Once it has infiltrated a system, Hermes encrypts files using RSA-2048 cryptography. This malware does not append an extension to the encrypted files. Following successful encryption, Hermes creates an HTML file containing a ransom-demand message (“DECRYPT_INFORMATION.html”), placing it in each folder that contains encrypted files. It also drops a UNIQUE_ID_DO_NOT_REMOVE file that victims are encouraged to attach to email messages when communicating with the cyber criminals responsible for this malware. When Hermes is executed, it also uses a User Account Control (UAC) bypass called Eleven, or Elevation by environment variable expansion, to delete the victim’s Shadow Volume Copies and backup files.
Hermes uses a UAC bypass to execute a batch file called shade.bat. This batch file, shown below, will not only delete the computer’s shadow volumes, but will also delete backup images that may be present on the computer. It does this to prevent a victim from restoring encrypted files from a backup.
The backup images that are deleted are ones that match the following filenames:
*.VHD, *.bac, *.bak, *.wbcat, *.bkf, Backup*.*, backup*.*, *.set, *.win, *.dsk
When the Hermes Ransomware is executed, it copies itself to C:\Users\Public\Reload.exe and runs that copy. It then launches a batch file called system_.bat, which is used to delete the original installer as shown below.
Files associated with the Hermes Ransomware
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
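The behaviours described above (the shade.bat and system_.bat batch files, deletion of files matching the backup patterns, the ransom note and UNIQUE_ID_DO_NOT_REMOVE drops, the Reload.exe copy) and the file artifacts listed here can be turned into a simple endpoint triage check. The following Python is an added example, not code from the page or from Max Total Security: it scans a constructed list of process-creation and file events for the indicators named on the page. The event dictionary format is an assumption, and because the page does not print shade.bat, the shadow-copy deletion commands matched by the regex are the usual ones such scripts run, not text taken from the sample.

```python
"""Triage constructed endpoint events for the Hermes behaviours described above."""
import fnmatch
import re

# Backup-image patterns that the page says shade.bat deletes.
BACKUP_PATTERNS = ["*.VHD", "*.bac", "*.bak", "*.wbcat", "*.bkf",
                   "Backup*.*", "backup*.*", "*.set", "*.win", "*.dsk"]

# File names and full paths named on the page (compared case-insensitively,
# as Windows does).
ARTIFACT_NAMES = {
    "decrypt_information.html": "ransom note",
    "unique_id_do_not_remove": "victim id file",
    "shade.bat": "shadow/backup deletion batch",
    "system_.bat": "installer self-delete batch",
}
ARTIFACT_PATHS = {
    r"c:\users\public\reload.exe": "copied payload",
    r"c:\eleven\microsoft\windows\start menu\programs\administrative tools":
        "eleven uac bypass staging dir",
    r"c:\eleven\microsoft\windows\start menu\programs\administrative tools\computer management.lnk":
        "eleven uac bypass shortcut",
}

# Assumption: the page does not print shade.bat, so this regex covers the
# commands commonly used to remove shadow copies and backup catalogues.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)


def basename(path):
    """Last path component, accepting either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def matches_backup_pattern(path):
    """True if the file name matches one of the backup globs shade.bat targets."""
    name = basename(path).lower()
    # Both sides lowered so the glob behaves like a case-insensitive DOS wildcard.
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in BACKUP_PATTERNS)


def classify_event(event):
    """Return a list of (category, detail) findings for one event."""
    findings = []
    kind = event["type"]
    if kind == "process":
        cmd = event["cmdline"]
        if SHADOW_DELETE_RE.search(cmd):
            findings.append(("shadow_copy_deletion", cmd))
        # Look for the named batch files anywhere on the command line.
        for token in re.split(r"[\s\"']+", cmd):
            label = ARTIFACT_NAMES.get(basename(token).lower())
            if label:
                findings.append(("known_artifact", f"{label}: {token}"))
    elif kind in ("file_create", "file_delete"):
        path = event["path"]
        label = (ARTIFACT_NAMES.get(basename(path).lower())
                 or ARTIFACT_PATHS.get(path.lower()))
        if label:
            findings.append(("known_artifact", f"{label}: {path}"))
        if kind == "file_delete" and matches_backup_pattern(path):
            findings.append(("backup_file_deletion", path))
    return findings


def triage(events):
    """Aggregate findings; two or more distinct categories is treated as a hit."""
    findings = [f for e in events for f in classify_event(e)]
    categories = sorted({c for c, _ in findings})
    verdict = "likely Hermes activity" if len(categories) >= 2 else "no hit"
    return {"findings": findings, "categories": categories, "verdict": verdict}


# Constructed sample events (not real telemetry) mixing Hermes behaviour
# with benign activity.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"cmd.exe /c C:\Users\Public\shade.bat"},
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "file_delete", "path": r"D:\Backups\backup_2017.wbcat"},
    {"type": "file_create", "path": r"C:\Users\Bob\Documents\DECRYPT_INFORMATION.html"},
    {"type": "file_create", "path": r"C:\Users\Public\Reload.exe"},
    {"type": "file_delete", "path": r"C:\Users\Bob\Documents\report.docx"},
    {"type": "process", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for category, detail in result["findings"]:
        print(f"{category:24} {detail}")
    print("verdict:", result["verdict"])
```

The two-category threshold keeps a single backup-file deletion (which an administrator may do legitimately) from firing on its own; the combination of backup deletion, a shadow-copy removal command and a known Hermes file name is what an analyst would actually escalate.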
Registry entries associated with the Hermes Ransomware
Use Max Total Security to prevent damage to your files and save yourself from paying ransom to such malware.