A look at PartyTicket Ransomware targeting Ukrainian systems

The conflict between Russia and Ukraine has quickly escalated from the ground into cyberspace. Last week, the SonicWall Capture Labs Research team analyzed the HermeticWiper malware attack targeting Ukraine in this article. This week we take a look at the ransomware that is believed to have been deployed in conjunction with that data-wiping malware.

Infection Cycle:

The ransomware arrives as a Windows executable. Once executed, it spawns conhost.exe, which then spawns cmd.exe to carry out its functionality.

cmd.exe creates a temporary copy of the ransomware, which then encrypts a target file.

This repeated create, encrypt, delete cycle bogs down the system and makes the entire process very slow. Below is an example of how many copies of itself were created within a span of a few minutes while trying to encrypt a system.

The following file extensions are targeted for encryption:

.acl, .avi, .bat, .bmp, .cab, .cfg, .chm, .cmd, .com, .crt, .css, .dat, .dip, .dll, .doc, .dot, .exe, .gif, .htm, .ico, .iso, .jpg, .mp3, .msi, .odt, .one, .ova, .pdf, .png, .ppt, .pub, .rar, .rtf, .sfx, .sql, .txt, .url, .vdi, .vsd, .wma, .wmv, .wtv, .xls, .xml, .xps, .zip

Encrypted files have an appended file extension of “[vote2024forjb@protonmail.com].encryptedJB”

A ransom note named “Read.me.html” is added to the desktop.
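The infection cycle above leaves three things a defender can look for: the conhost.exe to cmd.exe process chain under the dropper, a burst of identical temporary copies of the binary, and the file artifacts (the targeted extensions, the appended “[vote2024forjb@protonmail.com].encryptedJB” extension and the Read.me.html note). The following Python triage helpers are an added example, not SonicWall's code or tooling. The event schemas (pid/ppid/image for process events, ts/path/sha256 for file events) and all sample data are constructed for the example; whether a dot precedes the appended bracketed extension is also an assumption, since the write-up only gives the suffix.

```python
"""Triage helpers for the PartyTicket infection cycle (added example, not SonicWall code).

Event field names are assumptions loosely modelled on process-creation and
file-creation telemetry; every sample below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the write-up lists as targeted for encryption.
TARGETED_EXTENSIONS = {
    ".acl", ".avi", ".bat", ".bmp", ".cab", ".cfg", ".chm", ".cmd", ".com",
    ".crt", ".css", ".dat", ".dip", ".dll", ".doc", ".dot", ".exe", ".gif",
    ".htm", ".ico", ".iso", ".jpg", ".mp3", ".msi", ".odt", ".one", ".ova",
    ".pdf", ".png", ".ppt", ".pub", ".rar", ".rtf", ".sfx", ".sql", ".txt",
    ".url", ".vdi", ".vsd", ".wma", ".wmv", ".wtv", ".xls", ".xml", ".xps",
    ".zip",
}

# Artifacts the write-up attributes to the ransomware.
ENCRYPTED_SUFFIX = "[vote2024forjb@protonmail.com].encryptedJB"
RANSOM_NOTE_NAME = "Read.me.html"


def is_targeted(path: str) -> bool:
    """True if the file's extension is one the ransomware encrypts."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in TARGETED_EXTENSIONS


def is_encrypted_artifact(path: str) -> bool:
    """True for a file carrying the appended PartyTicket extension."""
    return path.endswith(ENCRYPTED_SUFFIX)


def find_ransom_notes(paths):
    """Return every path whose file name matches the dropped ransom note."""
    return [p for p in paths if p.replace("\\", "/").rsplit("/", 1)[-1] == RANSOM_NOTE_NAME]


def suspicious_chains(events):
    """Find <root exe> -> conhost.exe -> cmd.exe chains in process-creation events.

    Each event is a dict with pid, ppid and image. Returns the image path of
    the root process of every matching chain (the candidate dropper).
    """
    by_pid = {e["pid"]: e for e in events}
    roots = []
    for e in events:
        if not e["image"].lower().endswith("cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower().endswith("conhost.exe"):
            grandparent = by_pid.get(parent["ppid"])
            if grandparent:
                roots.append(grandparent["image"])
    return roots


def copy_bursts(file_events, window=timedelta(minutes=5), threshold=20):
    """Flag content hashes written `threshold` or more times inside `window`.

    file_events: dicts with ts (datetime), path and sha256. A ransomware that
    keeps re-creating temporary copies of itself shows up as one hash with a
    high peak count. Returns {sha256: peak_count_in_window}.
    """
    by_hash = defaultdict(list)
    for ev in file_events:
        by_hash[ev["sha256"]].append(ev["ts"])
    flagged = {}
    for digest, stamps in by_hash.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):      # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[digest] = peak
    return flagged


# --- constructed sample data (not real telemetry) ---------------------------
SAMPLE_PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\victim\Downloads\SAMPLE_RANSOMWARE.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},  # ordinary shell
]
_T0 = datetime(2022, 3, 1, 12, 0, 0)  # constructed timestamp
SAMPLE_FILE_EVENTS = [
    {"ts": _T0 + timedelta(seconds=6 * i), "sha256": "CONSTRUCTED_HASH_A",
     "path": rf"C:\Users\victim\AppData\Local\Temp\copy{i}.exe"} for i in range(25)
] + [{"ts": _T0 + timedelta(minutes=10), "sha256": "CONSTRUCTED_HASH_B",
      "path": r"C:\Users\victim\Desktop\Read.me.html"}]
SAMPLE_PATHS = [
    r"C:\Users\victim\Documents\budget.xlsx",   # .xlsx is not on the list
    r"C:\Users\victim\Documents\report.doc",
    r"C:\Users\victim\Documents\report.doc.[vote2024forjb@protonmail.com].encryptedJB",
    r"C:\Users\victim\Desktop\Read.me.html",
]

if __name__ == "__main__":
    print("chain roots:", suspicious_chains(SAMPLE_PROCESS_EVENTS))
    print("copy bursts:", copy_bursts(SAMPLE_FILE_EVENTS))
    print("encrypted:", [p for p in SAMPLE_PATHS if is_encrypted_artifact(p)])
    print("notes:", find_ransom_notes(SAMPLE_PATHS))
```

The burst detector is the part worth tuning in a real deployment: the page says many copies appeared within a few minutes, so a five-minute window with a threshold of twenty is a starting point, not a measured value, and the hash grouping assumes the telemetry source records a content hash for each created file.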

There are references to the US President in the module/project names used in the file, as evident in the strings below, possibly to obscure the real source of the malware or to mislead researchers.

Overall, this is an unsophisticated ransomware that appears to have been created in a rush.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: PartyTicket.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.