers Multi-layered Protection Against Ransomware Attacks and Sophisticated Threats
29.10.2021
Global Threat Report 2021 від CrowdStrike вже доступний українською мовою!
25.10.2021
SDP чи VPN? (Чи обидва варіанти?)
19.10.2021
CrowdStrike представляє перший у своєму роді XDR Module, що забезпечує виявлення інцидентів у реальному часі й автоматичне реагування по всьому стеку безпеки
19.10.2021
Infinidat – лідер серед первинних систем зберігання даних згідно зі звітом Gartner Magic Quadrant 2021
18.10.2021
Компанія iIT Distribution отримала статус офіційного дистриб'ютора A10 Networks
11.10.2021
Впровадження інновації no-code в мережеві процеси
11.10.2021
iIT Distribution розширив арсенал своїх здобутків: фаховий сертифікат NetBrain Certified Platform Associate
05.10.2021
SuperMem: Безкоштовний інструмент CrowdStrike Incident Response для автоматизації обробки образів пам'яті
30.09.2021
Захід, що розширює кордони знань і можливостей: Перший Щорічний Форум з Кібербезпеки CS² DAY 2021 справив справжній фурор на гостей!
23.09.2021
На завершення знайомства з партнерами заходу CS² DAY представляємо компанію-системного інтегратора – CS Consulting!
21.09.2021
Провідний фахівець Security-підрозділу компанії IBM Віталій Воропай завітає на CS² DAY в якості спікера!
20.09.2021
Список спікерів Першого Щорічного Форуму з Кібербезпеки лише поповнюється: знайомтеся з Дмитром Петращуком від компанії IT-Specialist
20.09.2021
На CS² DAY виступлять представники державного сектору: Віктор Жора та Олександр Галущенко!
17.09.2021
Зустрічайте наступного запрошеного спікера довгоочікуваного CS² DAY – Олексія Зайончковського від компанії Netwave!
16.09.2021
Представляємо другого спікера CS² DAY: Михайло Кропива – InfoSec Director топової української IT-компанії SoftServe!
16.09.2021
Познайомтеся ближче з компанією-головним партнером CS² DAY та першим спікером заходу – Майклом Чальватцісом!
08.09.2021
iIT Distribution та CrowdStrike запрошують на CS² DAY – Перший Щорічний Форум з Кібербезпеки!
03.09.2021
Компанія iITD зібрала своїх партнерів на бізнес-вечері A10 Vendor`s Day
30.08.2021
Модель Zero Trust і система DLP: що нового розповіли наші представники та партнери на міжнародній конференції «Digital Change & Customers — Цифрові зміни та клієнтський сервіс»
05.08.2021
We invite you to the international conference "Digital Change & Customers”
28.07.2021
IT'S TIME TO STOP THE FEAR OF NEW TECHNOLOGIES: HOW CAN YOU CHANGE YOUR USUAL SOLUTION PROVIDERS AND IMPLEMENT MORE ADVANCED TECHNOLOGIES INTO YOUR INFRASTRUCTURE?
20.07.2021
Achieve petabyte-scale data protection with lightning-fast recovery!
12.07.2021
Infinidat — is the best choice for Gartner Peer Insights 2021 customers!
06.07.2021
CrowdStrike took first place in the market share of Modern Endpoint Security 2020!
05.07.2021
A10 Thunder ADC application delivery controller in our warehouse!
22.06.2021
The announcement of a new solution for storing InfiniBox SSA corporate class data from infinidat!
10.06.2021
The invitation to the third virtual forum CrowdStrike!
07.06.2021
The first deliveries of Aruba network equipment
01.06.2021
GTB Technologies comprehensive DLP solution received a certificate from the State Service for Special Communications and Information Protection of Ukraine
31.05.2021
How subtle attacks maximize hackers' profits and what defensive actions need to be taken immediately
19.05.2021
iIT Distribution is the official distributor of Automox
18.05.2021
A series of training workshops from CrowdStrike
11.05.2021
CrowdStrike has become the leader in the Gartner Magic Quadrant 2021 for the second time among endpoint protection platforms!
