Hermes

Hermes targets Windows OS and its method of distribution is currently unknown. Once a system is infected, Hermes copies itself to C:\Users\Public\Reload.exe, executes, and then launches system_.bat to delete the original installation file. It then scans the infected system and unmapped network shares for targeted extensions and encrypts them using AES but does not append any extensions onto the encrypted file names. It does add the file marker, “HERMES,” at the end of the encrypted file contents. It deletes Shadow Volume Copies to prevent file restoration by the victim. It drops a ransom note named DECRYPT_INFORMATION.html and another file named UNIQUE_ID_DO_NOT_REMOVE in each folder containing encrypted files. The ransom payment amount is currently unknown but does offer to decrypt three of the victim’s files for free and provides the attacker’s contact information in the form of a Bitmessage address and an email address.

UPDATE 02/08/2018: A new version of Hermes that uses a new filemarker at the end of the file with an encrypted AES-256 key binary large object (BLOB) per file was discovered by MalwareHunterTeam and analyzed by security researcher Michael Gillespie.

  • Bleeping Computer provides more information about Hermes here.
  • Security researcher Michael Gillespie provides a free decryption tool for Hermes here.
Ransomware VariantsNJCCICHermes