From the Labs: YARA Rule for Detecting HermeticRansom

ReversingLabs analysts work constantly to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.

In this series, we break down some of the threats behind our YARA detection rules that can help your organization detect threats within your environment.

HermeticRansom: A cyber warfare tool

Right at the start of Russia’s war on Ukraine, the cybersecurity community was made aware of the first instance in which malware was used as a cyber warfare tool in the Russo-Ukrainian war. It was on February 23, 2022 that ESET Research shared a tweet noting their discovery of a data wiper malware being used in Ukraine, which they dubbed HermeticWiper. This was a far reaching attack that was installed on hundreds of machines in the country just hours before Russia’s armed forces invaded Ukraine. And shortly after HermeticWiper was made known to the security community, researchers began to discover more tools used in this attack.

In another tweet posted not long after ESET’s, Avast Threat Labs shared that in addition to HermeticWiper, there was also a golang-based ransomware targeting systems in Ukraine, known as HermeticRansom (aka Elections GoRansom, aka PartyTicket). Based on researchers' analysis of HermeticRansom’s malware, it is believed that the ransomware acted as a decoy, so that HermeticWiper could cause more undetected damage to Ukrainian organizations.

Here's how this ransomware was used to further attacks on organizations in Ukraine, as well as why it was made an essential tool by attackers.

How HermeticRansom works

Regarding its functionality, HermeticRansom follows the classic ransomware model of infecting a victim’s network, encrypting the network’s files, and leaving a ransom note for victims to read once their system has been infected. But unlike other ransomware strains, which tend to be difficult to decrypt due to their complex and well orchestrated components, HermeticRansom is far less complex. Multiple research teams agree that the attackers behind HermeticRansom used a non-sophisticated style to build it, and did not include skilled techniques such as obfuscation.

In Securelist’s technical analysis of the ransomware, researchers detail the infection and encryption process for HermeticRansom, which includes a strange encryption workflow and a sarcastic naming convention for its malware structures and methods related to U.S. presidential elections. Securelist researchers believe, based on HermeticRansom’s use of simple coding as well as multiple spelling and grammar errors made in the ransom note, that this ransomware was designed and launched in a hurry.

It also did not serve like a typical modern ransomware strain that uses double extortion to inflict financial and reputational damage on organizations. This makes it likely that HermeticRansom was a last-minute operation, made to solely boost the effectiveness of its more mature and impactful counterpart: HermeticWiper.

HermeticRansom's impact

Considering HermeticRansom’s connection to HermeticWiper, and researchers’ assessment that the ransomware was an impromptu effort, it’s likely that HermeticRansom served as a reuse in attackers’ plans to wipe data off of Ukrainian networks. While being infected with ransomware is no joke, HermeticRansom was not the most destructive tool in these attackers’ arsenal. However, it does hold great significance in this cyber attack, considering that without it, HermeticWiper may not have been as successful.

The possible long-term impact of HermeticRansom was shortened by researchers who identified the ransomware’s weaknesses. Security firm Crowdstrike managed to spot implementation errors, which they believe made HermeticRansom’s encryption “breakable and slow.” Based on this discovery, security firm Avast released a free decryptor for HermeticRansom, just 10 days after it initially hit Ukrainian systems. Avast made the decryptor free in an effort to help impacted Ukrainians restore their data quickly and reliably.

What can be learned from the case of HermeticRansom is that cyber attacks, and in this case cyber warfare, can use more than one tool to launch a successful campaign. The attackers behind HermeticRansom not only relied on ransomware to create a smokescreen, but they also designed worms that spread the attack to targets, and launched the final blow to these organizations with the destructive HermeticWiper malware.

Detecting HermeticRansom

While a free decryptor exists for HermeticRansom, and the ransomware has been known to only target entities in Ukraine, it is essential that organizations protect themselves from becoming infected with it. ReversingLabs’ HermeticRansom YARA rule is designed to detect the ransomware within your environment with high fidelity and almost no false-positives.

Download the HermeticRansom YARA Rule here:

Win64.Ransomware.HermeticRansom.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page. To learn more about how our threat analysts write these YARA rules, read this blog post from ReversingLabs threat analyst Laura Dabelić.

About ReversingLabs

ReversingLabs' team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware, or to schedule a demonstration.