11.05.2021
Review of the new version of NetBrain Integrated Edition 10.0. Continuation
28.04.2021
Review of the new version of NetBrain Integrated Edition 10.0
26.04.2021
Infinidat is launching a partner accreditation program
16.04.2021
iIT Distribution is the official distributor of Lookout
12.04.2021
iIT Distribution expands its portfolio with networking solutions from Aruba Networks
12.04.2021
IIT Distribution received the status of a Business Partner in the Hewlett Packard Enterprise affiliate program
08.04.2021
Why should hosting providers pay attention to Infinidat data storage solution? Practical experience of use
05.04.2021
The ZTNA model helps reduce the stress loading of employees from remote work
30.03.2021
Сrowdstrike named leader in security Threat Detection, Response and Investigation of cyberincidents (MDMR)!
24.03.2021
Falcon X від CrowdStrike визнаний лідер у звіті Forrester Wave: External Threat Intelligence Services за перший квартал 2021 року!
15.03.2021
New Forrester study shows all the economic benefits of using the Falcon Complete!
02.03.2021
iITD is the official partner of the International Grand Forum "BIT & BIS-2021"!
24.02.2021
CrowdStrike has announced the acquisition of Humio's leading high-performance log management platform!
18.02.2021
Intelligent IT Distribution at the international conference "Go Digital - 2021: acceleration and migration. Money goes online".
08.02.2021
International Conference "Go Digital - 2021: acceleration and migration. Money goes online".
25.01.2021
Crowdstrike's response to recent supply chain attacks
08.10.2020
Intelligent IT Distribution takes part in the third annual international forum "Cybersecurity - protect business, protect the state"
29.09.2020
IITD - partner of the forum "Cybersecurity - protect business, protect the country" 2020
24.09.2020
iIT Distribution got the status of a distributor of Netbrain technologies solutions in the territory of Ukraine
28.08.2020
Fal.Con 2020 by CrowdStrike
25.08.2020
Compliance with cyberrisk insurance
25.08.2020
Automatically block compartment accounts with Lepide Active Directory Self Service 20.1
25.08.2020
Cossack Labs invites you to visit NONAMECON
22.07.2020
Signing a distribution agreement with SAFE-T
21.07.2020
International Conference "Online Banking - Time of Innovation!"
18.06.2020
Global Cyber Threat Report 2020
11.06.2020
Thursday, the 25-th of June, 2020. Do not miss!
20.05.2020
PandaLabs Report: Understanding Threats 2020
05.05.2020
Announcement: New version of ACRA Enterprise, which provides increased flexibility for high-loaded systems
13.04.2020
Lepide Remote Worker Monitoring Pack is a simple in deployment and lightweight security platform, which offers immediate protection of business data during an unforeseen period of remote work.
12.04.2020
Ensuring cybersecurity for remote users
08.04.2020
Labyrinth Technologies offers to take advantage of a special offer - a license for 12 months at a price of 6 months
07.04.2020
Crowdstrike: Remote work and IT security during the crisis - a reduced licensed program for 3-6 months
23.03.2020
IIT Distribution received the status of distributor solutions RedSeal Networks in Ukraine
23.03.2020
IIT DISTRIBUTION has received the status of a Lepide solutions distributor in Ukraine
16.03.2020
iIT Distribution starts distribution of Crowdstrike solutions in Ukraine
19.02.2020
On the 20-th of February in Kiev Annual Conference Ciso DX Day 2020 will be held
18.02.2020
IIT Distribution has received the status of a distributor of Instana solutions in Ukraine
On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack, among other families including a sophisticated wiper CrowdStrike Intelligence tracks as DriveSlayer (HermeticWiper).
Analysis of the PartyTicket ransomware indicates it superficially encrypts files and does not properly initialize the encryption key, making the encrypted file with the associated .encryptedJB extension recoverable.
Technical Analysis
A PartyTicket ransomware sample has a hash SHA256 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382. It has been observed associated with the file names cdir.exe, cname.exe, connh.exe and intpub.exe.
The ransomware sample — written using Go версії 1.10.1— contains many symbols that reference the U.S. political system, including voteFor403, C:/projects/403forBiden/wHiteHousE and primaryElectionProcess.
The ransomware iterates over all drive letters and recursively enumerates the files in each drive and its subfolders, excluding file paths that contain the strings Windows and Program Files, and the folder path C:\Documents and Settings (the latter folder was replaced in Windows versions later than Windows XP with C:\Users). Files with the following extensions are selected for encryption:
acl, avi, bat, bmp, cab, cfg, chm, cmd, com, contact, crt, css, dat, dip, dll, doc, docx, dot, encryptedjb, epub, exe, gif, htm, html, ico, in, iso, jpeg, jpg, mp3, msi, odt, one, ova, pdf, pgsql, png, ppt, pptx, pub, rar, rtf, sfx, sql, txt, url, vdi, vsd, wma, wmv, wtv, xls, xlsx, xml, xps, zip
For each file path that passes the previously described path and extension checks, the ransomware copies an instance of itself to the same directory it was executed from and executes via the command line, passing the file path as an argument. The parent ransomware process names its clones with a random UUID generated by a public library2 that uses the current timestamp and MAC addresses of the infected host’s network adapters.
