Crypto-ransomware refuses to be overshadowed by other malware threats and remains one of the most fearsome infections around. Besides invading your privacy, it uses elaborate cryptography to turn your files to dust. Hermes ransomware is another disruptive sample from this bloodthirsty clan, originating from the darkest corners of the Internet. Although this variant officially claims to use the RSA-2048 cipher as its main weapon against users’ files, security researchers are more convinced that it actually encrypts them with AES. The hackers lay out how the plot is supposed to unfold once users learn of the Hermes infection: victims are expected to contact the creators of the infection via one of two email addresses: [email protected] or [email protected]. The people who control these mailboxes will use every kind of intimidation they can think of to persuade victims into paying the demanded sums of money. The note states no set amount, which means that users have to ask for it during their email conversation with the crooks. Even though the hackers urge you to contact them, we are sure that this alleged co-operation cannot bring any positive results, unless the crooks agree to decrypt some of the encrypted files as proof that they indeed have the necessary decryption software.
The Olympian God turned evil: Hermes ransomware
If you have any interest in Greek religion and mythology, you should recognize the name that was selected for this ransomware virus. Hermes is a Greek god, but now the title is reduced to a vicious malware infection. The sample encrypts files with the AES algorithm in the hope of extorting money that its authors can spend on exotic trips and cold beverages. Do not let hackers profit from their crimes and do whatever you can to make them face justice. Since it is quite difficult to take part in such a hunt for hackers, we hope that at least you won’t support them financially. Hermes virus slithers into your system without any warning, modifies your Windows Registry keys, contacts its C&C server and then, step by step, carries out the crucial encryption process.
Files encrypted with AES receive the .hermes extension at the end of their names. This is a common feature among ransomware infections, as most of them mark the data they have successfully corrupted. To inform victims of the situation they are unfortunately stuck in, the crooks also drop a DECRYPT_INFORMATION.html file, which opens in your default browser and displays the message shown above. According to that message, another file should appear on your desktop and in a couple of other locations: UNIQUE_ID_DO_NOT_REMOVE. When you first contact the crooks via email, you are supposed to send them this file. This helps the hackers sort out their victims, since they can receive a great many ID numbers when the ransomware payload contacts the C&C server. Once the hackers know how many files have been encrypted, they can set the ransom accordingly.
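As an added example (not the article's own tooling or any vendor's), a small Python triage scanner that walks a directory tree for the three markers the article names and reports whether the full Hermes pattern is present; the sample user profile it builds is constructed for the demo.

```python
import os
import tempfile
from collections import Counter

# Marker names taken from the article; the sample tree below is constructed.
ENCRYPTED_EXT = ".hermes"
RANSOM_NOTE = "DECRYPT_INFORMATION.html"
ID_FILE = "UNIQUE_ID_DO_NOT_REMOVE"


def scan_tree(root):
    """Walk root and collect the three Hermes markers, keyed by directory."""
    report = {"encrypted": Counter(), "notes": [], "id_files": []}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"][rel] += 1
            elif name.upper() == RANSOM_NOTE.upper():
                report["notes"].append(os.path.join(rel, name))
            elif name.upper() == ID_FILE:
                report["id_files"].append(os.path.join(rel, name))
    return report


def verdict(report):
    """Encrypted files plus a ransom note is the full pattern; anything
    less is worth a look but may be a stray or planted file."""
    n = sum(report["encrypted"].values())
    if n and report["notes"]:
        return "hermes-markers-present"
    if n or report["notes"] or report["id_files"]:
        return "partial-markers"
    return "clean"


def build_sample_tree():
    """Constructed profile: two encrypted documents, a note and an ID file."""
    root = tempfile.mkdtemp(prefix="hermes_demo_")
    for sub in ("Documents", "Desktop", "Pictures"):
        os.makedirs(os.path.join(root, sub))
    docs = os.path.join(root, "Documents")
    for name in ("report.docx.hermes", "budget.xlsx.hermes", "notes.txt", RANSOM_NOTE):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(root, "Desktop", ID_FILE), "w").close()
    return root


if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(verdict(r), dict(r["encrypted"]), r["notes"], r["id_files"])
```

Point `scan_tree` at a mounted image of a suspect profile instead of the sample tree; the per-directory counts also tell you how far the encryption had progressed before the host was isolated.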
Recovery of files: can Hermes be lenient to its victims?
We are convinced that Hermes won’t be interested in a good reputation: it would rather embrace its vicious-virus status. That is why there is no reason to beg for forgiveness. What you should do is contact the hackers via the provided emails and ask them to decrypt 3 files. Try to pick the biggest corrupted executables. Once you receive them back, do not hesitate to send these samples to security researchers. There is a considerable probability that such executables will greatly increase the chances of free file recovery. You can also check whether Hermes virus deletes all Shadow Volume Copies and whether universal file-recovery tools work to some extent. The best case is that you keep careful backups of your files: then you can restore them at any time.
Disguises that Hermes ransomware can use in order to infect systems
Is your operating system protected by first-rate anti-malware tools? If not, your system is all the more exposed to malware threats. Systems can survive in dangerous conditions, but how long will they last against devious ransomware infections? Ransomware payloads can hide behind innocuous-looking executables attached to various emails. It has become something of a ritual for us to remind our visitors that they have to make sure an email they receive is actually legitimate and not part of a malicious spam campaign. A naive or careless user might open an email attachment without much thought. This is not something you should do if your goal is to keep your system malware-free.
Since we have mentioned anti-malware tools, we should also look at the options for removing Hermes virus. The most recommended course is to install an anti-malware tool and use it to eliminate the ransomware. Spyhunter or Hitman are perfect candidates to support your security. We also provide our visitors with guides to file recovery and manual removal; you will find them as you scroll down.
Update of 20th of February, 2017. Emsisoft CTO and Head of its Malware Research Lab, Fabian Wosar, decided to stream his journey toward creating a decrypter for Hermes ransomware. Although it appears that his efforts have paid off, an actual tool is not yet available. We will update our article as soon as Emsisoft announces that it has been successfully developed.
Update: the decrypter is now available here: link. You can download it for free and decrypt your files.
Update of the 20th of March, 2017. A month ago, Hermes ransomware was decrypted. However, security researchers detected a second version of this infection.