Hermes targets Windows, and its method of distribution is currently unknown. Once a system is infected, Hermes copies itself to C:\Users\Public\Reload.exe, executes, and then launches system_.bat to delete the original installation file. It then scans the infected system and unmapped network shares for files with targeted extensions and encrypts them using AES, but it does not append any extension to the encrypted file names. Instead, it adds the file marker “HERMES” at the end of the encrypted file contents. It deletes Volume Shadow Copies to prevent the victim from restoring files. In each folder containing encrypted files, it drops a ransom note named DECRYPT_INFORMATION.html and another file named UNIQUE_ID_DO_NOT_REMOVE. The ransom payment amount is currently unknown, but Hermes offers to decrypt three of the victim’s files for free and provides the attacker’s contact information in the form of a Bitmessage address and an email address.
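Because encrypted files keep their original names, scoping an incident depends on the trailing marker and the dropped files rather than on extensions. The following triage script is an added example, not part of the original advisory; it assumes the marker is stored as the ASCII bytes HERMES within the last 256 bytes of a file, and the sample tree it builds is constructed for illustration.

```python
import os
import tempfile

MARKER = b"HERMES"   # marker named in the advisory; ASCII encoding is an assumption
TAIL_BYTES = 256     # assumption: how much of the file tail to inspect
DROPPED_NAMES = {"DECRYPT_INFORMATION.html", "UNIQUE_ID_DO_NOT_REMOVE"}


def has_marker(path, tail=TAIL_BYTES):
    """Return True if the marker appears in the last `tail` bytes of the file."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
            fh.seek(max(0, size - tail))
            return MARKER in fh.read()
    except OSError:
        return False  # unreadable or locked files are skipped, not counted as hits


def triage(root):
    """Walk `root` and return sorted paths of dropped files and marked files."""
    notes, marked = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name in DROPPED_NAMES:
                notes.append(full)      # ransom note / ID file: folder was hit
            elif has_marker(full):
                marked.append(full)     # original name kept, marker at the end
    return {"notes": sorted(notes), "marked": sorted(marked)}


def build_sample(root):
    """Constructed sample tree: one clean file, one marked file, both dropped files."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "clean.txt"), "wb") as fh:
        fh.write(b"quarterly report")
    with open(os.path.join(docs, "report.docx"), "wb") as fh:
        fh.write(os.urandom(512) + MARKER)  # random bytes stand in for ciphertext
    for name in DROPPED_NAMES:
        open(os.path.join(docs, name), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, paths in triage(tmp).items():
            for p in paths:
                print(kind, p)
```

On a real host, point `triage()` at user profile directories and mounted shares; a marker hit in a folder without the two dropped files may be a false positive and is worth checking by hand.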