The malware developer attempted to use Go’s WaitGroup types to implement concurrency; however, due to a likely coding error, the ransomware creates a very large number of threads (one per enumerated file path) and copies its own binary into the current directory as many times as there are selected files. After all encryption threads have ended, the original binary deletes itself via the command line.
When the sample receives a file path as an argument, it encrypts the file using AES in Galois/Counter Mode (GCM). The AES key is generated using the Go rand package’s Intn function to select offsets in the character array 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ, generating a 32-byte key. Due to another likely coding error, the seed for the Intn function is updated after the key is generated, meaning the same AES key is generated each time the binary and its clones are run. All of the files encrypted on a host are encrypted with the same key, and knowledge of the corresponding PartyTicket sample’s key enables their decryption. A script using this flaw to recover the encrypted files is available on the CrowdStrike Git Repository.
For each file, the AES encryption key is itself encrypted with RSA-OAEP, using a public RSA key that has the following parameters:
Modulus (N): 0xcbb94cb189a638b51e7cfe161cd92edb7145ecbd93989e78c94f8c15c61829286fd834d80c931daed4acaba14835fd3a6721602bcaa7193245fc6cf8e1d3261460ff3f1cbae3d44690beb989adee69ac486a932ee44dbdf0a44e772ab9822a16753cd08bdbb169f866f722114ee69c0cf1588fdaf8f7efd1c3ed243786078593f9b0cd867bab2b170c1843660d16e2181ae679137e2650551a41631398e027206e22a55858c741079ceafd50d5bd69546d4d52f5a33b0a576e1750d3f83afa1ce4403d768cbd670b443f61794b44705a8b1132c0c0ce77dbd04053ba20aec9baf23944270f10d16ad0727ed490c91c7f469278827c20a3e560f7c84015f7e1b
Exponent (E): 0x10001
Before encryption, the ransomware renames the file using the format <original file name>.[[email protected][.]com].encryptedJB (“JB” very likely stands for the initials of the United States president Joseph Biden, given the other political content in the binary). The ransomware then overwrites the content with the encrypted data. PartyTicket will only encrypt the first 9437184 bytes (9.44 MB) of a file. If the file passed as an argument is larger than this limit, any data above it is left unencrypted. After the file contents are encrypted, PartyTicket appends the RSA-encrypted AES key at the end of the file.
The ransomware also writes an HTML ransom note on the user’s desktop directory with the name read_me.html (Figure 1). Unless they are intentional mistakes, grammar constructs within the note suggest it was likely not written or proofread by a fluent English speaker.
Figure 1. Ransom note
Assessment
CrowdStrike Intelligence does not attribute the CrowdStrike products activity to a named adversary at the time of writing.
The ransomware contains implementation errors, making its encryption breakable and slow. This flaw suggests that the malware author was either inexperienced writing in Go or invested limited efforts in testing the malware, possibly because the available development time was limited. In particular, PartyTicket is not as advanced as DriveSlayer, which implements low-level NTFS parsing logic. The relative immaturity and political messaging of the ransomware, the deployment timing and the targeting of Ukrainian entities are consistent with its use as an additional payload alongside DriveSlayer activity, rather than as a legitimate ransomware extortion attempt.
YARA Signatures
The following YARA rule can be used to detect PartyTicket:
Script to Decrypt PartyTicket Encrypted Files
Due to the previously discussed implementation errors in the AES key generation, it is possible to recover the AES key used for encryption by PartyTicket. The below Go script decrypts files encrypted by PartyTicket sample 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382. The script takes the file to be decrypted as an argument via the “-p” flag and saves the decrypted output to “decrypted.bin” in the same directory. The script can be built as an executable or run via the Go run package; it was tested using Go version go1.16.6.
Learn how to protect your organization from modern cyberattacks by using CrowdStrike products.
iIT Distribution as the official distributor of CrowdStrike solutionsthat enable companies to use advanced technologies to build uninterrupted protection of their IT infrastructures. We work closely with our clients, providing a full range of project support services.
Back
Facebook
LinkedIn
YouTube